
Topics
- Key concepts
- VM’s Disk Encryption
- Azure Storage encryption
It is recommended to use RSA keys to encrypt data at rest.
Key concepts
- Key/vault
- Key Encryption Key (KEK)
- Encryption at Rest
  - Organizations can encrypt data at rest at no extra cost, even with custom key management.
  - Symmetric encryption is used to encrypt and decrypt large amounts of data quickly.
- Encryption in Transit
VM’s Disk Encryption
Disk encryption prerequisites
- Virtual Machine
- Key vault with advanced access policies
- KEK for additional security
- Virtual Network
- Disk encryption is integrated with Azure Key Vault.
- Disk encryption can be used for the disks of IaaS VMs.
- A Windows VM must have at least 2GB memory.
- A Linux VM must have at least 2GB memory when only the data volume is encrypted.
- A Linux VM must have at least 8GB memory when both the OS and data volumes are encrypted.
- Disk encryption is available for VMs with premium storage as well.
- Only some OS versions support it.
- The VM and the key vault must be in the same region and subscription to enable disk encryption.
- Key vault secret and KEK URLs must be versioned:
  - secret URL: https://keyvaultname.vault.azure.net/secrets/EncryptionSecretWithKek/xxxxxxxxxxxxxx
  - KEK URL: https://keyvaultname.vault.azure.net/keys/diskencryptionkek/xxxxxxxxxxxxxx
- URLs with a port number are not accepted, e.g. https://keyvaultname.vault.azure.net:443…..
- Keys with the RSA key type are still not supported for disk encryption.
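The URL rules above (versioned, no port number, a Key Vault host) are easy to get wrong when the values are pasted from a portal. The following is an added example, not part of the original notes, of a small validator that applies those rules before the URLs are handed to the disk encryption extension; the sample URLs at the bottom are constructed and do not point at a real vault. It also extracts the version segment, which is the value the unversioned-URL error is really about.

```shell
#!/bin/bash
# Added example (not part of the original notes): validate the Key Vault secret / KEK
# URLs that Azure Disk Encryption expects, applying the rules from the notes:
#   - https scheme, a *.vault.azure.net host, and no port number in the host
#   - a path of exactly /secrets/<name>/<version> or /keys/<name>/<version>
#   - a non-empty trailing <version> segment (URLs must be versioned)
# Returns 0 for an acceptable URL and 1 otherwise, printing the reason.
validate_kv_url() {
    local url=$1 rest host path p kind name version
    case $url in
        https://*) ;;
        *) printf 'reject: scheme must be https: %s\n' "$url"; return 1 ;;
    esac
    rest=${url#https://}
    host=${rest%%/*}          # everything up to the first slash
    path=${rest#"$host"}      # /secrets/... or /keys/... (may be empty)
    case $host in
        *:*) printf 'reject: port numbers are not accepted: %s\n' "$host"; return 1 ;;
        *.vault.azure.net) ;;
        *) printf 'reject: not a Key Vault host: %s\n' "$host"; return 1 ;;
    esac
    p=${path#/}
    case $p in
        secrets/*/*|keys/*/*) ;;
        *) printf 'reject: path must be /secrets/<name>/<version> or /keys/<name>/<version>: %s\n' "$path"; return 1 ;;
    esac
    kind=${p%%/*}
    p=${p#*/}                 # <name>/<version>
    name=${p%%/*}
    version=${p#*/}
    case $name in
        '') printf 'reject: empty object name: %s\n' "$url"; return 1 ;;
    esac
    case $version in
        '') printf 'reject: URL is not versioned: %s\n' "$url"; return 1 ;;
        *[!0-9a-zA-Z]*) printf 'reject: version must be one alphanumeric segment: %s\n' "$version"; return 1 ;;
    esac
    printf 'ok: kind=%s name=%s version=%s\n' "$kind" "$name" "$version"
}

# Print only the version segment of a versioned Key Vault URL; fails (no output)
# if the URL does not pass validate_kv_url.
kv_url_version() {
    validate_kv_url "$1" >/dev/null || return 1
    printf '%s\n' "${1##*/}"
}

# Constructed sample URLs (not real vaults): the two shapes from the notes, one with
# a port number, and one that is missing its version.
for u in \
    https://keyvaultname.vault.azure.net/secrets/EncryptionSecretWithKek/0123456789abcdef0123456789abcdef \
    https://keyvaultname.vault.azure.net/keys/diskencryptionkek/0123456789abcdef0123456789abcdef \
    https://keyvaultname.vault.azure.net:443/keys/diskencryptionkek/0123456789abcdef0123456789abcdef \
    https://keyvaultname.vault.azure.net/keys/diskencryptionkek
do
    validate_kv_url "$u" || true
done
```

Run it as a script to see the four verdicts, or source it and call validate_kv_url on the secret and KEK URLs you are about to pass to the encryption command.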
Azure Storage encryption
- Supports encryption at rest
- Microsoft managed keys
- Customer managed keys
- Azure Key Vault for managing the key and auditing key usage (storage account and key vault must be in the same region, but can be in different subscriptions)
- On-prem
- The key vault must have these properties (enabled by default):
  - Soft Delete (--enable-soft-delete; this flag has been deprecated, since soft delete is now always on)
  - Do Not Purge (purge protection)
#!/bin/bash
# This script explains how to encrypt data at rest in a storage account by using
# customer-managed keys
RG=RG$RANDOM
STORAGE=st$RANDOM
KEYVAULT=ky$RANDOM
KEY=key$RANDOM
LOCATION=westeurope
az login
az account list
# replace <subscription-id> with the target subscription
az account set --subscription <subscription-id>
az group create --name $RG --location $LOCATION
# Create the storage account (defaults: --sku Standard_RAGRS, --kind StorageV2)
# and assign a system-assigned managed identity to it
az storage account create --resource-group $RG --name $STORAGE
az storage account update --resource-group $RG --name $STORAGE --assign-identity
# Create a key vault which has Soft Delete and Do Not Purge (purge protection)
az keyvault create --resource-group $RG --name $KEYVAULT --location $LOCATION --enable-soft-delete --enable-purge-protection
# Get the managed identity's principal ID
STORAGE_ACCOUNT_PRINCIPAL=$(az storage account show --name $STORAGE --resource-group $RG --query identity.principalId --output tsv)
# Set the access policy for the storage identity on the key vault: only the key
# permissions the storage service needs (get, recover, unwrapKey, wrapKey)
az keyvault set-policy --name $KEYVAULT --resource-group $RG --object-id $STORAGE_ACCOUNT_PRINCIPAL --key-permissions get recover unwrapkey wrapkey
# Create a key
az keyvault key create --vault-name $KEYVAULT --name $KEY
# Configure the storage account to use the key for encryption
key_vault_uri=$(az keyvault show --resource-group $RG --name $KEYVAULT --query properties.vaultUri --output tsv)
# The query is quoted so the shell does not treat [] as a glob; the key version is
# the last segment of the key identifier (kid) URL
key_version=$(az keyvault key list-versions --vault-name $KEYVAULT --name $KEY --query "[].kid" --output tsv | cut -d '/' -f 6)
az storage account update --resource-group $RG --name $STORAGE --encryption-key-name $KEY --encryption-key-version $key_version --encryption-key-source Microsoft.Keyvault --encryption-key-vault $key_vault_uri
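The script above configures the customer-managed key but never confirms the result. As an added example that is not part of the original script, the checks below verify that the account's encryption really points at the Key Vault key (and at a specific version) and that the vault has soft delete and purge protection turned on. The check functions take plain values so they run offline on the constructed sample values at the bottom; the RUN_AZ switch, the sa/kv helper names and the JMESPath field names used in the live queries (encryption.keySource, encryption.keyVaultProperties.*, properties.enableSoftDelete, properties.enablePurgeProtection) are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not part of the original script: verify that the storage account
# encrypts with the customer-managed key and that the vault is hardened. Set RUN_AZ=1
# (a switch invented for this example) to feed the checks from live "az ... --output
# tsv" queries, reusing $RG, $STORAGE, $KEYVAULT and $KEY from the script above;
# the JMESPath field names in those queries are assumed from the az CLI output model.

# Usage: check_cmk_config KEYSOURCE KEYNAME KEYVERSION VAULTURI EXPECTED_KEY EXPECTED_VAULTURI
check_cmk_config() {
    local ksrc=$1 name=$2 version=$3 uri=${4%/} want_key=$5 want_uri=${6%/} ok=0
    # keySource must be Microsoft.Keyvault; Microsoft.Storage means platform-managed keys
    [ "$ksrc" = "Microsoft.Keyvault" ] || { echo "FAIL: keySource is '$ksrc', not Microsoft.Keyvault"; ok=1; }
    [ "$name" = "$want_key" ] || { echo "FAIL: key name is '$name', expected '$want_key'"; ok=1; }
    # an empty version (tsv prints null as blank or "None") means the account is not pinned to a key version
    case $version in ''|None|null) echo "FAIL: key version is not set"; ok=1 ;; esac
    # trailing slashes were stripped above so ".../" and "..." forms of the vault URI compare equal
    [ "$uri" = "$want_uri" ] || { echo "FAIL: vault URI is '$uri', expected '$want_uri'"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: CMK $name ($version) from $uri"
    return "$ok"
}

# Usage: check_vault_hardening SOFTDELETE PURGEPROTECTION  (booleans as az prints them: True/true)
check_vault_hardening() {
    local ok=0
    case $1 in True|true) ;; *) echo "FAIL: soft delete is not enabled ($1)"; ok=1 ;; esac
    case $2 in True|true) ;; *) echo "FAIL: purge protection is not enabled ($2)"; ok=1 ;; esac
    [ "$ok" -eq 0 ] && echo "OK: vault has soft delete and purge protection"
    return "$ok"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
    # one field per query so a null keyVersion cannot shift the other columns
    sa() { az storage account show --resource-group "$RG" --name "$STORAGE" --query "$1" --output tsv; }
    kv() { az keyvault show --resource-group "$RG" --name "$KEYVAULT" --query "$1" --output tsv; }
    check_cmk_config "$(sa encryption.keySource)" "$(sa encryption.keyVaultProperties.keyName)" \
        "$(sa encryption.keyVaultProperties.keyVersion)" "$(sa encryption.keyVaultProperties.keyVaultUri)" \
        "$KEY" "$(kv properties.vaultUri)"
    check_vault_hardening "$(kv properties.enableSoftDelete)" "$(kv properties.enablePurgeProtection)"
else
    # Constructed sample values standing in for the az output: one compliant account,
    # one still on platform-managed keys, one vault without purge protection
    check_cmk_config Microsoft.Keyvault key12345 0123456789abcdef0123456789abcdef https://ky12345.vault.azure.net/ key12345 https://ky12345.vault.azure.net/
    check_cmk_config Microsoft.Storage "" "" "" key12345 https://ky12345.vault.azure.net/ || true
    check_vault_hardening True True
    check_vault_hardening True False || true
fi
```

Without RUN_AZ the script only exercises the sample values; with RUN_AZ=1 after running the configuration script in the same shell, a non-zero exit from either check means the storage account is still on Microsoft-managed keys or the vault can be purged.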

You owe your dreams your courage.
Koleka Putuma