Securing your data on virtual machines with Azure Disk Encryption


Introduction

The OS and data disks of your virtual machines are encrypted at rest by default. This is called Server-Side Encryption (SSE); it uses platform-managed keys and requires no configuration on your part. If you want more control over the keys that protect your disks, there is Azure Disk Encryption (ADE).

ADE uses BitLocker on Windows and dm-crypt on Linux to encrypt your OS and data disks from inside the guest OS, and it integrates with Azure Key Vault so that you manage and control the disk encryption keys and secrets yourself.

When reading about this you will also come across the terms BEK and KEK:

BitLocker encryption key (BEK)

  • The key that actually encrypts the disk, the first layer of protection. On Windows it is the BitLocker key; on Linux ADE uses a dm-crypt passphrase in the same role. ADE stores it as a secret in your Key Vault.

Key encryption key (KEK)

  • An optional RSA key in your Key Vault that adds a layer on top of the BEK. When a KEK is configured, ADE wraps (encrypts) the BEK with the KEK before writing it to the Key Vault, so the secret stored in the vault is itself ciphertext. In short, you are encrypting your BitLocker key with a key you control.

Other types of encryption in Azure

There is also a feature called encryption at host. Here the encryption is performed on the Azure host that runs your VM rather than in the storage service, which gives you end-to-end encryption: your OS and data disks are still encrypted at rest, and in addition the temp disk and the OS/data disk caches on the host are encrypted, so the data flowing from compute to storage is encrypted as well.

Temporary and ephemeral (non-persistent) disks are encrypted at rest with platform-managed keys when you enable end-to-end encryption; the OS and data disk caches use whichever key type (platform-managed or customer-managed) the disk itself is encrypted with.

Azure Disk Encryption cannot be enabled on a VM whose disks have encryption at host enabled, so do not confuse ADE with end-to-end encryption: they are separate, mutually exclusive features, and you should check which one a VM uses before enabling the other.

Configure Azure Disk Encryption on keyvault and enable encryption on VM

With the Azure CLI you can either create a new key vault or update an existing one to be compatible with ADE:

  • New key vault
az keyvault create --name "kvname" --resource-group "rgname" --location "<location>" --enabled-for-disk-encryption
  • Existing key vault
az keyvault update --name "kvname" --resource-group "rgname" --enabled-for-disk-encryption "true"
  • Create a key encryption key (KEK) and encrypt your virtual machine:
az keyvault key create --name "keyName" --vault-name "kvname" --kty RSA --size 4096

az vm encryption enable -g "rgname" --name "vmname" --disk-encryption-keyvault "kvname" --key-encryption-key "keyName"

The --key-encryption-key parameter accepts either the key name or its full Key Vault URL, and --volume-type lets you limit encryption to OS or DATA instead of the default ALL.

Note that enabling encryption can reboot the VM, so treat it as a maintenance window. You can follow progress and confirm the result with az vm encryption show -g "rgname" --name "vmname".
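As an added example for this post (my own script, not code from Microsoft's documentation), the following bash script runs the procedure above end to end in the order a practitioner would want: it refuses to continue if encryption at host is already on (the two features are mutually exclusive, as noted earlier), creates or updates the key vault, creates the RSA KEK only if it does not already exist, enables ADE with the BEK wrapped by the KEK, and prints the status. The resource names, the region and the AZ variable are assumptions; the CLI commands and flags are the real ones from the steps above.

```shell
#!/usr/bin/env bash
# Added example for this article (not Microsoft's code): enable ADE with a KEK
# end to end. Resource names (rgname, kvname, vmname, ade-kek) and the region
# are placeholders; override them through the environment.
set -eu

AZ="${AZ:-az}"                 # az binary; point at a stub to dry-run
RG="${RG:-rgname}"
KV="${KV:-kvname}"
VM="${VM:-vmname}"
KEK="${KEK:-ade-kek}"
LOCATION="${LOCATION:-westeurope}"

# ADE and encryption at host are mutually exclusive, so refuse early instead
# of failing half-way through. Returns 0 when ADE may proceed.
check_not_encryption_at_host() {
  eah=$("$AZ" vm show --resource-group "$RG" --name "$VM" \
          --query "securityProfile.encryptionAtHost" -o tsv 2>/dev/null || true)
  case "$eah" in
    [Tt]rue)
      echo "encryption at host is enabled on $VM; ADE cannot be enabled on it" >&2
      return 1 ;;
  esac
}

# Make sure the key vault exists and is enabled for disk encryption; prints
# "created" or "updated" so the caller can see which path ran.
ensure_keyvault() {
  if "$AZ" keyvault show --name "$KV" --resource-group "$RG" >/dev/null 2>&1; then
    "$AZ" keyvault update --name "$KV" --resource-group "$RG" \
      --enabled-for-disk-encryption true >/dev/null
    echo updated
  else
    "$AZ" keyvault create --name "$KV" --resource-group "$RG" \
      --location "$LOCATION" --enabled-for-disk-encryption >/dev/null
    echo created
  fi
}

# Create the RSA-4096 key encryption key unless one with that name exists.
ensure_kek() {
  if "$AZ" keyvault key show --vault-name "$KV" --name "$KEK" >/dev/null 2>&1; then
    echo exists
  else
    "$AZ" keyvault key create --vault-name "$KV" --name "$KEK" \
      --kty RSA --size 4096 >/dev/null
    echo created
  fi
}

# Enable ADE on the VM with the BEK wrapped by the KEK. Volume type is ALL
# (default), OS or DATA. This step may reboot the VM.
enable_ade() {
  volume="${1:-ALL}"
  "$AZ" vm encryption enable --resource-group "$RG" --name "$VM" \
    --disk-encryption-keyvault "$KV" --key-encryption-key "$KEK" \
    --volume-type "$volume"
}

# Show the encryption status reported by the ADE extension.
ade_status() {
  "$AZ" vm encryption show --resource-group "$RG" --name "$VM" -o table
}

# Run the whole procedure only when invoked as: ./enable-ade.sh run
if [ "${1:-}" = "run" ]; then
  check_not_encryption_at_host
  ensure_keyvault
  ensure_kek
  enable_ade ALL
  ade_status
fi
```

Run it with ./enable-ade.sh run from a shell where az login has already been done. The AZ variable exists so you can substitute a stub for a dry run and see exactly which commands would be issued before touching a production VM; the Key Vault and KEK steps are idempotent, so re-running the script after a failed encryption step does not create duplicate resources.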

Conclusion & Purpose of ADE

If my OS and data disks are encrypted out of the box when I create my virtual machine, why would I want to use ADE? Why use both?

It was one of the questions I was struggling with when researching this topic but I would summarize it as follows:

  • ADE gives you full management and control of the encryption keys and secrets: they live in your own Key Vault, and the BEK can be wrapped with a KEK you manage
  • Access to those keys and secrets can be audited through Key Vault logging, which helps with compliance
  • Encryption happens inside the guest OS, so the disk contents written to Azure Storage are already ciphertext. Snapshots, backups, replicas and migrated copies of the disk stay encrypted and are unusable without the secrets in your Key Vault

Note that SSE can also use customer-managed keys (through a disk encryption set), which covers the key-control and audit points without an in-guest agent; what remains unique to ADE is that the storage layer never handles your plaintext.

There are probably more reasons, but the ones above certainly convince me to use ADE on machines where I want to protect my data.
