Azure Disk Encryption: Securing Data at Rest

Prasoon Dwivedi
Walmart Global Tech Blog
8 min read · Aug 22, 2019
Photo Credit : https://pixabay.com

With the pervasive use of cloud computing, it is of utmost importance to consider various measures for ensuring the confidentiality, integrity, and availability of the data. Securing data at rest is one of the many such considerations. Microsoft Azure provides a seamless way to secure data at rest through encryption-at-rest.

Encryption-at-rest is a common strategy to prevent data compromise in case an adversary gains physical access to the storage medium where the data lives. It is also a requirement of many industry and government regulations. The idea is simple: a symmetric key (called the Data Encryption Key, or DEK) encrypts the data as it is written to storage, and the same key decrypts it when it is read back. Multiple DEKs can be used to encrypt partitioned data, so that a single key protects only a single partition and the attack surface is kept to a minimum.

Understanding the key hierarchy

Azure's data encryption-at-rest scheme uses a combination of symmetric and asymmetric keys to establish its key space. These are categorized into:

  1. Data Encryption Key (DEK): AES-256 symmetric keys used to encrypt data blocks. A single resource can be divided into multiple partitions, and a separate DEK is then used to encrypt each partition.
  2. Key Encryption Key (KEK): asymmetric keys used to encrypt (wrap) the DEKs, adding an extra layer of security.

Encryption-at-Rest schemes in Azure

The encryption-at-rest schemes in Azure are divided into two groups:

  1. Server-side encryption: In server-side encryption, data-at-rest is encrypted and decrypted by the Azure resources themselves. This is transparent to the customer of the resource. Server-side encryption can be further categorized into three major scenarios depending on how the cryptographic keys are managed. In all three scenarios, the encryption and decryption functionality is provided by the Azure resources.
  2. Client-side encryption: In client-side encryption, the cryptographic operations are performed by the client application, either on the Azure resource or outside the Azure ecosystem on a client-managed system. Key management is done by the client and is completely opaque to Azure.

Azure Disk Encryption

Azure clients using the IaaS cloud model can secure the data hosted on their VMs and disks through Azure Disk Encryption. Azure Disk Encryption is tightly integrated with Azure Key Vault, which gives clients the ability to manage their disk encryption keys and secrets. Azure Disk Encryption uses BitLocker on Windows and the dm-crypt feature on Linux to provide OS and data disk encryption. There is no additional monetary cost for OS and data disk encryption on Azure VMs, although there is a cost for the Azure Key Vault used to manage the disk encryption keys.

Getting started with Azure Disk Encryption

Selecting the operating system: For VMs running Microsoft Windows, Azure Disk Encryption is supported on Windows client 8 and later, and on Windows Server 2008 R2 and later.

Only a subset of the Linux server distributions endorsed by Azure support Azure Disk Encryption.

System configuration: Azure Disk Encryption is only available on supported distributions that meet the minimum memory requirement. For Windows it is 2 GB. For Linux distributions it is 2 GB for data disks and 8 GB for the OS disk when root file system usage is below 4 GB; if root file system usage exceeds 4 GB, the minimum memory requirement is twice the root file system usage. Although this seems like a lot of memory for encrypting Linux OS disks, the VM can be reconfigured to run with less memory once the encryption process is complete. Azure Disk Encryption also requires the dm-crypt and vfat modules to be present on Linux VMs in order to function properly.

Create a Key Vault for Azure Disk Encryption

Azure Key Vault is tightly coupled with Azure Disk Encryption for IaaS VMs and greatly simplifies the control and management of the DEKs and KEKs used for disk encryption. A client can create a new key vault or reuse an existing one for disk encryption. It is important to note that the Azure Key Vault used for disk encryption and the VM must reside in the same Azure location. This ensures that the disk encryption secrets never cross regional boundaries.

Going forward we will be using Azure CLI for all our examples and illustrations.

To list all the locations available to a subscription, run the following command:

az account list-locations

If required, create a new resource group. For this demo we create a new resource group named myResourceGroup in the southindia location.

az group create --name myResourceGroup --location southindia
{
"id": "/subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup",
"location": "southindia",
"managedBy": null,
"name": "myResourceGroup",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null
}

The next step is to create an Azure Key Vault enabled for disk encryption:

az keyvault create -n myKeyManagementVault -g myResourceGroup \
--enabled-for-disk-encryption
{
"id": "/subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault",
"location": "southindia",
"name": "myKeyManagementVault",
"properties": {
"accessPolicies": [{
"applicationId": null,
"objectId": "4afd3356-65f8-41ea-94bd-0bcc6645bbe4",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover"
],
"keys": [
"get",
"create",
"delete",
"list",
"update",
"import",
"backup",
"restore",
"recover"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover"
],
"storage": [
"get",
"list",
"delete",
"set",
"update",
"regeneratekey",
"setsas",
"listsas",
"getsas",
"deletesas"
]
},
"tenantId": "e8b4ba82-2e4b-4a3f-8944-8b8bdfb54f2a"
}],
"createMode": null,
"enablePurgeProtection": null,
"enableSoftDelete": null,
"enabledForDeployment": false,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"tenantId": "e8b4ba82-2e4b-4a3f-8944-8b8bdfb54f2a",
"vaultUri": "https://mykeymanagementvault.vault.azure.net/"
},
"resourceGroup": "myResourceGroup",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}

Make a note of the key vault id from the output; it is needed when enabling encryption on the VM.

We will now create a new virtual machine to see Azure Disk Encryption in action. For this we spin up a VM from the Windows Server 2016 Datacenter image:

az vm create -n myVM -g myResourceGroup \
--image MicrosoftWindowsServer:WindowsServer:2016-Datacenter:latest
{
"fqdns": "",
"id": "/subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
"location": "southindia",
"macAddress": "00-0D-3A-F2-8B-63",
"powerState": "VM running",
"privateIpAddress": "10.0.0.4",
"publicIpAddress": "52.172.33.101",
"resourceGroup": "myResourceGroup",
"zones": ""
}

We will also create a new data disk and attach it to the VM. Once the data disk is created and attached, it must be initialized and formatted inside the guest before it can be used and encrypted.

az vm disk attach -g myResourceGroup --vm-name myVM -n dataDisk --size-gb 1 --new

Before encrypting the OS and data disks attached to our virtual machine, we check their current encryption status with the following command:

az vm encryption show --resource-group myResourceGroup --name myVM
{
"disks": [{
"encryptionSettings": null,
"name": "myVM_OsDisk_1_dbf6fe9556174b739d5e04eb3b379d32",
"statuses": [{
"code": "EncryptionState/notEncrypted",
"displayStatus": "Disk is not encrypted",
"level": "Info",
"message": null,
"time": null
}]
},
{
"encryptionSettings": null,
"name": "dataDisk",
"statuses": [{
"code": "EncryptionState/notEncrypted",
"displayStatus": "Disk is not encrypted",
"level": "Info",
"message": null,
"time": null
}]
}
],
"status": null,
"substatus": null
}

Next we encrypt the OS and data disks attached to the VM. By default the command below encrypts both the OS disk and any data disks that have been initialized and formatted. To encrypt only the OS disk or only the data disks, use the --volume-type option; the allowed values for this flag are ALL, OS, and DATA. On Windows VMs the data volumes cannot be encrypted without first encrypting the OS volume, whereas on Linux VMs it is possible to encrypt the data volumes without encrypting the OS volume first. Once the OS volume of a Linux IaaS VM has been encrypted, disabling encryption on that OS volume is not supported. Depending on the number and size of the volumes, the process can take anywhere from a few minutes to a couple of hours.

az vm encryption enable --resource-group myResourceGroup --name myVM --disk-encryption-keyvault /subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault

Post encryption: Encryption status of the disks on the Azure portal

Recheck the encryption status of the disks attached to the VM once the encryption process is complete:

az vm encryption show --resource-group myResourceGroup --name myVM
{
"disks": [{
"encryptionSettings": [{
"diskEncryptionKey": {
"secretUrl": "https://mykeymanagementvault.vault.azure.net/secrets/629BB3DC-10E1-4C9B-AEA7-A220593EAC65/e43b0de46ee948638d065474227407d7",
"sourceVault": {
"id": "/subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault"
}
},
"enabled": true,
"keyEncryptionKey": null
}],
"name": "myVM_OsDisk_1_dbf6fe9556174b739d5e04eb3b379d32",
"statuses": [{
"code": "EncryptionState/encrypted",
"displayStatus": "Encryption is enabled on disk",
"level": "Info",
"message": null,
"time": null
}]
},
{
"encryptionSettings": [{
"diskEncryptionKey": {
"secretUrl": "https://mykeymanagementvault.vault.azure.net/secrets/8D014FAA-C806-4C30-8767-A5F35879E8F2/c447e0bdfe2c4e7787eb72325882eff4",
"sourceVault": {
"id": "/subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault"
}
},
"enabled": true,
"keyEncryptionKey": null
}],
"name": "dataDisk",
"statuses": [{
"code": "EncryptionState/encrypted",
"displayStatus": "Encryption is enabled on disk",
"level": "Info",
"message": null,
"time": null
}]
}
],
"status": [{
"code": "ProvisioningState/succeeded",
"displayStatus": "Provisioning succeeded",
"level": "Info",
"message": "",
"time": null
}],
"substatus": null
}

List the secrets present in the key vault. You will notice two new secrets: these are the two DEKs, of content type BitLocker Encryption Key (BEK), used to encrypt the two volumes attached to the VM. The tags on each secret record the machine name and the volume it protects.

az keyvault secret list --vault-name myKeyManagementVault
[
{
"attributes": {
"created": "2019-08-05T08:54:58+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Purgeable",
"updated": "2019-08-05T08:54:58+00:00"
},
"contentType": "BEK",
"id": "https://mykeymanagementvault.vault.azure.net/secrets/629BB3DC-10E1-4C9B-AEA7-A220593EAC65",
"managed": null,
"tags": {
"DiskEncryptionKeyFileName": "629BB3DC-10E1-4C9B-AEA7-A220593EAC65.BEK",
"MachineName": "myVM",
"VolumeLabel": "Windows",
"VolumeLetter": "C:\\"
}
},
{
"attributes": {
"created": "2019-08-05T08:54:58+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Purgeable",
"updated": "2019-08-05T08:54:58+00:00"
},
"contentType": "BEK",
"id": "https://mykeymanagementvault.vault.azure.net/secrets/8D014FAA-C806-4C30-8767-A5F35879E8F2",
"managed": null,
"tags": {
"DiskEncryptionKeyFileName": "8D014FAA-C806-4C30-8767-A5F35879E8F2.BEK",
"MachineName": "myVM",
"VolumeLabel": "New Volume",
"VolumeLetter": "G:\\"
}
}
]
DEK present in the key vault

If you need to rotate the DEKs used to encrypt the OS and data volumes, simply rerun the same command. The same method can be used to move the DEKs to a different key vault.

To disable Azure Disk Encryption, run the command below (keeping in mind the Linux OS volume restriction noted earlier):

az vm encryption disable \
--resource-group myResourceGroup \
--name myVM

Protecting DEKs using KEKs

An additional layer of protection can be added by wrapping the DEKs used for Azure Disk Encryption with a Key Encryption Key (KEK). To achieve this we first create an asymmetric key in our key vault:

az keyvault key create --name myKEK --vault-name myKeyManagementVault
{
"attributes": {
"created": "2019-08-05T09:34:48+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Purgeable",
"updated": "2019-08-05T09:34:48+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"keyOps": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"kid": "https://mykeymanagementvault.vault.azure.net/keys/myKEK/b7fb9e4341b94ecc958049abf1a3ceb8",
"kty": "RSA",
"n": "3/VvTOjlR/mDCpXJoPJgPwBJ+VmwSBmGAKrBI/xau8Psp3gdzqtPdaYqIXrD1Qz4V2sU/6BwxNkwxGF5+orVEZzBFS/Cgm4CQM6UuqBDpEvrRlqXRuSR9aKfYHgo/blS1CTmMNP6DynKRRbim8JPYkaTCFvCXnD5ihKW1cFfu7t1Yej0Ce0+wEgsHfVuWi393uWiMAXd0qnBW/Rj+2qz+gJKMxyii/5E8rdhvtKzJvT1ujtQG0VWAbwG0JZJzR8tAu+pAV4AVWmaQ5CzITpslx+dHv877WoNpam37vuZAKU82zsLNB2jRMFvv4HlAqWOFiMHZc/mevrtoxZsOlPiFw==",
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"tags": null
}

The KEK and the DEK can reside in different key vaults, but both vaults must be in the same Azure location as the VM. The default key-wrapping algorithm is RSA-OAEP; a different one can be specified with the --key-encryption-algorithm flag. Rerunning the enable command with the KEK parameters wraps the DEKs with myKEK:

az vm encryption enable \
--resource-group myResourceGroup \
--name myVM \
--disk-encryption-keyvault /subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault \
--key-encryption-keyvault /subscriptions/09d9d0a3-9e7a-4f32-8106-fd0db8763f83/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyManagementVault \
--key-encryption-key https://mykeymanagementvault.vault.azure.net/keys/myKEK/b7fb9e4341b94ecc958049abf1a3ceb8
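As an added check that is not part of the original post, the following Python audits the JSON returned by az vm encryption show against the requirements discussed in the last two sections: every disk must report EncryptionState/encrypted, every DEK must live in the expected key vault, and once a KEK is in use every DEK must be wrapped by one. The sample status document is constructed to mirror the output shown earlier (ids shortened); the keyEncryptionKey shape with a keyUrl field is assumed from the Azure API and is not shown on this page.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the `az vm encryption show` output in this post
# (ids shortened): the OS disk's DEK is wrapped by myKEK, the data disk still has
# a bare DEK, and a third disk was never encrypted.
VAULT = "https://mykeymanagementvault.vault.azure.net"
SAMPLE_STATUS = json.loads("""{"disks": [
  {"name": "myVM_OsDisk", "statuses": [{"code": "EncryptionState/encrypted"}],
   "encryptionSettings": [{"enabled": true,
     "diskEncryptionKey": {"secretUrl": "%s/secrets/OSDEK/v1"},
     "keyEncryptionKey": {"keyUrl": "%s/keys/myKEK/v1"}}]},
  {"name": "dataDisk", "statuses": [{"code": "EncryptionState/encrypted"}],
   "encryptionSettings": [{"enabled": true,
     "diskEncryptionKey": {"secretUrl": "%s/secrets/DATADEK/v1"},
     "keyEncryptionKey": null}]},
  {"name": "scratchDisk", "statuses": [{"code": "EncryptionState/notEncrypted"}],
   "encryptionSettings": null}]}""" % (VAULT, VAULT, VAULT))


def audit_disks(status, expected_vault_host, require_kek=True):
    """Return {disk name: [findings]}; an empty list means the disk passes.
    expected_vault_host is the hostname taken from the vault's vaultUri."""
    findings = {}
    for disk in status.get("disks", []):
        issues = []
        codes = {s.get("code") for s in disk.get("statuses") or []}
        if "EncryptionState/encrypted" not in codes:
            issues.append("not encrypted")
        for setting in disk.get("encryptionSettings") or []:
            if not setting.get("enabled"):
                issues.append("encryption settings present but disabled")
            dek_url = (setting.get("diskEncryptionKey") or {}).get("secretUrl", "")
            host = urlparse(dek_url).hostname
            if host != expected_vault_host:
                issues.append("DEK stored outside expected vault (%s)" % host)
            if require_kek and not setting.get("keyEncryptionKey"):
                issues.append("DEK not wrapped by a KEK")
        findings[disk["name"]] = issues
    return findings


def is_compliant(status, expected_vault_host, require_kek=True):
    """True only when no disk has any finding."""
    return not any(audit_disks(status, expected_vault_host, require_kek).values())
```

Feed it the real output with `az vm encryption show ... -o json` piped into json.load and set require_kek according to whether the KEK step above has been applied to the VM.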

To conclude, Azure Disk Encryption protects data-at-rest by making the data unrecoverable without the key held in Key Vault, and thus protects it from unauthorized reads.

References:

  1. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview
  2. https://docs.microsoft.com/en-us/cli/azure/vm/encryption?view=azure-cli-latest
  3. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  4. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
  5. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows


Software Security Enthusiast. Views here are my own and do not represent my employer.