For virtual infrastructure in Microsoft Azure, there are different settings one can use to encrypt data for virtual infrastructure. This is dependent on what kind of requirements you have as a business from a security perspective. Also one needs to understand how these different encryption features work together with other features in Microsoft Azure such as backup, eksport and such. These are some of the topics I will go trough in this blog post.
Within Microsoft Azure, once you setup a virtual machine it will have one or more managed disks. These managed disks are automatically encrypted using a feature called Azure SSE.
Azure SSE is essentially – Azure Storage encryption for data at rest, which means that data is physically encrypted within Microsoft’s datacenters, and ensuring that if some bad guys tried to get access to the physical disks they would not be able to read data on thise. Azure SSE is using Microsoft Managed Keys, so they manage the encryption keys for all data that is stored there, this is also known as Azure SSE with PMK (Platform Managed Keys). This feature is enabled by default, and there is no way to disable this feature.
So this means that Microsoft is reponsible for storing and managing the keys. Now a new option which was recently introduced is a new feature called server-side encryption with customer-managed keys for Azure Managed Disks. With this feature it now allows a customer to control the keys that are being used to encrypt the data using KeyVault. This feature is also known as Azure SSE with CMK. All machines can be converted from Azure SSE with PMK to CMK. It is important to note however that you cannot switch back from CMK to PMK. A second point here is that CMK is not compatible with ADE which is described a bit later in this post.
Switching to Azure SSD with CMK can be done directly on the disk level. The only requirement is defining something called a Disk Encryption set.
The Disk encryption set is essentially an managed identity which is used to communicate Azure AD to authenticate/access to Key Vault.
Once Azure SSE with CMK is enabled however there are some caveats.
- If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn’t using customer-managed keys.
- Only “soft” and “hard” RSA keys of size 2080 are supported, no other keys or sizes.
- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
- Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
- All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
- Disks, snapshots, and images encrypted with customer-managed keys cannot move to another subscription.
- If you use the Azure portal to create your disk encryption set, you cannot use snapshots for now.
- Managed disks encrypted using server-side encryption with customer-managed keys cannot also be encrypted with Azure Disk Encryption and vice versa
One thing is that SSE+CMK enables is that you can control which keys that are used to encrypt data at rest. However this feature means that you cannot use it together with Azure Disk Encryption. This means that if an insider or an authorized user got access to your subscription they could essentially download the VHD file of the VM and still be able to inspect the data inside it, since SSE does not encrypt the virtual hard drive.
The last option is called ADE (Azure Disk Encryption) which encrypts the OS and data drives for both Linux and Windows. For Windows it is using Bitlocker and for Linux it is using DM-crypt. This is done trough an VM extension and provides server-side encryption. This feature means that the OS and data disk will be encrypted it means that if someone manages to download a VHD file will not be able to inspect the VM.
ADE can be used together with PMK but not with CMK.
Services such as Azure Backup support backup of virtual machines encrypted using ADE. It should be noted that there are some limitations.
- You can back up and restore encrypted VMs within the same subscription and region.
- Azure Backup supports VMs encrypted using standalone keys. Any key that is a part of a certificate used to encrypt a VM isn’t currently supported.
- You can back up and restore encrypted VMs within the same subscription and region as the Recovery Services Backup vault.
- Encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files and folders.
- When restoring a VM, you can’t use the replace existing VM option for encrypted VMs. This option is only supported for unencrypted managed disks.
In order for Azure Backup to have this, it means that it needs read-only access to back up the keys and secrets, along with the associated VMs.
Now for ADE to work, the extension within the VM needs to be allowed to communicate to both Azure Active Directory endpoints and Key Vault endpoints.So if you are using Azure Firewall or some other firewall vendor you would need to open up for the following URL/IP’s https://docs.microsoft.com/en-us/azure/key-vault/general/access-behind-firewall. Azure Site Recovery also supports ADE (Where you have the required permissions here –> https://docs.microsoft.com/nb-no/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms)
This sums up the different options. The biggest thing to be aware of that SSE does not (Regardless if it is CMK or PMK) to export a disk from the Azure Portal and open it using some disk management tool and read the data) but ADE does that since it is encrypting the OS and optionally the data disk using Bitlocker or DM-crypt.