Azure Encryption
As part of the governance series, we will look at how to use encryption so that our environments are both secure and compliant. The important encryption services in Azure are:
Storage Service encryption
This encryption is applied automatically to all storage accounts and managed disks and uses 256-bit AES symmetric encryption. It happens on the storage service side and is transparent to the VM. We can use Microsoft-managed encryption keys or bring our own customer-managed keys held in Azure Key Vault. More details can be found here
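The customer-managed key option mentioned above takes a few steps that are easy to get wrong (the identity, the vault permissions, the pinned key version). As an added example, not code from the original post, the following PowerShell switches an existing storage account from Microsoft-managed keys to a key in Key Vault, using the same AzureRm cmdlet family as the rest of this page. The function name, the resource names in the usage line and the vault prerequisites are assumptions; the vault must already exist with soft delete enabled.

```powershell
# Added example, not from the original post: enable a customer-managed key for
# Storage Service Encryption. Cmdlets are from the AzureRm.Storage and
# AzureRm.KeyVault modules; the function name and all resource names are assumptions.
Function Set-StorageAccountCustomerManagedKey {
    param(
        [Parameter(Mandatory)][String]$ResourceGroupName,
        [Parameter(Mandatory)][String]$StorageAccountName,
        [Parameter(Mandatory)][String]$KeyVaultName,
        [Parameter(Mandatory)][String]$KeyName
    )
    # Storage CMK requires a vault with soft delete, so that a deleted key can be recovered
    # instead of leaving the account's data permanently unreadable.
    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName
    if ($null -eq $vault) { throw "Key vault $KeyVaultName not found" }
    if (-not $vault.EnableSoftDelete) { throw "Key vault $KeyVaultName must have soft delete enabled" }

    # 1. Give the storage account a system-assigned managed identity; that identity, not a
    #    user or a stored credential, is what authenticates to Key Vault for wrap/unwrap.
    $storage = Set-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -AssignIdentity

    # 2. Least privilege on the vault: the identity needs get, wrapKey and unwrapKey on keys only.
    #    It never needs to export the key, and it gets no permission on secrets or certificates.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName `
        -ObjectId $storage.Identity.PrincipalId `
        -PermissionsToKeys get,wrapKey,unwrapKey

    # 3. Create the key if it is missing. Add-AzureKeyVaultKey makes an RSA 2048 key by default;
    #    on a Premium vault use -Destination HSM so the key material is HSM-protected.
    $key = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $key = Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -Destination Software
    }

    # 4. Point the account's encryption at that key. The key version is pinned here, so a key
    #    rotation in the vault does not take effect until this is re-run with the new version.
    Set-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $vault.VaultUri | Out-Null

    # 5. Read back what the service reports. KeySource is "Microsoft.Keyvault" once CMK is active
    #    and "Microsoft.Storage" while the account is still on Microsoft-managed keys.
    $account = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    [PSCustomObject]@{
        StorageAccount = $account.StorageAccountName
        KeySource      = $account.Encryption.KeySource
        KeyVaultUri    = $account.Encryption.KeyVaultProperties.KeyVaultUri
        KeyName        = $account.Encryption.KeyVaultProperties.KeyName
        KeyVersion     = $account.Encryption.KeyVaultProperties.KeyVersion
    }
}

# Usage (placeholder names, assumed to exist in the current subscription):
# Set-StorageAccountCustomerManagedKey -ResourceGroupName "test" -StorageAccountName "teststoragecmk" `
#     -KeyVaultName "KeyVaultEncrypTest" -KeyName "StorageKey"
```

To move an account back to Microsoft-managed keys, call Set-AzureRmStorageAccount with -StorageEncryption instead of -KeyvaultEncryption. Because the key version is pinned, build key rotation into the process: create the new version, re-run step 4, and only then disable the old version.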
Azure Disk Encryption (ADE)
Azure VMs can use this feature to encrypt both Windows and Linux machines. It uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks, so unlike Storage Service Encryption the encryption happens inside the guest OS. It uses Azure Key Vault to control and manage the disk-encryption keys and secrets. There are two kinds of keys:
- BEK: the BitLocker encryption key is used to encrypt the OS boot volume and the data volumes. BitLocker keys are safeguarded in the key vault as secrets.
- KEK: the key encryption key is an asymmetric key (RSA 2048) that you can use to protect, or wrap, the BEK secret in the key vault. With a KEK in place, what is written to the vault is the BEK wrapped by the KEK rather than the raw BEK.
We will see how to enable disk encryption for a Windows VM using PowerShell. It can also be done for a Linux VM. More details can be found here
The script uses the AzureRm module; the same cmdlets exist in its successor, the Az module, with "AzureRm" replaced by "Az" in the cmdlet names (for example Set-AzVMDiskEncryptionExtension, Get-AzKeyVaultKey).
It is a two-step process. In the first step we create the key vault, create the KEK in the vault, and enable the vault for disk encryption: the EnabledForDiskEncryption access policy is what allows the Azure platform, rather than a user, to retrieve the BEK secret and unwrap it with the KEK when the VM boots. This is shown below.
Function Set-EncryptionInfrastructure {
    param(
        [String]$ManagementSubscriptionName,
        [String]$Location,
        [String]$KeyVaultResourceGroupName,
        [String]$KeyVaultName,
        [String]$KeyEncryptionKey
    )
    # Work in the subscription that owns the key vault (it may differ from the VM's subscription).
    Set-AzureRmContext -SubscriptionName $ManagementSubscriptionName | Out-Null
    $context = Get-AzureRmContext
    # Resource group for the vault: create it only if it does not exist yet.
    $keyVaultResourceGroup = Get-AzureRmResourceGroup -Name $KeyVaultResourceGroupName -AzureRmContext $context -ErrorAction SilentlyContinue
    if ($null -eq $keyVaultResourceGroup)
    {
        Write-Host "Creating resource group $KeyVaultResourceGroupName"
        New-AzureRmResourceGroup -Name $KeyVaultResourceGroupName -Location $Location -AzureRmContext $context | Out-Null
    }
    # Key vault: vault names are globally unique, so reuse an existing one rather than fail on create.
    $keyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -AzureRmContext $context -ErrorAction SilentlyContinue
    if ($null -eq $keyVault)
    {
        Write-Host "Creating key vault $KeyVaultName"
        $keyVault = New-AzureRmKeyVault -Location $Location -ResourceGroupName $KeyVaultResourceGroupName -VaultName $KeyVaultName -AzureRmContext $context
    }
    # Key encryption key (KEK): the RSA key that wraps the BEK. Add-AzureKeyVaultKey creates an RSA 2048 key
    # by default. -Destination "Software" is fine for a test; use "HSM" on a Premium vault for production keys.
    $keyVaultKey = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKey -AzureRmContext $context -ErrorAction SilentlyContinue
    if ($null -eq $keyVaultKey)
    {
        Write-Host "Creating key encryption key $KeyEncryptionKey"
        $keyVaultKey = Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKey -Destination "Software" -AzureRmContext $context
    }
    # Allow the Azure platform (not a user) to read the BEK secret and unwrap it with the KEK when the VM boots.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroupName -EnabledForDiskEncryption -AzureRmContext $context
}
In the second step, we enable encryption on the VM using the Azure Disk Encryption extension. The VM must be running, and it is restarted as part of the process, so plan for a short outage.
Function Set-VMDiskEncryption {
    param(
        [String]$ManagementSubscriptionName,
        [String]$KeyVaultResourceGroupName,
        [String]$KeyVaultName,
        [String]$KeyEncryptionKey,
        [String]$VMResourceGroup,
        [String]$VMName
    )
    Set-AzureRmContext -SubscriptionName $ManagementSubscriptionName | Out-Null
    $context = Get-AzureRmContext
    $vm = Get-AzureRmVM -ResourceGroupName $VMResourceGroup -Name $VMName -AzureRmContext $context -ErrorAction SilentlyContinue
    if ($null -eq $vm)
    {
        # Say so rather than silently doing nothing, otherwise a typo in the VM name looks like success.
        Write-Warning "VM $VMName not found in resource group $VMResourceGroup; nothing was encrypted"
        return
    }
    $keyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -AzureRmContext $context
    $keyVaultKey = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKey -AzureRmContext $context
    # The extension needs the vault that will hold the BEK secret (vault URL + resource ID) and the
    # KEK that wraps it (versioned key URL + the resource ID of the vault it lives in; the same vault here).
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri
    $keyVaultResourceId = $keyVault.ResourceId
    $keyEncryptionKeyUrl = $keyVaultKey.Key.Kid
    # Installs the AzureDiskEncryption extension in the guest, encrypts the OS and data volumes
    # (-VolumeType All is the default, stated here for clarity) and restarts the VM.
    # -Force suppresses the confirmation prompt so the function can run unattended.
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VMResourceGroup -AzureRmContext $context `
        -VMName $VMName `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId `
        -VolumeType All `
        -Force
}
# Sample values for this walkthrough; replace them with your own names.
$VMName = "testing"
$VMResourceGroup = "test"
$KeyVaultResourceGroup = "KeyVaultEncryptionrg"
$KeyVaultName = "KeyVaultEncrypTest"
$KeyEncryptionKey = "KeyEncryptionKey"
# Login-AzureRmAccount -Credential only works for accounts without MFA or federation;
# otherwise call Login-AzureRmAccount with no -Credential for an interactive sign-in.
$credential = Get-Credential
Login-AzureRmAccount -Credential $credential
Set-EncryptionInfrastructure -ManagementSubscriptionName "Pay-As-You-Go" -Location "northeurope" -KeyVaultResourceGroupName $KeyVaultResourceGroup -KeyVaultName $KeyVaultName -KeyEncryptionKey $KeyEncryptionKey
Set-VMDiskEncryption -ManagementSubscriptionName "Pay-As-You-Go" -KeyVaultResourceGroupName $KeyVaultResourceGroup -KeyVaultName $KeyVaultName -KeyEncryptionKey $KeyEncryptionKey -VMResourceGroup $VMResourceGroup -VMName $VMName
Once the script has executed, we can verify the KEK and the BEK secret in the key vault, and the encryption status of the VM's volumes with Get-AzureRmVMDiskEncryptionStatus.
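The following is an added example, not code from the original post, that performs that verification in one function and reports the three things worth checking: what the platform says about each volume, which secret and KEK URLs the VM actually references, and what is sitting in the vault. It reuses the variable names from the script above; the function name, and the assumption that the extension tags the BEK secret with a MachineName tag, are mine.

```powershell
# Added example, not from the original post: check the result of Set-EncryptionInfrastructure
# and Set-VMDiskEncryption. The function name and the MachineName tag assumption are not from
# the page; the cmdlets are from the AzureRm.Compute and AzureRm.KeyVault modules.
Function Get-VMDiskEncryptionReport {
    param(
        [Parameter(Mandatory)][String]$VMResourceGroup,
        [Parameter(Mandatory)][String]$VMName,
        [Parameter(Mandatory)][String]$KeyVaultName,
        [Parameter(Mandatory)][String]$KeyEncryptionKey
    )
    # 1. What the platform reports. OsVolumeEncrypted / DataVolumesEncrypted read Encrypted,
    #    NotEncrypted, or an in-progress state while the extension is still working.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $VMResourceGroup -VMName $VMName
    $settings = $status.OsVolumeEncryptionSettings

    # 2. What is in the vault. The KEK is a key object; the wrapped BEK is a secret written by the
    #    extension, which (assumption) tags it with the machine name so we can tell whose it is.
    $kek = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKey
    $bekSecrets = Get-AzureKeyVaultSecret -VaultName $KeyVaultName |
        Where-Object { $_.Tags -and $_.Tags['MachineName'] -eq $VMName }

    # 3. Cross-check: the KEK URL the VM references must be the versioned URL of the key we created.
    #    A mismatch means the VM was encrypted against a different key (or key version) than intended.
    $report = [PSCustomObject]@{
        VMName               = $VMName
        OsVolumeEncrypted    = $status.OsVolumeEncrypted
        DataVolumesEncrypted = $status.DataVolumesEncrypted
        ProgressMessage      = $status.ProgressMessage
        BekSecretUrl         = $settings.DiskEncryptionKey.SecretUrl
        KekUrl               = $settings.KeyEncryptionKey.KeyUrl
        KekUrlMatchesVault   = ($settings.KeyEncryptionKey.KeyUrl -eq $kek.Id)
        KekType              = $kek.Key.Kty
        KekEnabled           = $kek.Attributes.Enabled
        BekSecretsForVM      = @($bekSecrets).Count
    }
    if ($report.OsVolumeEncrypted -ne 'Encrypted') {
        Write-Warning "OS volume of $VMName is $($report.OsVolumeEncrypted): $($report.ProgressMessage)"
    }
    if (-not $report.KekUrlMatchesVault) {
        Write-Warning "$VMName references a KEK other than the current version of $KeyEncryptionKey"
    }
    $report
}

# Uses the variables defined by the script above.
Get-VMDiskEncryptionReport -VMResourceGroup $VMResourceGroup -VMName $VMName `
    -KeyVaultName $KeyVaultName -KeyEncryptionKey $KeyEncryptionKey
```

Run it again after any key rotation: ADE pins the KEK version in the VM's encryption settings, so a new KEK version in the vault does not protect the VM until Set-AzureRmVMDiskEncryptionExtension is re-run with the new key URL, and this report will show KekUrlMatchesVault as False until then.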