Use BYOK for Disk Volumes Encryption

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines (VMs) deployed within the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected Azure VM.

07 On the Disks overview page, check the encryption status set for each disk volume attached, available in the Encryption column. If the encryption status is set to Not enabled, the attached disk volumes are not encrypted, therefore you can follow the steps outlined in this conformity rule to enable encryption at rest. If the status is set to Enabled, continue the audit process with the next step.

08 Click on Encryption button from the panel main menu to access the encryption configuration settings for the disk volumes attached.

09 On the Encryption page, check the Key and the Version configuration fields. If these fields are empty, the Azure Disk Encryption (ADE) service is using a service-managed key instead of a customer-managed key (i.e. Bring Your Own Key - BYOK) to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.

10 Repeat steps no. 5 – 9 for each Azure virtual machine available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned in the current subscription:

az vm list
    --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-development-vm"
]

03 Run vm encryption show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter to describe the encryption key used for encrypting the disk volume(s) attached to the selected virtual machine:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

04 The command output should return the requested configuration metadata:

[]

05 Repeat step no. 3 and 4 for each Azure virtual machine launched in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the customer-managed key (BYOK).

03 On the Create key vault page, perform the following:

1. On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure Disk Encryption to retrieve secrets from the vault and unwrap encryption keys. Click Next : Virtual network > to continue the vault setup process.
3. On the Virtual network panel, configure the network access control for the new key vault. Click Next : Tags > to continue.
4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Click Next : Review + create > to continue the setup.
5. On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.

04 Click on the name of the newly created Microsoft Azure Key Vault.

05 In the navigation panel, under Settings, select Keys, then click Generate/Import button to create the customer-managed key required for VM disk volumes encryption.

06 On the Create a key panel, in the Name box, provide a unique name for your new encryption key, choose an activation and/or expiration date for the resource, then click Create to generate your new customer-managed key (BYOK).

07 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

08 Choose the Azure subscription that you want to access from the Subscription filter box.

09 From the Type filter box, select Virtual machine to list the virtual machines provisioned in the selected subscription.

10 Click on the name of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM).

11 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the selected Azure VM.

12 On the Disks page, click Encryption to access the encryption configuration settings for the attached volumes.

13 On the Encryption page, select OS and data disks from Disks to encrypt dropdown list and use Select a key vault and key for encryption link to select the Azure Key Vault and the BYOK encryption key created earlier in the remediation process. Click Save to apply the configuration changes and enable disk encryption with BYOK. Azure Disk Encryption (ADE) service will use the new customer-managed key to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.

14 If required, repeat steps no. 10 – 13 for other virtual machines (VMs) available in the selected subscription.

15 Repeat steps no. 2 – 14 for each subscription created in your Microsoft Azure cloud account.

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (BYOK) will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support:

az keyvault create
    --name cc-prod-key-vault
    --resource-group cloud-shell-storage-westeurope
    --location westeurope
    --enable-soft-delete true
    --enable-purge-protection true
    --enabled-for-disk-encryption true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault",
  "location": "westeurope",
  "name": "cc-prod-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-prod-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create the customer-managed key (Bring Your Own Key - BYOK), required to encrypt your Azure virtual machine disk volume(s):

az keyvault key create
    --name cc-prod-byok-key
    --vault-name cc-prod-key-vault
    --kty RSA
    --size 2048
    --ops decrypt encrypt sign unwrapKey verify wrapKey
    --expires "2020-10-29T10:30:00Z"
    --protection software
    --disabled false

04 The command output should return the configuration metadata for the new encryption key:

{
  "attributes": {
    "created": "2019-10-29T12:55:52+00:00",
    "enabled": true,
    "expires": "2020-10-29T10:30:00+00:00",
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2019-10-29T12:55:52+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "kid": "https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": " ... ",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

05 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) as identifier parameter, to enable encryption at rest for the disk volume(s) attached to the selected virtual machine, using the customer-managed key (i.e. BYOK) created at the previous steps:

az vm encryption enable
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --disk-encryption-keyvault cc-prod-key-vault
    --key-encryption-key cc-prod-byok-key
    --key-encryption-keyvault cc-prod-key-vault
    --volume-type ALL

06 If the command request was successful, the command output should return a confirmation message, such as:

The encryption request was accepted. Please use 'show' command to monitor the progress.

07 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured Azure virtual machine (VM) as identifier parameter to confirm the encryption status by listing the URL of the customer-managed key used for disk volumes encryption:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

08 The command output should return the requested customer-managed key (BYOK) URL:

[
"https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd"
]

09 If required, repeat steps no. 5 – 8 for other Azure virtual machines available within the selected subscription.

10 Repeat steps no. 1 – 9 for each subscription available in your Microsoft Azure cloud account.