|   Trend Micro Cloud One™
Open menu

Use BYOK for Disk Volumes Encryption

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: High (not acceptable risk)
Rule ID: VirtualMachines-008

Ensure that your Azure virtual machine disk volumes are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for disk encryption), in order to have a more granular control over your VM data encryption/decryption process.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When you create and use your own customer-managed keys with Azure VM disk volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your volumes.

Audit

To determine if your Azure virtual machine disk volumes are encrypted with customer-managed keys, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines (VMs) deployed within the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected Azure VM.

07 On the Disks overview page, check the encryption status set for each disk volume attached, available in the Encryption column. If the encryption status is set to Not enabled, the attached disk volumes are not encrypted, therefore you can follow the steps outlined in this conformity rule to enable encryption at rest. If the status is set to Enabled, continue the audit process with the next step.

08 Click on Encryption button from the panel main menu to access the encryption configuration settings for the disk volumes attached.

09 On the Encryption page, check the Key and the Version configuration fields. If these fields are empty, the Azure Disk Encryption (ADE) service is using a service-managed key instead of a customer-managed key (i.e. Bring Your Own Key - BYOK) to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.

10 Repeat steps no. 5 – 9 for each Azure virtual machine available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned in the current subscription:

az vm list
    --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-development-vm"
]

03 Run vm encryption show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter to describe the encryption key used for encrypting the disk volume(s) attached to the selected virtual machine:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

04 The command output should return the requested configuration metadata:

[]

If the command output returns the following message: "Azure Disk Encryption is not enabled", the attached disk volumes are not encrypted, therefore you can follow the steps outlined in this conformity rule to enable encryption at rest. If the vm encryption show command output returns an empty array (i.e. []), as shown in the example above, the disk volumes attached to the selected Microsoft Azure virtual machine are encrypted using a service-managed key instead of a customer-managed key (BYOK) to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.

05 Repeat step no. 3 and 4 for each Azure virtual machine launched in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To configure Azure Disk Encryption (ADE) service to encrypt your Azure virtual machine disk volumes using your own customer-managed key (also known as Bring Your Own Key - BYOK), perform the following actions:

Note: Azure disk encryption is not currently supported by Basic, A-series VMs. Check the Azure documentation to determine if your virtual machines (VMs) have the minimum memory requirements for disk encryption.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the customer-managed key (BYOK).

03 On the Create key vault page, perform the following:

  1. On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
  2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure Disk Encryption to retrieve secrets from the vault and unwrap encryption keys. Click Next : Virtual network > to continue the vault setup process.
  3. On the Virtual network panel, configure the network access control for the new key vault. Click Next : Tags > to continue.
  4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Click Next : Review + create > to continue the setup.
  5. On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.

04 Click on the name of the newly created Microsoft Azure Key Vault.

05 In the navigation panel, under Settings, select Keys, then click Generate/Import button to create the customer-managed key required for VM disk volumes encryption.

06 On the Create a key panel, in the Name box, provide a unique name for your new encryption key, choose an activation and/or expiration date for the resource, then click Create to generate your new customer-managed key (BYOK).

07 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

08 Choose the Azure subscription that you want to access from the Subscription filter box.

09 From the Type filter box, select Virtual machine to list the virtual machines provisioned in the selected subscription.

10 Click on the name of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM).

11 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the selected Azure VM.

12 On the Disks page, click Encryption to access the encryption configuration settings for the attached volumes.

13 On the Encryption page, select OS and data disks from Disks to encrypt dropdown list and use Select a key vault and key for encryption link to select the Azure Key Vault and the BYOK encryption key created earlier in the remediation process. Click Save to apply the configuration changes and enable disk encryption with BYOK. Azure Disk Encryption (ADE) service will use the new customer-managed key to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.

14 If required, repeat steps no. 10 – 13 for other virtual machines (VMs) available in the selected subscription.

15 Repeat steps no. 2 – 14 for each subscription created in your Microsoft Azure cloud account.

Using Azure Console

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (BYOK) will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support:

az keyvault create
    --name cc-prod-key-vault
    --resource-group cloud-shell-storage-westeurope
    --location westeurope
    --enable-soft-delete true
    --enable-purge-protection true
    --enabled-for-disk-encryption true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault",
  "location": "westeurope",
  "name": "cc-prod-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-prod-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create the customer-managed key (Bring Your Own Key - BYOK), required to encrypt your Azure virtual machine disk volume(s):

az keyvault key create
    --name cc-prod-byok-key
    --vault-name cc-prod-key-vault
    --kty RSA
    --size 2048
    --ops decrypt encrypt sign unwrapKey verify wrapKey
    --expires "2020-10-29T10:30:00Z"
    --protection software
    --disabled false

04 The command output should return the configuration metadata for the new encryption key:

{
  "attributes": {
    "created": "2019-10-29T12:55:52+00:00",
    "enabled": true,
    "expires": "2020-10-29T10:30:00+00:00",
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2019-10-29T12:55:52+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "kid": "https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": " ... ",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

05 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) as identifier parameter, to enable encryption at rest for the disk volume(s) attached to the selected virtual machine, using the customer-managed key (i.e. BYOK) created at the previous steps:

az vm encryption enable
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --disk-encryption-keyvault cc-prod-key-vault
    --key-encryption-key cc-prod-byok-key
    --key-encryption-keyvault cc-prod-key-vault
    --volume-type ALL

06 If the command request was successful, the command output should return a confirmation message, such as:

The encryption request was accepted. Please use 'show' command to monitor the progress.

07 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured Azure virtual machine (VM) as identifier parameter to confirm the encryption status by listing the URL of the customer-managed key used for disk volumes encryption:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
    --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

08 The command output should return the requested customer-managed key (BYOK) URL:

[
"https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd"
]

09 If required, repeat steps no. 5 – 8 for other Azure virtual machines available within the selected subscription.

10 Repeat steps no. 1 – 9 for each subscription available in your Microsoft Azure cloud account.

References

Publication date Jun 24, 2020

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Use BYOK for Disk Volumes Encryption

Risk level: High