
Security does not depend solely on the cloud provider. Behind the administration of the environment there must be people with adequate technical and functional knowledge to avoid failures in the security of the systems. Microsoft Azure offers a good SLA, guaranteeing 99.9%, but that guarantee can be undermined if we do not correctly implement the resources and security controls in our Azure subscription.

One of the main reasons why Microsoft offers a comprehensive certification program is to ensure that the people responsible for managing Azure resources are prepared for the different situations that may arise in the environment and are able to handle the incidents that may appear.

For greater compliance and data protection, Azure allows us to encrypt both the operating system disks and the data disks of Windows virtual machines.

Disk encryption works with cryptographic keys that are stored, isolated and protected in Azure Key Vault.

Introduction

Both the operating system disks and the data disks of a Windows virtual machine in Azure are encrypted at rest using BitLocker. The keys are stored securely in Azure Key Vault and are used to encrypt and decrypt the disks attached to Azure virtual machines. In addition, disk encryption itself has no associated cost in Azure.

  • Encryption at rest
  • Greater compliance and data protection
  • BitLocker technology
  • Key storage in Azure Key Vault
  • Secure keystore
  • Disk encryption is free

Requirements and limitations on virtual machines

COMPATIBLE
  • New Windows virtual machines created from Azure Marketplace images or custom disk images
  • Existing Windows VMs in an Azure subscription
  • Windows virtual machines configured through Storage Spaces
  • Disabling encryption on the operating system disks and data disks of Windows virtual machines
  • Standard-tier virtual machine series, such as A, D, DS, G and GS

NOT COMPATIBLE
  • Basic-tier Windows virtual machines
  • Windows VMs created with the Azure Classic deployment model

Note: All resources created in Azure have to be part of the same subscription and region for encryption to work.

Hands-On Lab

I have configured the following resources in Azure to carry out this use case. For the laboratory, we will start from the following basis:

Resource                  Name
Resource Group            Cie-Rg
Virtual Machine           Cie-Vm
OS Disk                   Cie_OsDisk
Storage Account           CieSA
Network Interface         Cie-Nic
Public IP                 Cie-Ip
Network Security Group    Cie-Nsg
Virtual Network           Cie-VNet

Where the RESOURCE column contains the resources in Azure and the NAME column identifies the resource in this lab.

Create Azure Key Vault resource and cryptographic keys for encryption

We must make sure we have the latest version of the Azure PowerShell module installed.

The first thing is to create the Azure Key Vault resource, the place where the cryptographic keys will be stored securely. Azure Key Vault lets applications and services use keys without those keys ever leaving the vault. To encrypt the disks of Windows virtual machines in Azure, we create a Key Vault instance in which the cryptographic key is saved; that key is what allows the disk to be encrypted and decrypted.

We enable the Azure Key Vault resource provider in the Azure subscription with the Register-AzResourceProvider PowerShell cmdlet.

We set the variable $rgName to Cie-Rg (the name of the resource group we created for the lab) and $location to the region where the resources live. The following script enables the Azure Key Vault provider:

# Resource group and region used throughout the lab
$rgName = "Cie-Rg"
$location = "East US"
# Register the Key Vault resource provider in the current subscription
Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

The Azure Key Vault resource holds the cryptographic keys. The Key Vault, the storage account and the Windows virtual machine itself all have to be in the same region and subscription; otherwise encryption will not work. We create the Key Vault instance with the New-AzKeyVault cmdlet and enable it for use with disk encryption of Windows virtual machines. We give the vault a unique name in $keyVaultName as follows:

$keyVaultName = "myKeyVault$(Get-Random)"
New-AzKeyVault -Location $location `
-ResourceGroupName $rgName `
-VaultName $keyVaultName `
-EnabledForDiskEncryption

Save keys securely

The keys can be protected either by software or by a hardware security module (HSM). Software-protected keys can be stored in a standard Key Vault instance. To use HSM-protected keys, a premium Key Vault instance is required, which has an additional cost. To create a premium instance of Key Vault we must add the parameter -Sku "Premium" to the command in the previous step. In this lab we created a standard Key Vault, so software-protected keys are used and disk encryption has no associated cost.

With both software-protected and HSM-protected keys, the Azure platform must have access and permission to request the cryptographic keys when the Windows virtual machine starts so that it can decrypt the disks. We create a cryptographic key in the Key Vault instance with the Add-AzKeyVaultKey cmdlet. In the following example we create a key called myKey:

Add-AzKeyVaultKey -VaultName $keyVaultName `
-Name "myKey" `
-Destination "Software"

Steps to encrypt a Windows virtual machine in Azure

We encrypt the Windows virtual machine with the Set-AzVMDiskEncryptionExtension cmdlet, using the key stored securely in Azure Key Vault. The following example retrieves the Key Vault and key information and then encrypts the lab virtual machine, Cie-Vm:

# Look up the vault and collect the values the encryption extension needs
$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri
$keyVaultResourceId = $keyVault.ResourceId
# Key identifier (kid) of the key-encryption key created in the previous step
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid
# Enable Azure Disk Encryption on the VM; the disk encryption keys are stored in the
# vault and wrapped with the key-encryption key myKey
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
-VMName "Cie-Vm" `
-DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId `
-KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
-KeyEncryptionKeyVaultId $keyVaultResourceId

We accept the confirmation prompt to continue with the encryption of the Windows virtual machine. The virtual machine is restarted during the process. Once encryption is complete and the virtual machine has booted, we can check the encryption status with the Get-AzVMDiskEncryptionStatus cmdlet:

Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName "Cie-Vm"
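Checking a single VM by hand is fine for a lab, but in practice you want to know that every VM in the resource group stays encrypted and that the vault it depends on is still enabled for disk encryption. The following script is an added example, not part of the original lab; it assumes the Az module is installed, Connect-AzAccount has been run, and that you fill in the vault name you created above (the placeholder is not a real value).

```powershell
# Added example: audit Azure Disk Encryption across a resource group.
# Assumes an authenticated Az session; $rgName matches the lab, the vault
# name is a placeholder you must replace with the one created earlier.
$rgName       = "Cie-Rg"
$keyVaultName = "<your-key-vault-name>"   # placeholder, not a real vault

# 1. The vault must be enabled for disk encryption; if it is not, the
#    platform cannot fetch the keys at boot and encrypted VMs will not start.
$vault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
if (-not $vault.EnabledForDiskEncryption) {
    Write-Warning "Key Vault $keyVaultName is NOT enabled for disk encryption"
}

# 2. Report OS and data volume state for every VM in the group.
#    OsVolumeEncrypted / DataVolumesEncrypted report values such as
#    Encrypted, NotEncrypted, EncryptionInProgress, VMRestartPending or
#    NotMounted (data volumes, e.g. when the VM has no data disks).
$report = foreach ($vm in Get-AzVM -ResourceGroupName $rgName) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vm.Name
    [pscustomobject]@{
        VMName      = $vm.Name
        OsVolume    = $status.OsVolumeEncrypted
        DataVolumes = $status.DataVolumesEncrypted
        # A VM counts as compliant only when the OS volume is encrypted and
        # the data volumes are either encrypted or absent (NotMounted).
        Compliant   = ($status.OsVolumeEncrypted -eq 'Encrypted') -and
                      ($status.DataVolumesEncrypted -in 'Encrypted', 'NotMounted')
    }
}

$report | Format-Table -AutoSize

# 3. Surface anything that still needs attention (in progress counts as not
#    compliant until the restart completes and the status reads Encrypted).
$nonCompliant = $report | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    Write-Warning ("VMs not fully encrypted: " + ($nonCompliant.VMName -join ', '))
}
```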