My requirement is to encrypt newly added files in data lake storage container. For this I am creating an event grid that will trigger when a new file is added to a specified container. On the end side, I want to create a function that will encrypt the file that was added.
How to write code to create that function? or is there any alternate way?
Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.
Infrastructure encryption can be enabled for the entire storage account, or for an encryption scope within an account. When infrastructure encryption is enabled for a storage account or an encryption scope, data is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys.
Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview). Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key.
https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal
Related
Azure SQL Server provides data encrypted at rest. Can someone help to find what is the encryption standard and version that it uses to achieve this
Transparent data encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure Synapse Analytics data files. This encryption is known as encrypting data at rest.
TDE does real-time I/O encryption and decryption of data and log files. The encryption uses a database encryption key (DEK). The database boot record stores the key for availability during recovery. The DEK is a symmetric key. It's secured by a certificate that the server's master database stores or by an asymmetric key that an EKM module protects.
TDE protects data at rest, which is the data and log files. It lets you follow many laws, regulations, and guidelines established in various industries. This ability lets software developers encrypt data by using AES and 3DES encryption algorithms without changing existing applications.
In Azure, the default setting for TDE is that the DEK is protected by
a built-in server certificate. The built-in server certificate is
unique for each server and the encryption algorithm used is AES 256.
You can find other applicable TDE approach here.
There are three scenarios for server-side encryption:
Server-side encryption using Service-Managed keys
Server-side encryption using customer-managed keys in Azure Key Vault
Server-side encryption using customer-managed keys on customer-controlled hardware
The Azure SQL Server supports all the scenarios, based upon your feasibility and requirement. Check the detailed description here.
I have a compliance activity to encrypt my Azure Service Bus premium to encrypt using a customer-managed key. However, Microsoft documentation states that the namespace must be devoid of queues, topics, and data. My ASB has data, up and running. I cannot afford to downtime to delete queues, enable encryption, and then continue. Are there any other options?
If you check this Configure customer-managed keys for encrypting Azure Service Bus document then you will find that -
Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption. Service Bus Premium uses Azure Storage to store the data. All the data that's stored with Azure Storage is encrypted using Microsoft-managed keys.
And it also has a limitation as you mentioned int the question that the encryption can only be enabled for new or empty namespaces. If the namespace contains any queues or topics, then the encryption operation will fail. There is no other option.
So we have the two type of encryption as follows -
Encryption at Rest -
Azure ensures the disks used in persisting the messages are encrypted either with Microsoft Managed Keys (which is the default) or customers managed keys to encrypt the disks.
Encryption in Transit -
This is basically protecting the medium which is used to transmit the data from point-to-point. A classic of this would be TLS/SSL encryption in Azure being used to encrypt the data transmitted.
For more information read the best practices in Securing Azure Service Bus and Encrypt Azure Service Bus Data at REST using User Keys documents.
My issue
I try to understand how VM Disk Encryption work on Azure VM.
I have a Key Vault and a Disk Encryption set configured
What I did - 1
I create a VM with a disk selecting Encryption type = Encryption at rest with a custom managed key.
I select my Key Encryption set.
Portal confirms by displaying SSE with CMK in VM/Disks.
But:
Get-AzVMDiskEncryptionStatus says OS volume and DataVolumes are NotEncrypted.
What I did - 2
I create another VM, but this time I go to VM/Disks/Additional Settings and select Disk to encrypt.
This time the only option is a Key Vault, not a Disk Encryption Set.
I select OS and Data Disks.
Portal says:
This time, Get-AzVMDiskEncryptionStatus says:
My questions
What is the difference between the two methods?
Why Get-AzVMDiskEncryptionStatus return so un expected results?
To answer your questions:
There are Server-side encryption and Azure disk encryption. The first one of what you did is the Server-side encryption and the second one is Azure Disk encryption.
Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data. Azure Storage Encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, are not encrypted through Azure Storage. When you enable encryption at the host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. After enabling encryption at the host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at the host encrypts your data from end-to-end.
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more information, read here.
It's expected. The Get-AzureRmVMDiskEncryptionStatus cmdlet gets the encryption status of the virtual machine. It displays the encryption status of the operating system and data volumes. This does not get server-side encrytion status.
Where can we store the pfx certificate in azure so that we can get the private and public key in secure mode using java application whenever we need it.
Use Azure Key Vault to store the certifice
Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data:
Cryptographic keys: Supports multiple key types and algorithms, and enables the use of Hardware Security Modules (HSM) for high value keys.>
Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature.
Azure Storage: Can manage keys of an Azure Storage account for you. Internally, Key Vault can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys periodically.
https://learn.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates
Access Key Vault with Java
http://www.stratogator.com/2017/10/20/how-to-access-secrets-in-azure-key-vault-using-java/
I deploy Asp.Net Core web app and I need to build a storage for private keys of my clients (it is a lot of values). What should I use: Azure Key Vault or Data Protection APIs?
The second seems more easy to programming, however there is information from docs:
The ASP.NET Core data protection APIs are not primarily intended for
indefinite persistence of confidential payloads...
But I need to store keys long-term.
If you're using the keys to protect data for long term storage, I would advise you to use Azure Key vault.
Azure Key vault is a high availability service designed for storage of secrets and keys. Keys and secrets are automatically copied to Key vault instances in multiple regions and easily backed up securely using PowerShell cmdlets. You can store them in an HSM if you are dealing with highly sensitive data.
The Data Protection APIs are more designed to protect local or ephemeral data.
You should use Azure Key Vault to store your keys. The Data Protection API is always used in your application, for example it is used to encrypt and secure your session cookie.
But don't forget that you also do need to configure and store the data protection keys in a secure place. If you don't do it properly, then uses might be kicked out of your site when you redeploy.
See this document for more details:
Key storage providers in ASP.NET Core
If you do want to store the Data Protection Key ring in AKZ, then check out my implementation here:
Storing the ASP.NET Core Data Protection Key Ring in Azure Key Vault