My issue
I try to understand how VM Disk Encryption work on Azure VM.
I have a Key Vault and a Disk Encryption set configured
What I did - 1
I create a VM with a disk selecting Encryption type = Encryption at rest with a custom managed key.
I select my Key Encryption set.
Portal confirms by displaying SSE with CMK in VM/Disks.
But:
Get-AzVMDiskEncryptionStatus says OS volume and DataVolumes are NotEncrypted.
What I did - 2
I create another VM, but this time I go to VM/Disks/Additional Settings and select Disk to encrypt.
This time the only option is a Key Vault, not a Disk Encryption Set.
I select OS and Data Disks.
Portal says:
This time, Get-AzVMDiskEncryptionStatus says:
My questions
What is the difference between the two methods?
Why Get-AzVMDiskEncryptionStatus return so un expected results?
To answer your questions:
There are Server-side encryption and Azure disk encryption. The first one of what you did is the Server-side encryption and the second one is Azure Disk encryption.
Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data. Azure Storage Encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, are not encrypted through Azure Storage. When you enable encryption at the host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. After enabling encryption at the host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at the host encrypts your data from end-to-end.
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more information, read here.
It's expected. The Get-AzureRmVMDiskEncryptionStatus cmdlet gets the encryption status of the virtual machine. It displays the encryption status of the operating system and data volumes. This does not get server-side encrytion status.
Related
My requirement is to encrypt newly added files in data lake storage container. For this I am creating an event grid that will trigger when a new file is added to a specified container. On the end side, I want to create a function that will encrypt the file that was added.
How to write code to create that function? or is there any alternate way?
Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.
Infrastructure encryption can be enabled for the entire storage account, or for an encryption scope within an account. When infrastructure encryption is enabled for a storage account or an encryption scope, data is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys.
Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview). Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key.
https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal
I have a compliance activity to encrypt my Azure Service Bus premium to encrypt using a customer-managed key. However, Microsoft documentation states that the namespace must be devoid of queues, topics, and data. My ASB has data, up and running. I cannot afford to downtime to delete queues, enable encryption, and then continue. Are there any other options?
If you check this Configure customer-managed keys for encrypting Azure Service Bus document then you will find that -
Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption. Service Bus Premium uses Azure Storage to store the data. All the data that's stored with Azure Storage is encrypted using Microsoft-managed keys.
And it also has a limitation as you mentioned int the question that the encryption can only be enabled for new or empty namespaces. If the namespace contains any queues or topics, then the encryption operation will fail. There is no other option.
So we have the two type of encryption as follows -
Encryption at Rest -
Azure ensures the disks used in persisting the messages are encrypted either with Microsoft Managed Keys (which is the default) or customers managed keys to encrypt the disks.
Encryption in Transit -
This is basically protecting the medium which is used to transmit the data from point-to-point. A classic of this would be TLS/SSL encryption in Azure being used to encrypt the data transmitted.
For more information read the best practices in Securing Azure Service Bus and Encrypt Azure Service Bus Data at REST using User Keys documents.
I want to implement end to end encryption for my azure vm. According to the documentation encryption at host is the solution for data encryption at rest on a host machine. The other option is possibly Azure Disk Encryption.
The solutions are mutually exclusive:
Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
The question is what are similarities and differences between both solutions and what are the arguments to use one instead of the other.
There are significant differences in the operation of both technologies. The two cannot both be used simultaneously on the same resources/VMs.
Azure Disk Encryption:
In more of less words, this is encryption at rest on the disks connected to your VM. OS and Data. It works with BitLocker on Windows and Linux machines and stores encryption keys and secrets within Azure Key Vault.
There are also restrictions on the VM SKUs that are supported. There are additional restrictions to review.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
Encryption at host:
Encryption starts and happens on data processed by the host VM itself. The encrypted processed data is then sent back to the storage location – disk, table, blob – and then stored in its encrypted format. Therefore, the data processed and shared between the VM and its disks or other storage counterparts are encrypted, including in-transit.
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal
Note the list of supported VM sizes. There does remain a significant amount of limitations for host-based encryption.
Your subscription also needs to have this feature enabled by requesting it through the Azure Portal. Instructions are in the link provided under Prerequisites.
Can I perform Virtual Machine disk encryption for unman aged disk through power shell or ARM template
You can perform Virtual Machine disk encryption for unmanaged disk through PowerShell or template, also Azure CLI.
You can upload the encrypted VHD to your storage account and the encryption key material to your key vault. Then, provide the encryption configuration to enable encryption on a new Azure VM. For details about the steps follow Encryption workflow. And the command example here.
We have migrated our Azure Classic storage accounts to Azure Resource Manager storage accounts. We migrated just under a week ago and data which wasn't encrypted before is still not encrypted.
We were under the impression that after migrating there would be a background task which would go through and encrypt any data in the storage account which was not already encrypted.
Is this true?
Yes, it is true. Data stored in the storage account prior to enabling the Storage Service Encryption will retroactively get encrypted. The data may not be immediately encrypted but the system background encryption process will encrypt the data, and it may take months for the process to encrypt the data.