How to Encrypt Azure Data Sources with Customer Managed Key (CMK)?

Data Security with Azure Data Encryption

Private data sources should be encrypted with a Customer Managed Key (CMK) at the OS disk and data disk level.

Solution: Enabling a Customer Managed Key (CMK) on the OS disk and data disks adds a further layer of control over Azure Virtual Machine managed disks: the data is still encrypted at rest by the platform, but with a key that you own, rotate and can revoke in Azure Key Vault.

Alternative Solution: Azure Disk Encryption encrypts inside the guest OS. For Windows VMs it uses BitLocker; for Linux VMs it uses DM-Crypt. Both are integrated with Azure Key Vault, which stores and manages the encryption keys.

Impact: High (Category: Security)

Benefits: 

  • Data on OS and data disks is encrypted at rest with a key you own and can rotate or revoke; combined with encryption at host, the coverage extends to temp disks, caches, and data flowing between Compute and Storage resources.
  • Disks, snapshots and images encrypted with a Customer Managed Key (CMK) cannot be moved to another resource group or subscription, which keeps the encrypted data inside the scope where the key is controlled.

Implementation & Timeliness: 1 week (also depends on the number of resources in use across subscriptions)

Policy: Virtual Machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.

Implementation: Use Azure Disk Encryption or encryption at host to encrypt all of this data. Note that server-side encryption with a customer-managed key, as configured in the steps below, protects the OS and data disks at rest but does not by itself cover temp disks, caches or data in flight; encryption at host (or Azure Disk Encryption) is what satisfies this policy.

Remediation steps:

👉 Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks

👉 Configure encryption with customer-managed keys stored in Azure Key Vault

Create an Azure Key Vault with Purge protection Enabled

Access configuration: Azure role-based access control (RBAC)

Resource access: grant access to the resource type Azure Virtual Machines for deployment

Networking: enable public access and allow access from selected networks (this is tightened further in the key vault remediation steps below)

Once Created >> navigate to Objects >> Keys >> click on Generate to create a key

Give the key a name and leave Key Type set to RSA and RSA Key Size set to 2048

Create a new disk encryption set in Azure

Navigate to the disk encryption set once it is deployed, and select the displayed alert.

This grants the disk encryption set's managed identity permission to use the key in your key vault (wrap and unwrap only, not key management).

Enable customer-managed keys with server-side encryption (SSE) on an Azure VM

Step 1: Select your target Azure Virtual Machine

Step 2: From the Settings pane >> select Disks

Step 3: From the Disks section >> select the VM's OS disk

Step 4: From the disk's Settings pane >> select Encryption

note: Changes to encryption settings can only be made when the disk is unattached or the managing virtual machine(s) are deallocated.

Step 5: From Encryption section >> select Encryption type Encryption at-rest with a customer-managed key >> select target disk encryption set >> save

Note: Once a customer-managed key is in use on a disk, you cannot revert that disk to a platform-managed key.
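The same procedure as the portal steps above, written as an added Az PowerShell example (not code from the original page). It assumes the Az.Accounts, Az.KeyVault, Az.Compute and Az.Resources modules are installed, that Connect-AzAccount has been run as a user who can assign roles, and that the resource group, region, vault, key, disk encryption set and VM names below are placeholders to replace. Unlike the portal walk-through it also re-keys every data disk and verifies the result.

```powershell
# Added example (not from the original page). Placeholder names; replace before use.
$rg      = 'rg-cmk-demo'
$loc     = 'westeurope'
$kvName  = 'kv-cmk-demo-001'      # key vault names must be globally unique
$keyName = 'disk-cmk'
$desName = 'des-cmk-demo'
$vmName  = 'vm-cmk-demo'

# 1. Key Vault with purge protection and RBAC authorization (soft delete is always on).
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc `
        -EnablePurgeProtection -EnableRbacAuthorization

# Under RBAC the caller needs a data-plane role before it can create a key.
# Role assignments can take a minute to propagate.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Crypto Officer' `
    -Scope $kv.ResourceId | Out-Null

# 2. RSA 2048 key, matching the portal steps.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# 3. Disk encryption set with a system-assigned identity pointing at the key.
#    RotationToLatestKeyVersionEnabled lets disks follow new key versions automatically.
$desConfig = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $kv.ResourceId -KeyUrl $key.Id `
                -IdentityType SystemAssigned -EncryptionType EncryptionAtRestWithCustomerKey `
                -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig

# 4. The portal "alert" step: let the DES identity wrap/unwrap with the key.
#    This role carries no key-management rights (least privilege).
New-AzRoleAssignment -ObjectId $des.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -Scope $kv.ResourceId | Out-Null

# 5. Disks can only be re-keyed while detached or while the VM is deallocated.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$diskNames = @($vm.StorageProfile.OsDisk.Name) + @($vm.StorageProfile.DataDisks | ForEach-Object Name)

foreach ($d in $diskNames) {
    New-AzDiskUpdateConfig -EncryptionType EncryptionAtRestWithCustomerKey -DiskEncryptionSetId $des.Id |
        Update-AzDisk -ResourceGroupName $rg -DiskName $d | Out-Null
}
Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null

# 6. Verify: every disk must report the CMK encryption type and this DES.
foreach ($d in $diskNames) {
    $enc = (Get-AzDisk -ResourceGroupName $rg -DiskName $d).Encryption
    if ($enc.Type -ne 'EncryptionAtRestWithCustomerKey' -or $enc.DiskEncryptionSetId -ne $des.Id) {
        throw "Disk $d is not encrypted with $desName"
    }
    Write-Output "$d : $($enc.Type)"
}
```

The verification loop at the end is what you would wire into a compliance check: a disk that still reports EncryptionAtRestWithPlatformKey, or that points at a different disk encryption set, fails the control even though the VM boots normally.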

Remediation steps to Disable Public Access of Key Vault

Step 1: Select the target VM >> copy its virtual network and subnet (used in step 3) >> open the OS disk >> Encryption >> copy the disk encryption set name

Step 2: Open that disk encryption set >> Settings >> Keys >> under Change key, copy the key vault name

Step 3: Open the key vault you copied >> Settings >> Networking >> select Allow public access from specific virtual networks and IP addresses >> add the virtual network and subnet from step 1 so that only they can connect to the vault. Keep "Allow trusted Microsoft services to bypass this firewall" enabled, because the disk encryption set does not connect from inside your virtual network, and confirm the VM still starts afterwards: a disk whose key has become unreachable will fail to start.
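The same lockdown as an added Az PowerShell example (not code from the original page). It assumes Connect-AzAccount has been run, that the Az.Compute, Az.Network and Az.KeyVault modules are installed, and that the placeholder names match the vault and VM configured earlier. It resolves the VM's subnet from its NIC instead of copying it by hand, enables the Microsoft.KeyVault service endpoint that vault network rules require, and checks the VM still starts once the firewall is in place.

```powershell
# Added example (not from the original page). Placeholder names; replace before use.
$rg     = 'rg-cmk-demo'
$kvName = 'kv-cmk-demo-001'
$vmName = 'vm-cmk-demo'

# Step 1: resolve the VNet/subnet the VM actually uses from its primary NIC.
$vm         = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic        = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$subnetId   = $nic.IpConfigurations[0].Subnet.Id
$parts      = $subnetId -split '/'
$vnetRg     = $parts[4]     # .../resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}
$vnetName   = $parts[8]
$subnetName = $parts[10]

# Key Vault network rules require the Microsoft.KeyVault service endpoint on the subnet.
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$endpoints = (@($subnet.ServiceEndpoints | ForEach-Object Service) + 'Microsoft.KeyVault') | Select-Object -Unique
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Steps 2-3: deny by default, allow only that subnet, and keep the trusted Microsoft services
# bypass on, since the disk encryption set reaches the key from the platform, not from your VNet.
Update-AzKeyVaultNetworkRuleSet -VaultName $kvName -DefaultAction Deny -Bypass AzureServices `
    -VirtualNetworkResourceId $subnetId

# Show the resulting rule set, then prove the disk's key is still reachable by starting the VM.
(Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg).NetworkAcls
$result = Start-AzVM -ResourceGroupName $rg -Name $vmName
if ($result.Status -ne 'Succeeded') { throw "VM $vmName did not start after locking down $kvName" }
```

Start the VM from a deallocated state for this check; a running VM does not re-read the key, so only a fresh start exercises the path that the firewall change could have broken.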

Disable Customer Managed Key (CMK) in Azure

If a customer-managed key (CMK) is enabled on an Azure managed disk, it cannot be disabled in place. To move the data off CMK encryption you must copy it to an entirely new managed disk that isn't using customer-managed keys.

👉 Windows: Copy an Azure managed disk

👉 Linux: Copy an Azure managed disk
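The copy described above, as an added Az PowerShell example (not code from the original page or from the linked Microsoft articles). It assumes Connect-AzAccount has been run and uses placeholder names for the resource group, VM and new disk. The new disk is created without a disk encryption set, so it falls back to platform-managed keys, and it is then swapped in as the VM's OS disk; the same New-AzDiskConfig pattern applies to data disks, which are attached with Add-AzVMDataDisk instead of Set-AzVMOSDisk.

```powershell
# Added example (not from the original page). Placeholder names; replace before use.
$rg          = 'rg-cmk-demo'
$vmName      = 'vm-cmk-demo'
$newDiskName = 'vm-cmk-demo-osdisk-pmk'

# OS disk swap requires a deallocated VM.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$src = Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name

# Copy the disk with no DiskEncryptionSetId, so the copy uses platform-managed keys.
# Size, SKU and OS type are carried over from the source.
$cfg = New-AzDiskConfig -Location $src.Location -CreateOption Copy -SourceResourceId $src.Id `
          -SkuName $src.Sku.Name -DiskSizeGB $src.DiskSizeGB -OsType $src.OsType
$new = New-AzDisk -ResourceGroupName $rg -DiskName $newDiskName -Disk $cfg

# Confirm the encryption type actually changed before touching the VM.
$encType = (Get-AzDisk -ResourceGroupName $rg -DiskName $newDiskName).Encryption.Type
if ($encType -ne 'EncryptionAtRestWithPlatformKey') {
    throw "Copy $newDiskName reports $encType, not platform-managed encryption"
}

# Swap the OS disk and start the VM. The old CMK-encrypted disk is left in place
# so it can be deleted deliberately once the VM has been confirmed healthy.
Set-AzVMOSDisk -VM $vm -ManagedDiskId $new.Id -Name $new.Name | Out-Null
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
Start-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null
```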