Data Security with Azure Data Encryption
Private data sources should be encrypted with a Customer Managed Key (CMK) at the OS disk and data disk level.
Solution: Adding or enabling a Customer Managed Key (CMK) on the OS disk and data disks adds an additional layer of security to Azure Virtual Machine managed disks.
Alternative Solution: For Windows VMs, encryption is done with BitLocker, whereas for Linux VMs it is done with DM-Crypt; both are integrated with Azure Key Vault, which lets you manage the encryption keys.
Impact: High (Category: Security)
Benefits:
- High security and data encryption for temp disks, caches, and data flows between Compute and Storage resources.
- Resources encrypted with Customer Managed Key (CMK) cannot be moved to another resource group or another subscription.
Implementation & Timeline: 1 week (also depends on the number of resources in use across subscriptions)
Policy: Virtual Machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.
By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren't encrypted, and data isn't encrypted when flowing between compute and storage resources.
Implementation: Use Azure Disk Encryption to encrypt all your data.
Remediation steps:
👉 Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks
👉 Configure encryption with customer-managed keys stored in Azure Key Vault
Create an Azure Key Vault with purge protection enabled
Access configuration: Azure role-based access control
Resource access: grant access to the resource type Azure Virtual Machines for deployment
Enable public access and allow access from selected networks
Once created >> navigate to Objects >> Keys >> click Generate to create a key
Give the key a name and leave Key Type set to RSA and RSA Key Size set to 2048
Create a new disk encryption set in Azure
Navigate to the disk encryption set once it is deployed, and select the displayed alert.
This will grant your key vault permissions to the disk encryption set.
Enable customer-managed keys with SSE on Azure VM
Step 1: Select your target Azure Virtual Machine
Step 2: From the Settings pane >> select Disk
Step 3: From the Disk section select the VM OS Disk
Step 4: From the Settings pane >> select Encryption
Note: Changes to encryption settings can only be made when the disk is unattached or the managing virtual machine(s) are deallocated.
Step 5: From Encryption section >> select Encryption type Encryption at-rest with a customer-managed key >> select target disk encryption set >> save
Note: Once a customer-managed key is in use, you cannot revert the disk back to a platform-managed key.
Remediation steps to Disable Public Access of Key Vault
Step 1: Select the target VM >> copy the Virtual network and Subnet (used in step 3) >> OS Disk >> Encryption >> copy the disk encryption set name
Step 2: Open the copied disk encryption set >> go to Settings and Keys >> from Change key, copy the Key Vault name
Step 3: Open the Key Vault you copied >> from Settings select Networking >> select Allow public access from specific virtual networks and IP addresses >> add the allowed virtual networks so that resources connect to the vault securely.
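The CMK enablement steps above and the key vault hardening steps (purge protection, RBAC, restricted public access) can be verified after the fact from Azure CLI output. The following is an added example, not part of the original guidance or Microsoft's tooling: it reads constructed samples shaped like `az disk list -o json` and `az keyvault show -o json` output (resource IDs are placeholders) and reports disks still on a platform-managed key and vault settings that deviate from the steps above.

```python
import json

# Values Azure reports in a managed disk's "encryption.type" property when a
# customer-managed key (via a disk encryption set) protects the disk.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Constructed sample in the shape of `az disk list -o json` output, trimmed
# to the fields the check reads. Resource IDs are placeholders.
SAMPLE_DISKS = json.loads("""[
  {"name": "vm1-os",    "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "vm1-data0", "encryption": {"type": "EncryptionAtRestWithCustomerKey",
     "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
  {"name": "vm2-os",    "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
     "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}}
]""")

# Constructed sample in the shape of `az keyvault show -o json` output, trimmed.
SAMPLE_VAULT = json.loads("""{
  "name": "kv-disk-keys",
  "properties": {"enablePurgeProtection": true, "enableRbacAuthorization": true,
                 "publicNetworkAccess": "Enabled",
                 "networkAcls": {"defaultAction": "Allow"}}
}""")


def disks_without_cmk(disks):
    """Return names of disks still protected only by a platform-managed key."""
    return [d["name"] for d in disks
            if d.get("encryption", {}).get("type") not in CMK_TYPES]


def vault_findings(vault):
    """Return hardening gaps on the key vault backing the disk encryption set:
    purge protection, RBAC access model, and public network exposure."""
    p = vault.get("properties", {})
    findings = []
    if p.get("enablePurgeProtection") is not True:
        findings.append("purge protection disabled (a purged key makes CMK-encrypted disks unreadable)")
    if p.get("enableRbacAuthorization") is not True:
        findings.append("vault uses access policies instead of Azure RBAC")
    if p.get("publicNetworkAccess") != "Disabled" and \
            p.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append("vault reachable from all public networks")
    return findings
```

Replace the constructed samples with real CLI output to audit a subscription; an empty list from both functions means every disk uses a CMK and the vault matches the steps above.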
Disable Customer Managed Key (CMK) in Azure
If a customer managed key (CMK) is enabled for an Azure managed disk, you cannot disable it. To keep working with the data, you must copy all of it to a newly created managed disk that does not use customer-managed key encryption.
👉 Windows: Copy an Azure managed disk
👉 Linux: Copy an Azure managed disk