Hi, We have several windows and linux azure VMs with disk encyrption being Platform managed keys. Around 100 disks How to collectively migrate those disks from Platform Managed Keys to Customer Managed Keys. We plan to store those CMK keys in CyberArk ? Is it possible ? Does azure support having the CMK Keys in CyberArk ?

@MS Techie I understand you have some disks and you wish to migrate the server side encryption keys from platform managed keys to customer managed keys. Please correct me if I am misunderstanding the issue. CMKs must be stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Module (HSM), as noted here . To convert from PMK to CMK on an attached disk, requires you to stop the VM. You can do this migration via portal , PowerShell , or CLI . Once you have the DiskEncryptionSet created you can go through a list of VMs, stop the VM, then enable CMK for the attached disks. It's best practice to create a backup before any change to encryption is performed. Hope this helps! Let me know if you still have questions or need further assistance. Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Migrate Platform Managed Keys to Customer Managed keys

MS Techie 2,681

Hi,

We have several windows and linux azure VMs with disk encyrption being Platform managed keys. Around 100 disks

How to collectively migrate those disks from Platform Managed Keys to Customer Managed Keys.
We plan to store those CMK keys in CyberArk ? Is it possible ? Does azure support having the CMK Keys in CyberArk ?

1 answer

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-01-30T21:24:41.5833333+00:00

@MS Techie

I understand you have some disks and you wish to migrate the server side encryption keys from platform managed keys to customer managed keys. Please correct me if I am misunderstanding the issue.

CMKs must be stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Module (HSM), as noted here. To convert from PMK to CMK on an attached disk, requires you to stop the VM. You can do this migration via portal, PowerShell, or CLI. Once you have the DiskEncryptionSet created you can go through a list of VMs, stop the VM, then enable CMK for the attached disks. It's best practice to create a backup before any change to encryption is performed.

Hope this helps! Let me know if you still have questions or need further assistance.

Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
MS Techie 2,681 Reputation points

2023-01-31T06:12:56.0966667+00:00

Hi @deherman-MSFT

We plan to store those CMK keys in CyberArk ? Is it possible ? Does azure support having the CMK Keys in CyberArk ?

Can we use one DiskEncryptionSet for several disks ?

Please advise

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-01-31T17:34:32.2833333+00:00

To use the CMK they must be stored in Key Vault. It is possible to import your keys from a supported HSM, but I don't see that CyberArk is listed.
Yes, DiskEncryptionSet is meant for multiple disks.

MS Techie 2,681 Reputation points

2023-02-01T07:04:23.9166667+00:00

Hi @deherman-MSFT

i read and understood that HSM is physical device used to store CMK keys... but. .. is it a physical hardware device that we can keep with ourselves ? How do we get that HSM device ?

What kind of disks can be migrated from PMK to CMK ? Is there any supported image types ?

can you please give URL which talks about implmenting HSM approach for PMK to CMK migration ?

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-02-01T22:27:14.5066667+00:00

Apologies for the confusion, while it is possible to import keys from the on-premise HSM to Azure Key vault, the keys cannot be used if directly stored in the HSM.

There are certain restrictions listed here, all image types should be supported. One important one: "Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys."

The only supported HSM method is Azure Key Vault Managed HSM.

MS Techie 2,681 Reputation points

2023-02-02T09:06:12.38+00:00

Usually while preparing master key , there will be atleast 2 people who will have different passwords and create it . How is it handled in CMK keys . who are the 2 actors ?

What is the procedure for migrating from PMK to CMK for disks , if i want to use Azure Key Vault with Managed HSM with needs premium SKU KeyVault. Do i need to create the DiskEncryptionSet for HSM Managed Azure Key Vault ( if i dont want to import key from onprem HSM) ?

Please let me know if my below understanding is correct ?

Also whatever keys we generate via the Azure Key vault (standard and premium SKUs) are called as software protected keys.

and the keys we generate from on-prem HSM are called as HSM-protected keys . ALso we can import HSM protected keys to Azure Vault Premium SKU.

MS Techie 2,681 Reputation points

2023-02-06T10:06:14.62+00:00

Hi @deherman-MSFT , i am waiting reply from your side for my above questions in earlier comment . i am repeating the same questions here for you again

Usually while preparing master key , there will be atleast 2 people who will have different passwords and create it . How is it handled in CMK keys . who are the 2 actors ?

What is the procedure for migrating from PMK to CMK for disks , if i want to use Azure Key Vault with Managed HSM with needs premium SKU KeyVault. Do i need to create the DiskEncryptionSet for HSM Managed Azure Key Vault ( if i dont want to import key from onprem HSM) ?

Please let me know if my below understanding is correct ? (written in bold and italicized)

Also whatever keys we generate via the Azure Key vault (standard and premium SKUs) are called as software protected keys.

and the keys we generate from on-prem HSM are called as HSM-protected keys . ALso we can import HSM protected keys to Azure Vault Premium SKU.

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-02-06T17:49:24.9066667+00:00

Apologies for the delay while I was investigating this.

The customer is the primary actor in the key generation process. They specify the parameters for the key and initiate the key generation process. Azure Key Vault is the secondary actor, as it uses the HSM to generate the key and stores it securely.

The procedures for using Azure Key Vault Managed HSM and Key Vault are the same and you need to setup DiskEncryptionSet. You can encrypt an existing disk with either PowerShell or CLI.

Also whatever keys we generate via the Azure Key vault (standard and premium SKUs) are called as software protected keys.
This is not correct. For premium tier you can create and store HSM-protected keys. More info on the About Keys page. and the keys we generate from on-prem HSM are called as HSM-protected keys . ALso we can import HSM protected keys to Azure Vault Premium SKU.
Correct. Information about BYOK can be found here.

MS Techie 2,681 Reputation points

2023-02-09T12:12:12.12+00:00

Hi @deherman-MSFT

1)Can you please share any architecture references of integrating on-prem HSM to Azure Keyvault HSM.

2)when we migrate from PMK to CMK , are there any cases , where the VMs fails to startup . If in such a failure situation, can we change the disk encryption back from CMK to PMK . Should we backup the VMs as a safety mechanism while performing the migration from PMK to CMK ?

3)For azure disks, can we say that Customer Managed Disks is more secure than PMK ? Yes or No

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-02-13T18:40:06.6366667+00:00

There is not any architecture references that I am aware of. The integration is that you can import the key from your on premise HSM using BYOK.

I am not aware of any common issues that would cause the VM to fail to start. If CMK is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn’t using customer-managed keys. Yes, you should backup disks before

CMK provides additional security features such as the ability to rotate keys, revoke keys, and audit key usage. Additionally, with CMK, you have full control over the key lifecycle and can use your own key management processes. So, it depends on your organization's security requirements and compliance needs. If you have strict security and compliance requirements, then CMK may be a better option for you. But if you don't have strict security and compliance requirements, then PMK may be a good option for you.

MS Techie 2,681 Reputation points

2023-02-15T15:15:19.7433333+00:00

When we migrate from pmk to cmk keys, do you recommend that we take backup of azure VM as a precaution, so that we can restore it back ) ? ( Just in case, there is migration failure or any kind of disaster scenario)

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-02-16T20:35:37.7566667+00:00

Yes, please do take a backup before making changes.

MS Techie 2,681 Reputation points

2023-02-20T09:22:22.9633333+00:00

Hi @deherman-MSFT

When we migrate from PMK to CMK for azure disks, we have option to store keys in azure Key vault (Software or Managed HSM az key vault). Now if it is not Managed HSM key vault , then the key is stored in azure key vault ... so it is still under the boundary control of Azure. So azure can tamper with it . How can we protect from this ?

MS Techie 2,681 Reputation points

2023-02-27T13:34:38.5566667+00:00

Hi @deherman-MSFT , i am repeating my earlier comment here. Please answer it

When we migrate from PMK to CMK for azure disks, we have option to store keys in azure Key vault (Software or Managed HSM az key vault). Now if it is not Managed HSM key vault , then the key is stored in azure key vault ... so it is still under the boundary control of Azure. So azure can tamper with it . How can we protect from this ?

Also does VM Generation 1 or Generation 2 , have any impact on migrating from PMK to CMK ?

deherman-MSFT 33,626 Reputation points Microsoft Employee

2023-02-27T19:08:33.8466667+00:00

Azure doesn't tamper with customer keys. Azure Key Vault is designed so that Microsoft does not see or extract your data. Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access.
There is no restriction on the VM Generation for CMK.

MS Techie 2,681 Reputation points

2023-02-28T12:32:11.48+00:00

Hi @deherman-MSFT

How can you say that Azure does not tamper with the Azure Key Vault ? .Because key vault is placed in microsoft azure datacenters.

Given me a technical/convincing explanation to this please .
Sign in to comment