know if key vault is platform or customer managed

Lynette Patterson 1 Reputation point
2020-11-10T14:24:08.457+00:00

How do I tell if a VM, or a backup is encrypted using a platform managed or a customer-managed key vault? I have a client who has multiple VMs, and uses Azure to backup in a different region and has established at least 1 key vault. How do I tell what the key vault manages to verify they are compliant with their own encryption standards?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,315 questions
{count} votes

1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,636 Reputation points Microsoft Employee
    2020-11-10T23:18:55.4+00:00

    @Lynette Patterson
    Thank you for your questions!

    • Storage Service Encryption with Platform Managed Keys (SSE with PMK), is the default encryption of all managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys.
    • Storage Service Encryption with Customer Managed Keys (SSE with CMK), is used to manage encryption at the level of each managed disk, with your own keys.
    • Azure Disk Encryption (ADE), uses the Bitlocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

    The easiest way to figure out encryption status of a disk (OS and data) is by going to the VM itself.
    Select your VM -> Disks
    38893-image.png

    However, as you stated, your client has multiple VMs, therefore you can search for "Virtual Machines" in the search bar -> Filter columns by "Disk Encryption"
    **This will show you if a VM is encrypted, which indicates that the OS attached to that VM is encrypted with ADE
    38917-image.png

    Keep in mind that all your data disks will be encrypted with SSE with PMK by default. However, when it comes to managed disk encryption (both OS and data), if you enabled SSE with CMK, you can simply navigate to your disk encryption set -> Select resources
    **This will show all your disks that are encrypted with CMK, both OS and data disk.
    38874-image.png

    When it comes to finding out what Key Vault was used, you'll have to:

    Azure Disk Encryption: Figure out what Key Vault was specified within the encryption script. Or open up each BEK and open the Tags associated with that BEK.
    SSE with PMK: You can figure out what Key Vault was used by going to your Disk Encryption set and selecting "Key"
    38864-image.png

    I hope this helps! If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.