How can I unlock an AIX encrypted volume with a key stored on Azure Key Vault?

Matthew Nakama 0 Reputation points
2024-09-13T15:54:50.0033333+00:00

Hello, I'd like to know if it's possible to manage AIX (and IBM i) encryption keys via Azure Key Vault. Is it possible with AIX hdcryptmgr or keysvrmgr? I'm having trouble finding documentation on how to do this. I did find Linux documentation, but it just says that Azure will handle it automatically, without any info on how one would configure dm-crypt to query the keys from Key Vault.

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

2 answers

  1. hossein jalilian 8,080 Reputation points
    2024-09-13T16:33:45.32+00:00

    Hello Matthew Nakama,

    Thanks for posting your question in the Microsoft Q&A forum.

    You would need to:

    1. Develop a custom application or script that can authenticate to Azure Key Vault using appropriate credentials and retrieve keys from Azure Key Vault, and pass those keys to the AIX or IBM i encryption tools.
    2. Ensure secure communication between your on-premises systems and Azure Key Vault, likely involving VPN or ExpressRoute connections.
    3. Implement proper key rotation and management practices that work with both Azure Key Vault and your AIX/IBM i systems.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-09-16T07:35:02.88+00:00

    Hello Matthew Nakama,

    Greetings! Welcome to Microsoft Q&A Forum.

    Yes, you can store and manage the encryption keys via Azure Key Vault. The first article describes in depth how customer-managed keys work, whereas the second does the same for customer-provided keys.

    When you use a customer-managed key you are indicating a key stored in Azure Key Vault that you want to use to encrypt/decrypt data in a storage account.

    Under the hood, this key will be used to encrypt/decrypt the key that in turn will be used to actually encrypt/decrypt the data in your storage account.

    This process will be performed transparently every time you interact with your storage account.

    [diagram: 211152-image.png]

    The following list explains the numbered steps in the diagram:

    1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.
    2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
    3. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure AD.
    4. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.
    5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

    When using customer-provided keys, you need to provide the encryption key itself, along with certain metadata, in each request that reads or writes your blob data:

    [diagram: 211125-image.png]

    Hope this will help. Please let us know if any further queries.

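A stand-alone sketch of the "custom script" the first answer calls for, exercising the flow the second answer describes: authenticate to Azure AD, read a secret from Key Vault, and have Key Vault unwrap a data-encryption key with a customer-managed key. This is an added example, not code from either answerer, Microsoft or IBM. It uses only the Python standard library and the public Key Vault REST endpoints; the vault URL, tenant, client, secret and key names are placeholders, `canned_transport` is a constructed stand-in for the service so the block runs offline, and the final hand-off of the recovered value to the AIX unlock tool is left to the caller.

```python
"""Key Vault client sketch (added example; placeholders and a canned service stub)."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# A transport takes (url, body-or-None, headers) and returns the parsed JSON
# reply. Keeping it pluggable lets the same flow run against the real service
# or against the offline stub below.
Transport = Callable[[str, Optional[bytes], Dict[str, str]], dict]


def urllib_transport(url: str, body: Optional[bytes], headers: Dict[str, str]) -> dict:
    """Real HTTPS transport: POST when a body is given, otherwise GET."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def b64url_encode(raw: bytes) -> str:
    # Key Vault encodes binary fields as unpadded base64url.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def get_token(tenant_id: str, client_id: str, client_secret: str,
              transport: Transport = urllib_transport) -> str:
    """OAuth2 client-credentials grant scoped to Key Vault (step 3 of the diagram,
    with a service principal standing in for the managed identity)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://vault.azure.net/.default",
    }).encode("ascii")
    reply = transport(url, form, {"Content-Type": "application/x-www-form-urlencoded"})
    return reply["access_token"]


def get_secret(vault_url: str, name: str, token: str,
               transport: Transport = urllib_transport) -> str:
    """Read a secret, e.g. a volume passphrase kept as a Key Vault secret."""
    url = f"{vault_url}/secrets/{name}?api-version=7.4"
    return transport(url, None, {"Authorization": f"Bearer {token}"})["value"]


def unwrap_key(vault_url: str, key_name: str, key_version: str, wrapped_dek: bytes,
               token: str, transport: Transport = urllib_transport) -> bytes:
    """Step 5 of the diagram: Key Vault unwraps a data-encryption key with the
    customer-managed key. The CMK never leaves the vault; only the DEK returns."""
    url = f"{vault_url}/keys/{key_name}/{key_version}/unwrapkey?api-version=7.4"
    body = json.dumps({"alg": "RSA-OAEP-256", "value": b64url_encode(wrapped_dek)}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return b64url_decode(transport(url, body, headers)["value"])


# Constructed stand-in for the token endpoint and the vault, so the flow can be
# exercised offline. Token, passphrase and DEK values are made up.
CANNED_TOKEN = "canned-token"
CANNED_DEK = bytes(range(32))


def canned_transport(url: str, body: Optional[bytes], headers: Dict[str, str]) -> dict:
    if "/oauth2/v2.0/token" in url:
        return {"access_token": CANNED_TOKEN, "token_type": "Bearer"}
    if headers.get("Authorization") != f"Bearer {CANNED_TOKEN}":
        raise PermissionError("vault call without a valid bearer token")
    if "/secrets/" in url:
        return {"value": "canned-passphrase"}
    if "/unwrapkey" in url:
        request = json.loads(body)
        if request.get("alg") != "RSA-OAEP-256" or not request.get("value"):
            raise ValueError("unwrap request must carry alg and a base64url value")
        return {"kid": f"{url.split('/unwrapkey')[0]}", "value": b64url_encode(CANNED_DEK)}
    raise ValueError(f"unexpected endpoint: {url}")


def unlock_flow(transport: Transport = urllib_transport) -> dict:
    """End to end: authenticate, fetch the passphrase, unwrap a locally stored DEK."""
    vault = "https://example-vault.vault.azure.net"          # placeholder
    token = get_token("<tenant-id>", "<client-id>", "<client-secret>", transport)
    passphrase = get_secret(vault, "aix-volume-passphrase", token, transport)
    wrapped = b"<wrapped DEK bytes read from local volume metadata>"   # placeholder
    dek = unwrap_key(vault, "aix-kek", "<key-version>", wrapped, token, transport)
    return {"passphrase": passphrase, "dek": dek}


if __name__ == "__main__":
    result = unlock_flow(canned_transport)
    # The caller hands result["passphrase"] or result["dek"] to the AIX unlock
    # tool; that invocation is AIX-specific and not shown here.
    print(f"recovered {len(result['dek'])}-byte DEK and a {len(result['passphrase'])}-char passphrase")
```

Swapping `canned_transport` for `urllib_transport` (the default) sends the same requests to the real endpoints; the credentials for the client-credentials grant should then come from a protected source on the AIX host rather than from literals in the script.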
