Explore Azure Disk Encryption with Azure PowerShell – Part 2
Hi (Security) Community:
We heard, loud and clear, that you’re excited about this new capability, and based on our previous post Explore Azure Disk Encryption (ADE) with Azure PowerShell, you would love to hear more about the automation and scripting you can perform using the ADE cmdlets. Today, Sudhakar Evuri, a Senior Software Engineer in the Azure Security engineering team, is going to walk you through three more scenarios that are a bit more advanced than those described in our earlier post. The scenarios we will walk you through are:
- How to use a key encryption key in your Key Vault to further secure disk encryption secrets
- How to enable Azure Disk Encryption on your VMs using AAD client certificate credentials instead of AAD client secrets
- How to enable encryption on newly attached data volumes
Prerequisites
To get you started, here’s a friendly reminder of the important prerequisites that must be in place before you run these scripts against any Azure virtual machine:
- Azure subscription: A valid Azure subscription is needed to use Azure Disk Encryption. Visit https://azure.microsoft.com/en-us/pricing/purchase-options/ to get one.
- Azure PowerShell: Please use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version, Azure PowerShell 1.2.1. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.
- Azure Key Vault: Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. Please refer to the Azure Key Vault – Step by Step blog post for more details on how to set up a Key Vault in Azure. To make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VM to be co-located in the same region. Please create and use a Key Vault that is in the same region as the VM to be encrypted. If you want to use the key encryption key feature, create a key in the Key Vault by following the instructions on this page. This key will be used as the key encryption key to wrap the encryption secrets.
- Azure Active Directory Client ID and Secret: In order to write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the specified Key Vault. Please refer to the Azure Key Vault – Step by Step blog post for more detail on how to get the Azure Active Directory Client ID and Client Secret using the Azure portal.
- IaaS V2 VM in Azure: Azure Disk Encryption works only on IaaS V2 VMs (virtual machines created using the Azure Resource Management model). Please refer to Different ways to create a Windows virtual machine with Resource Manager for information on how to create IaaS V2 virtual machines in Azure. Please create the VM in the same region as the Key Vault. The latest gallery images in Azure are optimized to finish the encryption operation quickly, so we recommend creating VMs from the latest gallery images.
Using a key encryption key to further secure data encryption secrets
By following the instructions in our earlier post, you would have been able to enable encryption on your IaaS VMs. Let’s take it a step further and use a key encryption key (KEK) to further secure your data encryption secrets. Azure Disk Encryption lets you specify an existing key in your Key Vault to wrap disk encryption secrets that were generated while enabling encryption. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault. We’ll try this on another VM that was not encrypted earlier.
Let’s initialize some variables that are required to enable encryption on a VM and use a key encryption key.
Note:
The key encryption key (KEK) must have been created in the same key vault where the disk encryption secrets are placed. Please refer to the article Getting Started with Azure Key Vault to learn how to create keys in Key Vault.
$rgName = 'MySecureRg';
$vmName = 'ExtraSecureVM';
$aadClientID = '<your-aad-client-id>';
$aadClientSecret = '<your-aad-client-secret>';
$KeyVaultName = 'MySecureVault';
$keyEncryptionKeyName = 'MyKeyEncryptionKey';
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
Next, set the Key Vault access policies to allow the specified Azure AD application to write secrets to Key Vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $rgname;
Once the policies have been defined, the Azure fabric needs to access the encryption secrets in order to boot the encrypted VM. Use the cmdlet below to set Key Vault access policies that allow the Azure platform to access the encryption secrets placed in the Key Vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgname -EnabledForDiskEncryption
Now we’re all set to enable encryption on the given VM and use a key encryption key to wrap the disk encryption secrets. Important: We advise you to save your work before running this cmdlet. This cmdlet uses the variables initialized above. We also recommend that you create IaaS VMs using the latest gallery images to quickly enable encryption.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
If you would like to learn more about capabilities in this area, please refer to the Set-AzureRmVmDiskEncryptionExtension cmdlet for the full list of options and details. Once you have enabled and deployed an encrypted VM, the Get-AzureRmVmDiskEncryptionStatus cmdlet displays the encryption status of the OS volume and data volumes, and the Key Vault URLs of the OS volume’s encryption secrets:
Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName
Based on the above, you should be able to see that both the OS volume and the data volumes are now encrypted. The OS volume encryption settings also show the key encryption key information in addition to disk encryption key information as shown below.
OsVolumeEncrypted : True
OsVolumeEncryptionSettings : {
  "DiskEncryptionKey": {
    "SecretUrl": "https://mysectestvault.vault.azure.net/secrets/36606F9D-07D9-4E68-8087-79277C83AAC2/36e832facb2f4e38990b107e03d27189",
    "SourceVault": {
      "ReferenceUri": "/subscriptions/0ee9d577-9bc4-4a32-a4e8-c29981025378/resourceGroups/MySecureRg/providers/Microsoft.KeyVault/vaults/MySecTestVault"
    }
  },
  "KeyEncryptionKey": {
    "KeyUrl": "https://mysectestvault.vault.azure.net/keys/Testkek/9dfdb7ca054746e48eb4dda11d108faf",
    "SourceVault": {
      "ReferenceUri": "/subscriptions/0ee9d577-9bc4-4a32-a4e8-c29981025378/resourceGroups/MySecureRg/providers/Microsoft.KeyVault/vaults/MySecTestVault"
    }
  }
}
DataVolumesEncrypted : True
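The KEK procedure above, wrapped into one function as an added example (not code from the original post): it checks the co-location and same-vault requirements the post states, grants the AAD application only the wrapKey and set rights the extension needs instead of all, enables encryption, and verifies the KeyEncryptionKey entry appears in the status. It assumes the variables initialized earlier in this section ($rgName, $vmName, $KeyVaultName, $keyEncryptionKeyName, $aadClientID, $aadClientSecret) are set in the session.

```powershell
# Added example (not code from the original post): validate the prerequisites the
# post lists, grant least-privilege Key Vault rights, enable ADE with a KEK, verify.
function Enable-AdeWithKek {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KekName,
        [Parameter(Mandatory)] [string] $AadClientId,
        [Parameter(Mandatory)] [string] $AadClientSecret
    )
    $vm    = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $kek   = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KekName -ErrorAction SilentlyContinue

    # Prerequisite: vault and VM must be in the same region (compare with spaces stripped,
    # since location strings may be returned as 'West US' or 'westus').
    if (($vm.Location -replace '\s', '') -ne ($vault.Location -replace '\s', '')) {
        throw "Vault '$VaultName' is in $($vault.Location) but VM '$VMName' is in $($vm.Location)."
    }
    # Note from the post: the KEK must live in the same vault as the disk encryption secrets.
    if (-not $kek) { throw "Key '$KekName' was not found in vault '$VaultName'." }
    if (([Uri]$kek.Key.kid).Host -ne ([Uri]$vault.VaultUri).Host) {
        throw "KEK '$($kek.Key.kid)' is not in vault '$($vault.VaultUri)'."
    }

    # The post grants 'all'; wrapping with the KEK and writing secrets needs only these two.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ServicePrincipalName $AadClientId -PermissionsToKeys wrapKey -PermissionsToSecrets set
    # Let the Azure platform read the secrets when the encrypted VM boots.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -EnabledForDiskEncryption

    # -Force only skips the confirmation prompt; save your work first, as the post advises.
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -AadClientID $AadClientId -AadClientSecret $AadClientSecret `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.kid -KeyEncryptionKeyVaultId $vault.ResourceId -Force

    # Verify: the OS volume settings should now carry the KeyEncryptionKey entry shown above.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if (-not $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl) {
        throw "Encryption ran but no KeyEncryptionKey is recorded for the OS volume."
    }
    return $status
}

# Call with the variables initialized earlier in this section.
Enable-AdeWithKek -ResourceGroupName $rgName -VMName $vmName -VaultName $KeyVaultName `
    -KekName $keyEncryptionKeyName -AadClientId $aadClientID -AadClientSecret $aadClientSecret
```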
Using an AAD client certificate instead of client secret
So far we’ve used an AAD client secret to authenticate to AAD and write encryption secrets to Key Vault. For security-conscious users who don’t want client secrets hard-coded in, or leaked from, their script files, Azure Disk Encryption supports AAD client certificate based authentication. In this section we’ll walk you through how to use AAD client certificate credentials while enabling encryption. Please create a fresh VM, or use an existing VM that wasn’t encrypted earlier, for the steps below.
In order to use certificate based authentication, first a certificate needs to be created and associated with the AAD application. Install the Azure AD PowerShell module and follow the examples in the documentation of the New-MsolServicePrincipalCredential cmdlet to associate a certificate with an existing AAD application.
After the certificate is associated with the AAD application, the private certificate (.pfx) needs to be uploaded to your Key Vault and deployed to the local machine’s ‘My’ certificate store in the VM. This lets the Azure Disk Encryption VM extension use the certificate deployed on the VM to authenticate to AAD and write secrets to Azure Key Vault. Follow the steps in Deploy Certificates to VMs from customer-managed Key Vault to do this. You can also use the Add-AzureRmVMSecret cmdlet followed by Update-AzureRmVM to deploy the certificate to the VM after it has been uploaded to Key Vault.
Ok, now that the certificate is associated with the AAD application and the .pfx file is deployed to the VM, we will initialize a few more variables, in addition to the variables initialized in the section above, to enable encryption on the given VM.
$anotherVM = 'SuperSecureVM';
$certPath = 'C:\myaadapp.cer';
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2;
$cert.Import($certPath);
$aadClientCertThumbprint = $cert.Thumbprint;
Now we’re all set to enable encryption on the given VM using the AAD client certificate credentials and use a key encryption key to wrap the disk encryption secrets.
We advise you to save your work before running this cmdlet. This cmdlet uses the variables initialized above. We also recommend that you create IaaS VMs using the latest gallery images to quickly enable encryption.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $anotherVM -AadClientID $aadClientID -AadClientCertThumbprint $aadClientCertThumbprint -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
Please refer to the Set-AzureRmVmDiskEncryptionExtension cmdlet for the full list of options and details.
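The certificate-based flow above as an added example (not code from the original post): it derives the thumbprint from the public .cer, deploys the .pfx from Key Vault into the VM’s ‘My’ store with Add-AzureRmVMSecret and Update-AzureRmVM as the post suggests, confirms the VM model references the certificate, and enables encryption with the thumbprint only. It assumes the .pfx was already uploaded to the vault as a secret; the secret name 'myaadapp-pfx' and the function name are assumptions, and $rgName, $anotherVM, $KeyVaultName, $certPath, $aadClientID and $keyEncryptionKeyUrl come from the sections above.

```powershell
# Added example (not code from the original post): deploy the AAD app's .pfx from
# Key Vault into the VM's 'My' store, check the reference, enable ADE with a thumbprint.
function Enable-AdeWithClientCert {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $PfxSecretName,   # Key Vault secret holding the .pfx
        [Parameter(Mandatory)] [string] $PublicCertPath,  # the .cer; no private key needed here
        [Parameter(Mandatory)] [string] $AadClientId,
        [Parameter(Mandatory)] [string] $KekUrl
    )
    # The thumbprint comes from the public certificate, so this script holds no secret.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($PublicCertPath)
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); AAD auth would fail."
    }

    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    $pfx   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $PfxSecretName -ErrorAction SilentlyContinue
    if (-not $pfx) { throw "Secret '$PfxSecretName' (the .pfx) is not in vault '$VaultName'." }

    # Add-AzureRmVMSecret followed by Update-AzureRmVM places the .pfx in the VM's 'My' store.
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vault.ResourceId `
            -CertificateStore 'My' -CertificateUrl $pfx.Id
    Update-AzureRmVM -ResourceGroupName $ResourceGroupName -VM $vm | Out-Null

    # Confirm the VM model now references the certificate before relying on it.
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $refs = @($vm.OSProfile.Secrets | ForEach-Object { $_.VaultCertificates } |
              Where-Object { $_.CertificateUrl -eq $pfx.Id })
    if ($refs.Count -eq 0) { throw "VM '$VMName' does not reference $($pfx.Id) after update." }

    # No -AadClientSecret anywhere: the extension authenticates with the deployed certificate.
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -AadClientID $AadClientId -AadClientCertThumbprint $cert.Thumbprint `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -KeyEncryptionKeyUrl $KekUrl -KeyEncryptionKeyVaultId $vault.ResourceId -Force
    return $cert.Thumbprint
}

# 'myaadapp-pfx' is an assumed secret name; the other variables come from the sections above.
Enable-AdeWithClientCert -ResourceGroupName $rgName -VMName $anotherVM -VaultName $KeyVaultName `
    -PfxSecretName 'myaadapp-pfx' -PublicCertPath $certPath -AadClientId $aadClientID `
    -KekUrl $keyEncryptionKeyUrl
```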
Encrypting newly attached data volumes
Once you have successfully enabled encryption on the OS and data volumes of a VM, you may want to attach additional data disks and enable encryption on the volumes in the attached data disk. Once the encryption operation has been performed successfully on a given VM, a new sequence version (different from the previous one) must be used to trigger the encryption operation again. The following steps demonstrate how to do that.
First, follow the steps here to attach a data disk to a VM and create volumes on the data disk. Azure Disk Encryption is a volume-based encryption solution, so it’s important to create volumes on new data disks to be able to encrypt them. We will now initialize some variables:
$anotherVM = 'SuperSecureVM';
$sequenceVersion = [Guid]::NewGuid();
Now we’re all set to enable encryption on the data volumes in the newly attached data disks using the following command:
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $anotherVM -AadClientID $aadClientID -AadClientCertThumbprint $aadClientCertThumbprint -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -SequenceVersion $sequenceVersion
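The re-trigger above as an added example (not code from the original post): it refuses to run when no data disk is attached, reads the sequence version already recorded on the VM so the new one is guaranteed to differ, re-runs the extension, and returns the data volume status. Reading the previous value from the public settings of an extension named 'AzureDiskEncryption' is an assumption about the extension’s settings layout; the variables come from the sections above.

```powershell
# Added example (not code from the original post): re-run ADE for newly attached data
# volumes with a sequence version that differs from the one already on the VM.
function Invoke-AdeDataVolumeEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $AadClientId,
        [Parameter(Mandatory)] [string] $AadClientCertThumbprint,
        [Parameter(Mandatory)] [string] $KekUrl
    )
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # ADE is volume-based: there must be a data disk (with volumes created on it) to encrypt.
    if ($vm.StorageProfile.DataDisks.Count -eq 0) {
        throw "VM '$VMName' has no data disks attached; nothing new to encrypt."
    }

    # Assumption: the extension ('AzureDiskEncryption' on Windows) keeps the last
    # SequenceVersion in its public settings; read it so the new value is sure to differ.
    $ext = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
             -Name 'AzureDiskEncryption' -ErrorAction SilentlyContinue
    $previous = $null
    if ($ext -and $ext.PublicSettings) {
        $previous = (ConvertFrom-Json $ext.PublicSettings).SequenceVersion
    }
    do { $sequenceVersion = [Guid]::NewGuid().ToString() } while ($sequenceVersion -eq $previous)

    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -AadClientID $AadClientId -AadClientCertThumbprint $AadClientCertThumbprint `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -KeyEncryptionKeyUrl $KekUrl -KeyEncryptionKeyVaultId $vault.ResourceId `
        -SequenceVersion $sequenceVersion -Force

    # Report what was used and whether the data volumes now show as encrypted.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    [pscustomobject]@{
        PreviousSequenceVersion = $previous
        SequenceVersion         = $sequenceVersion
        DataVolumesEncrypted    = $status.DataVolumesEncrypted
    }
}

# Uses the variables initialized in the sections above.
Invoke-AdeDataVolumeEncryption -ResourceGroupName $rgName -VMName $anotherVM -VaultName $KeyVaultName `
    -AadClientId $aadClientID -AadClientCertThumbprint $aadClientCertThumbprint -KekUrl $keyEncryptionKeyUrl
```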
We hope you’ve enjoyed this update and are able to use the advanced capabilities provided by Azure Disk Encryption. Please let us know if you have any feedback by adding a comment below. We’ll work hard to meet your needs for additional content, tips and tricks in the future!
Sudhakar Evuri
Senior Software Engineer, Azure Security engineering
Comments
- Anonymous
February 03, 2016
Great walkthrough! Thanks for sharing these details. One question though: are there any plans to enable support for the customer's own HSM, i.e. if we want to retain the keys / secrets on premises?