What is an Azure Disk Encryption Set?
A Disk Encryption Set is a resource introduced in the Azure cloud platform to simplify key management for managed disks. Managed disks are the newer, recommended disk storage offering for Azure virtual machines and hold a VM's persistent data. When a disk encryption set is created, a system-assigned managed identity is created in Azure Active Directory (AD) and associated with the disk encryption set.
Azure offers server-side encryption for all VMs to protect your data and help you meet your organizational security and compliance commitments. Server-side encryption automatically encrypts data stored on Azure managed disks (OS and data disks) at rest by default when it is persisted to the cloud. Using a Disk Encryption Set, you can manage the keys for all of your managed disks from a single pane. Disk encryption sets let you manage the encryption keys used by server-side encryption for Standard HDD, Standard SSD, and Premium SSD managed disks. Data on Azure managed disks is encrypted transparently using 256-bit AES encryption.
In this blog, we describe how to create an Azure Disk Encryption Set in a few steps. It gives you control of the encryption keys to meet your security and compliance needs in a few clicks.
Creating a Disk Encryption set
Log in to the Azure portal with a valid account. Select All Services → Disk Encryption Sets.
Click Create Disk Encryption Set.
Creating a disk encryption set in Azure involves three simple steps, named Basics, Tags and Review & create.
In the first step, Basics, provide your Azure subscription and the resource group it is associated with in the Project Details section. You can also create a new resource group for this Azure Disk Encryption Set. Then provide a name for the new Azure Disk Encryption Set and the Azure region where you want to deploy it.
Also in this step, you have to choose the encryption type from the drop-down list. Two types of encryption keys are available:
- Platform-managed keys
- Customer-managed keys
You can rely on platform-managed keys for the encryption of your managed disks, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you specify a customer-managed key that is used to encrypt and decrypt all data on the managed disks.
So you can choose either one of the following options:
- Encryption at rest with a customer-managed key
- Double encryption with platform-managed and customer-managed keys
If you are using an Azure Disk Encryption Set for the first time, you may need to create a new Azure key vault to store your keys before creating the set.
Creating Azure Key vault
Azure Key Vault is a cloud service used to manage keys, secrets, and certificates. Key Vault eliminates the need for developers to store security information in their code. It lets you centralize the storage of your application secrets, which greatly reduces the chance that secrets are leaked. Key Vault can also store secrets and keys backed by Hardware Security Modules (HSMs). In addition, the key vault logs all access and usage attempts for your secrets, so you have a complete audit trail for compliance.
Creating an Azure key vault comprises five steps: Basics, Access policy, Networking, Tags, and Review & create.
Here too, provide your Azure subscription and resource group name. Provide a name for the key vault and choose the region where you want to deploy it.
Also choose the pricing tier, Standard or Premium.
Recovery options – Soft delete protection is automatically enabled on this key vault. This feature allows you to recover, or permanently delete, a key vault and its secrets for the duration of the retention period. This protection applies to the key vault and to the secrets stored within it.
To enforce a mandatory retention period and prevent the permanent deletion of key vaults or secrets before the retention period elapses, you can turn on purge protection. When purge protection is enabled, secrets cannot be purged by users or by Microsoft.
Days to retain deleted vaults – This can be set to between 7 and 90 days. Once set, it cannot be changed or removed.
Purge protection – Enabling purge protection on a key vault is an irreversible action. Once the purge protection property has been set to true, it cannot be changed or removed.
The option Disable purge protection allows key vaults and objects to be purged during the retention period. The option Enable purge protection enforces a mandatory retention period for deleted vaults and vault objects.
Access policy – In this step, you can enable access for these three Azure resources:
- Azure Virtual machines for deployment – Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault
- Azure resource manager for template deployment – Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault
- Azure Disk Encryption for volume encryption – Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys
Permission model – Choose either Vault access policy or Azure role-based access control. You can also view the current access policies, which list the users along with their Key, Secret, and Certificate permissions (by default the Global Administrator is added as the first user).
Networking – In this section, you specify how your Azure key vault will be reachable. You can connect to this key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint.
Tags – Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. This step is optional; you need not provide any details.
Review & create – In this final step, validation checks your inputs and, once you see the Validation passed message shown below, lets you create the new Azure key vault.
Click Create. You will see a Deployment in progress message for a while, and after a few minutes a Deployment succeeded notification appears in the notification area. Your newly created key vault will now be shown in the key vault drop-down menu.
Creating a new Key
In the next step, you are asked to create a new key. Click the Create new button. Here you name the key and choose its key type and RSA key size. In the Options menu, choose Create, since we are creating a new key; the other options are Import and Restore backup, which you can use if you already have a key. Provide a name for the key.
Choose the key type, RSA or EC. Generally, RSA is chosen. Then choose the RSA key size; the available options are 2048, 3072, and 4096, and we choose 2048. You can also set an activation and expiration date for the key. Finally, by selecting Yes for the Enabled option, your key is ready to use immediately after creation.
Click Create to start creating the key. The key is created in a few seconds, and its name now appears in the drop-down list for selection. Along with the new key, an initial version of the key is created automatically, and you choose that version in the Version option.
In the next step, select the newly created key and its key vault for the Azure Disk Encryption Set. Click Select to proceed, as shown below.
Now your key and key vault values are filled in on the Azure Disk Encryption Set creation page, as shown in the red box in the picture below. You are now at the final stage of creating the new Azure Disk Encryption Set.
Click Next: Tags >. Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. This is an optional step.
Click Review + create to proceed. Validation runs, and you see a Validation passed message on the screen. Now click the Create button to proceed. A deployment-in-progress notification is shown for a few minutes, followed by a Deployment succeeded message.
After creating the Azure Disk Encryption Set, click the “Go to Resource” button and you are redirected to the page of the newly created set. In the subsequent step you will be asked to grant the set permission to use the newly created key, so that it can use the encryption key.
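The same chain the portal walkthrough above builds by hand (key vault, key, disk encryption set, and the final permission grant), written as an added Bicep template; this is my example, not code from the post or from Microsoft, and the parameter and resource names are mine. It assumes the resource group already exists, and it encodes two requirements a disk encryption set enforces: the vault must have soft delete and purge protection enabled before the set will accept a key from it, and the vault and the set must be in the same region.

```bicep
param location string = resourceGroup().location  // vault and DES must share a region
param vaultName string                            // assumed: must be globally unique
param desName string                              // assumed name for the new set

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {  // soft delete + purge protection are required for DES keys
  name: vaultName
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }  // 'premium' for HSM-backed keys
    tenantId: subscription().tenantId
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true     // irreversible once set, as the post notes
    enableRbacAuthorization: false  // Vault access policy permission model
    accessPolicies: []
  }
}

resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {  // RSA 2048, enabled immediately
  parent: kv
  name: 'des-key'
  properties: {
    kty: 'RSA'
    keySize: 2048
    attributes: { enabled: true }
  }
}

resource des 'Microsoft.Compute/diskEncryptionSets@2023-04-02' = {  // system-assigned identity is created here
  name: desName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    encryptionType: 'EncryptionAtRestWithCustomerKey'  // the single customer-managed-key option
    activeKey: { sourceVault: { id: kv.id }, keyUrl: key.properties.keyUriWithVersion }
  }
}

resource grant 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {  // the "grant permission" step
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: des.identity.principalId  // only the set's identity, least privilege
        permissions: { keys: [ 'get', 'wrapKey', 'unwrapKey' ] }
      }
    ]
  }
}
```

The set's identity receives only get, wrapKey and unwrapKey on keys, which is all it needs to protect disk encryption keys; for double encryption, change encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.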
Managing & Working with the newly created Azure Disk Encryption set
Choose Home → Disk encryption sets → the name of the newly created encryption set. You land on the Overview page of the encryption set.
It has other major activity components, such as IAM access control for the disk encryption set resource, assigning other Azure resources to this disk encryption set, changing the key, adding a resource lock for the encryption set, and automation tasks (through templates) wherever this disk encryption set is used. In this blog, we are not covering all these activities in detail.
One important area covered in this document is IAM access control, where you can check access, add role assignments, add deny assignments, etc.
Check access – Review the level of access a user, group, service principal, or managed identity has to this resource.
Add role assignments – Grant access to this resource to users, groups, or other Azure resources by adding role assignments.
View access to this resource – The currently signed-in user can view the role assignments that grant access to this and other resources.
View deny assignments – The currently signed-in user can view the deny assignments that block specific actions at this scope.
Deleting the Azure Disk Encryption set
Choose the name of the Disk Encryption Set under Home → Disk Encryption Sets; this opens the overview page of that disk encryption set. At the top you can see the Delete button, as shown in the red box in the image below. On confirmation, the Azure Disk Encryption Set is deleted.
You can confirm the deletion progress in the notification area by clicking the notification icon at the top of the page.
Recently, Microsoft Azure released the DCasv5 and ECasv5 series of confidential VMs, based on AMD processors with SEV-SNP technology. Confidential VMs are for tenants with high security and confidentiality requirements; they provide a strong, hardware-enforced boundary to help meet customer security needs. Combining DCasv5 and ECasv5 series hardware with a Disk Encryption Set for the OS and data disks gives you the highest level of security at both the OS and the data level.
Conclusion
Encrypting the Azure disks used by your Azure VMs adds security to the VM and its data and helps you uphold your organizational security and compliance commitments every day. But managing every encrypted disk with its own strong encryption key is cumbersome, and it becomes more complicated as you run more Azure VMs with encrypted disks. Azure therefore provides a simple way to manage all encrypted disk storage through the Disk Encryption Set, a single management console that brings your entire encrypted Azure infrastructure under one entity. With moderate knowledge, one can create encryption keys in a key vault and, through the disk encryption set, apply that encryption to any Azure managed disk.