Varatchi

Journey on self-mastery & tech transformation

Azure Disk Encryption

Securing OS and Data Disks with Azure Disk Encryption and Key Vault policies

In this blog, I am demonstrating how to secure the OS and additional data disks in virtual machines using Azure Disk Encryption and managed keys from Azure Key Vault.

Step 1 | Create a Windows-based VM with a data disk attached

The VM resource is created.

Currently, Azure Disk Encryption is disabled.

Connect the Virtual Machine via RDP.

Navigate to File and Storage Services and create a volume on the newly attached disk.

Leave the default settings and set a name for the volume.

The new volume is created. We can now see the OS disk and the new disk we mounted. Note the disk icon shown for each disk.

Step 2 | Generate Key for volume encryption

Note: to create and manage keys, the user must be assigned the appropriate permissions, and the principle of least privilege should always be followed.

Navigate to Azure Key Vault → Access Control (IAM) → Add role assignment.

Assigned role: Key Vault Administrator

Navigate to ‘Keys’ and generate a new key for volume encryption.

Note: Windows Server supports a key size of 4096.

Key is generated.

Now that the key has been created, we can use it as input for the disk encryption.

Step 3 | Enable Disk Encryption in the Virtual Machine Settings page

Navigate to the virtual machine settings page → Additional Settings.

Under Encryption Settings, select the Key Vault, the created key and the key version.

The encryption feature is now deployed.

Launch the virtual machine. The OS disk and the data disk now show a lock symbol, indicating that the disks are encrypted with Windows BitLocker.

To add more security, we can enable the ‘Key rotation’ feature, which rotates the key and invalidates the old key at regular intervals.

Click the key created for disk encryption.

Enable rotation policy as below.

Key rotation adds more security by invalidating the old key with regular intervals.
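The same three steps, driven from the Azure CLI instead of the portal, as an added example that is not part of the original post and not an official Microsoft sample. It assumes an existing resource group, VM and Key Vault whose names are passed in as arguments, and it assigns the narrower built-in Key Vault Crypto Officer role (keys only) in place of Key Vault Administrator.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI version of the portal walkthrough above.
# Every name used here is a placeholder supplied on the command line.
set -eu

# Step 2a (IAM): grant only what key management needs. "Key Vault Crypto Officer"
# can create and rotate keys but cannot read secrets, certificates or change access.
grant_key_admin() {                    # $1 = principal object id, $2 = key vault resource id
  az role assignment create --assignee-object-id "$1" --assignee-principal-type User \
    --role "Key Vault Crypto Officer" --scope "$2"
}

# Step 2b: the vault must permit disk encryption, then create the 4096-bit RSA
# key encryption key (KEK) that wraps the BitLocker secret.
create_kek() {                         # $1 = vault name, $2 = key name
  az keyvault update --name "$1" --enabled-for-disk-encryption true >/dev/null
  az keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 4096 --protection software
}

# Step 3: enable Azure Disk Encryption on OS and data volumes with the current
# KEK version, then read back the per-disk encryption status to confirm it.
enable_ade() {                         # $1 = resource group, $2 = VM, $3 = vault, $4 = key name
  kek_url=$(az keyvault key show --vault-name "$3" --name "$4" --query key.kid -o tsv)
  az vm encryption enable --resource-group "$1" --name "$2" \
    --disk-encryption-keyvault "$3" --key-encryption-key "$kek_url" --volume-type ALL
  az vm encryption show --resource-group "$1" --name "$2" -o table
}

# Rotation policy: rotate $1 after creation, notify 30 days before the $2 expiry.
# Built by a function so the JSON can be reviewed before it is applied.
rotation_policy_json() {               # $1 = rotate after (ISO 8601), $2 = expiry (ISO 8601)
  printf '{"lifetimeActions":[{"trigger":{"timeAfterCreate":"%s"},"action":{"type":"Rotate"}},{"trigger":{"timeBeforeExpiry":"P30D"},"action":{"type":"Notify"}}],"attributes":{"expiryTime":"%s"}}' "$1" "$2"
}

# Caveat: the VM keeps using the KEK version it was enabled with. After Key Vault
# rotates the key, re-run enable_ade so the VM re-wraps its secret with the new version.
set_rotation_policy() {                # $1 = vault name, $2 = key name
  az keyvault key rotation-policy update --vault-name "$1" --name "$2" \
    --value "$(rotation_policy_json P80D P90D)"
}

# Usage: ade-enable.sh <resource-group> <vm> <key-vault> <key-name> <principal-object-id>
if [ "$#" -eq 5 ]; then
  vault_id=$(az keyvault show --name "$3" --query id -o tsv)
  grant_key_admin "$5" "$vault_id"
  create_kek "$3" "$4"
  enable_ade "$1" "$2" "$3" "$4"
  set_rotation_policy "$3" "$4"
fi
```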

In summary, disks in VMs can be secured with the following steps:

  1. Assign least-privilege roles to the user who manages keys, using Access Control (IAM)
  2. Enable disk encryption using Azure Disk Encryption (BitLocker encryption)
  3. Use managed keys from Azure Key Vault with a key rotation policy

Thanks for reading this blog.

Please leave your suggestions.

#CloudSecurity #AzureDiskEncryption #AzureSecurity #Azure #MicrosoftAzure #Azure #DiskEncryption #DataSecurity #Encryption #BitLocker #VMSecurity #WindowsSecurity
