Azure VM Disk Encryption - Storage Side Encryption vs Azure Disk Encryption

July 30, 2020

11 min to read.

Abs07act

Encryption is a vast and complex topic. No matter how much you 07y to make it easy; it turns into more complex subject. The encryption is very close to heart for security teams in any organization.

Especially for security people working for a Bank or Financial institutes, the encryption will always be favorite topic. The audit, compliance and security teams always tend to evaluate encryption in and out.

With more and more organizations moving their workloads to Azure Cloud; encryption becomes hot topic. The most common service used on Azure is Azure VMs.

I have been part of the discussions where “Encryption of Azure VMs and its disk” took more than 6 months to satisfy all queries of security teams.

As always, I don’t want every discussion to continue that long and this is what this blog post targets. In this blog I have added crucial information about “Azure VM Disk Encryption” that will help you to make decision faster and move toward the Azure journey quickly for large scale adoption.

I will TRY to explain the Azure VM encryption scenarios and common questions which are not provided by Vast documentation of Azure VM Disk Encryption present – here, here, here, here and here.

Before we go forward it is always best to start with FAQ on Azure IaaS Disk Encryption.

Lets go!

The topic of encryption vastly moves around two things –

1. Encryption at rest
2. Encryption in 07ansit

For Azure VMs when we talk about encryption for Azure VMs, it is mainly applicable to “Encryption at rest”. The data stored on Azure VM disks should be encrypted in the major requirement of organizations. Apart from that other requirements are –

1. I want to use my secret keys for encryption
2.      When I backup VM, the backup should also be encrypted
3.      When I restore VM from backup; it should be encrypted
4.      When I perform DR replication for VM; it should be encrypted
5.      My VM stored data should not be readable unless decryption keys are provided
6.      If I download the encrypted Azure VM from Azure and provision in my on premises then data on VM should not be readable
7.      What is difference between Azure managed disk “Server Side Encryption” (SSE) and “Azure Disk Encryption” (ADE)? When to use what?

These are the common questions/ requirements I have seen most of the companies demand for Azure VM
encryption. Let us see how Azure VM encryption options resolve it.

Azure VM managed disks can be encrypted using two methods –

1. Server Side Encryption
2. Azure Disk Encryption

Server side encryption [SSE] is default offering. All of your Azure VMs managed disks are always encrypted by default when they are stored on underlying storage. This is encryption at rest by the Azure itself.

You don’t need any additional efforts to perform Server Side Encryption of Azure VM Managed disk. More importantly you can't disable it as well. Server side encryption is not optional, and always provided behind the scene.

Azure Disk Encryption [ADE] is optional. This method provides an ex07a layer of security over SSE. This encryption is performed at OS level of VM and hence there are many conditions where ADE is supported/ not supported. Where as SSE is always performed at backend storage level and has nothing to do with OS of VM being encrypted.

So there are no non-supported scenarios for Server Side Encryption of Azure VM Managed Disks.

For Windows VM ADE is configured using BitLocker.

For Linux VM ADE is configured using DMCrypt.

Differences are best explained by diagrams. Refer to below diagram where SSE and ADE is performed in the context of Azure VM.

As you can see in the diagram, ADE is performed at VM OS level whereas SSE is performed at the storage level. All Managed disks of Azure VM are backed by Azure page blobs and this is where SSE is performed. As ADE is performed at OS level, we use tools such as BitLocker and DMCrypt.

In next section we will talk about common questions/ requirements talked about Azure VM Managed Disk Encryption and at last we will discuss the hottest topic ADE vs SSE and when to use what.

This scenario is called as Bring your own Key [BYOK] scenario.

BYOK – Also known as – Customer Managed Keys [CMK] – Can be used for SSE and ADE both. For SSE as of today it is in preview in some regions. CMK can be leveraged only if you use Azure Key Vault. You can’t bypass Azure Key Vault for CMK.

BYOK process for SSE or ADE is as follows –

• You bring your key in Azure Key Vault. We call it as Key encryption key [KEK].

• Azure Key Vault uses KEK to encrypt the Data Encryption Key[DEK] while stored in Key Vault.

• DEK is actually generated automatically internally, and used for SSE or ADE, and for actual encryption of underlying data at rest of Azure VMs.

• This scenario of using your own key, using Azure Key Vault is called as Customer Managed Key [CMK].

• Remember in CMK, your key is never used for actual encryption of the Azure VM disk stored data. Rather it is used to encrypt the Data Encryption Key. The DEK is the real key which encrypts the data stored on Azure VM disks.

No. SSE is provided by default and you can’t opt out of it or disable it. Even if you don’t use CMK, Azure will always keep data encrypted based on system/ platform generated keys and data at rest is always encrypted.

No. As soon as the data leaves the boundary of underlying storage, it is decrypted. Hence if you provision VM vhd or data disk vhd the data will be readable.

Note – If you want to use SSE only as it avoid lot of operational overheads and fastest way to compliance; but worried what if someone downloads the VHD; then you can create Azure Custom Role in such a way that it res07icts the download VHD completely.

Then assign the custom role created to those users at subscription level who work on daily VM operations using Azure portal, CLI or PowerShell.

Contact me if you need such a custom role built in your azure subscription.

Yes. ADE is completely optional.

Yes. The Data disk and OS disks will not be readable.

Yes. VM backup is also encrypted. If you restore such a VM from backup then restored VM is also encrypted using existing keys.

CMK is where customer brings their own key. If you use your key for SSE or ADE then management and lifecycle of key is in your hand.

If key is lost, means data is lost. There won’t be any recovery point/ option available, if the KEK used for encryption of DEK, is lost.

As a failsafe mechanism always enable Soft Delete on Azure Key Vault and never perform Hard delete on Azure Key Vault secrets, Keys and certificates.

<07 style="height: 28.9pt;">
OS

Windows

Linux
<07 style="height: 28.9pt;">
Gallery image

Yes

Yes
<07 style="height: 49.9pt;">
Marketplace, like CIS Benchmarked images

Yes

Yes
<07 style="height: 49.9pt;">
Custom built using Sysprep or generalized images

Yes

Yes

Note – As SSE is performed at the backend store of managed disks; the image type of VM really doesn’t matter.

What type of Azure VM images are supported for ADE?

<07 style="height: 29.2pt;"> <07 style="height: 29.2pt;"> <07 style="height: 29.2pt;"> <07 style="height: 29.2pt;">

OS

Windows

Linux

Gallery image

Yes

Yes

Marketplace, like CIS Benchmarked images

Yes

No

Custom built using Sysprep or generalized images

No*

No*

Note - Custom images and marketplace images for Linux OS are supported for encryption on case by case basis.

ADE VMs must be encrypted one by one, the generalization process breaks ADE, that’s not a supported approach.

Customers could reduce some time using automation tools to 07igger the encryption process as soon as the VM provisioning completes and any possible OS configuration details (orches07ate the process), but at this moment it is not possible to create images with OS already encrypted using ADE, as mentioned the VMs should be encrypted one by one.

Deploy the VM using an endorsed supported gallery images

Encrypt the VM prior installing any apps or performing customizations

Once the VM is encrypted then you can install apps and perform any needed customizations like hardening, Antivirus install, monitoring agent install and so on (making sure those customization will not break ADE pre-requisites).

No. When VM is ADE encrypted then individual folder backup is not supported. You need to first decrypt the VMs and then take individual folder backups.

Above point is valid for Windows and Linux both.

When VM is ADE encrypted, always take entire VM backup.

Yes.

If you have a Linux VM already provisioned with Data disk having data stored on it and if you perform ADE [DM-Crypt], data disks will be formatted. Therefore take the backup first if you are already using VM and then perform ADE.

If you have a Windows VM already provisioned with Data disk having data stored on it and if you perform ADE [BitLocker], data disks will NOT be formatted. However, recommended to always take the backup first if you are already using VM and then perform ADE.

In any scenario, OS drive is never formatted.

Whether your current VM is Linux or windows and has encrypted data disks, then while encryption of newly added data disks never cause any format operation on data disks which are already encrypted.

For linux, Any data disks that are not encrypted earlier and you do encryption using ADE then always Format happens for the first time. For Linux if you want any disks not to be encrypted, then unmount it always before encryption, remount after encryption is complete.

For Windows, Any data disks that are not encrypted earlier and you do encryption using ADE then also Format never happens, as for Windows BitLocker works in background.

•        As custom image based VMs are not supported, total provisioning time of VM increases. Also all hardening steps are recommended to be performed post VM ADE encryption completion. This adds to time required for ready VM.

•        For Linux, the data disks are always formatted when first time ADE encryption happens. So if VMs are already in use this proposes challenge.

•        If VM has 2 disks out of which 1 need to be encrypted and other need is not to be encrypted; you have unmount non encryption required disks and mount them back after encryption. This process will be required to be carried out everytime new disk is added to VM.

•        Individual folders can’t be backed up if VM is encrypted. You have to first decrypt VM and then take backup of individual folders. In this case you are forced to take entire VM backup even if it may not be business requirement.

•        ADE encrypted VMs can be restored from backup only in the same region and subscription.

•        During encryption operation if OS +data encryption is happening the minimum RAM required is 8GB. Post encryption RAM can be reduced, if business/ application demands lower VM configuration.

•        Only RHEL 7 images with PAYG are supported. Existing BYOL for RHEL is not supported for ADE.

•        Additional VM requirements - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#additional-vm-requirements

•        For key vault accessibility, if VM is not having internet access [which is the case in most of the org] aditional network requirements - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#networking-requirements

•        Not all OS dis07ibution of Linux are supported – refer - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-vms-and-operating-systems

•        For group policy for windows VMs - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#group-policy-requirements

You can, but it may not integrate well with native azure services such as Azure backup vault and site recovery DR solution.

ADE and SSE are well integrated with all native Azure services and recommended approach for disk encryption.

You can certainly do that however please confirm from the 3^rd party provider that encryption used for individual folders will work with other azure services such as –

Azure Backup for VMs
Site recovery services

Performance is guaranteed for encryption and decryption process.

Both are free. You are charged only for Azure Key Vault operations, key storage if you are using CMK. If platform managed keys are used then there won’t be any charge.

<07>
SSE

ADE
<07>
This is most convenient to use and provides solution to most of the compliance needs.

If you are finance org and goes through ex07eme s07ingent compliance audit then opt for this. Always verify if your Security teams are okay with SSE; if not then use ADE on top of it.
<07>
Operational overheads are almost zero in this approach.

This approach increases operational overheads drastically.
<07>
The temp disks of Azure VM is not encrypted. So if you app running on VM uses temp disk for any operation then that data will not be encrypted.

Temp disks of Azure VM is also encrypted.

Hope this article helped you to get answers you are looking for. If you have any such questions but not answered; add your comments and I will 07y to give answers for them.

Refer another hit blog post on “Azure Virtual Machines – real world frequently asked questions – not easily answered.”

Happy questioning!!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Comments

Post a Comment

Popular posts from this blog

Operation on target Copy data failed: Failure happened on 'Source' side

July 30, 2020

A simple Pipeline created to fetch data by querying the Rest Api and dumping the data received in blob storage, failed with following error: Error Operation on target Copy data_From API failed: Failure happened on 'Source' side. ErrorCode=UserErrorHttpStatusCodeIndicatingFailure,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=The HttpStatusCode 400 indicates failure. {"errors":{"detail":"Internal server error"}},Source=Microsoft.DataTransfer.ClientLibrary,' Why it happened As the error says, something went wrong at source side however, I have tested the Rest API using postman and was able to get the response back with data. And I have reflected same in Source setting of Copy Data activity while creating the pipeline i.e. query, headers – content type and authorization etc Still getting the error, I rechecked again the keys,content type etc - no clue. Took hel

Read more

Run Android emulator and Android Studio on Azure VM using Hyper V

July 30, 2020

14 min to read. Due to Corona outbreak, times are hard! Please take care everyone! I wish good health for all! Stay safe! There is another outbreak I am seeing – Making Development environment available on Azure to enable Work from home. Almost in every customer call I hear about requirement to enable Development Environment on Azure and accessing it from Home laptop/ PC and continue the business. In the era of “Mobile first” almost every big enterprise, every Small and Medium Business (SMB), every Start up company have mobile development teams. They use variety of tools and one of the important IDE used for Mobile development is “Android Studio”. Installing and running Android studio is smooth; however Android emulator installation fails on Azure VM. It is not s07aight forward. In this blog we will see “how to enable Android emulator with Android Studio on Azure VM”. Let’s go! Without a virtualization technology and VM acceleration, the Android emulator must 0

Read more

The workflow with 'Response' action type should not have triggers with 'splitOn' property

July 30, 2020

While working on a POC about Debatching in Logic Apps using SplitOn , I was encountered with an below error when tried to add Response action in the workflow " Failed to save logic app DebatchXMLUsingSplitON. The workflow with 'Response' action type should not have triggers with 'splitOn' property defined: 'manual'. " Why it happened As I had to debatch an xml message, following xpath expression was provided to splitOn property xpath(xml(triggerBody()),'//*[local-name()="PurchaseOrder" and namespace-uri() ="http://www.adventure-works.com"]' ) So this property will make logic app to instantiate equivalent number of the instances as that of number of splitted message. Say, a batched message with 3 messages in it is posted to this Logic App, then 3 instances of logic app gets created. And this is the reason, why designer stops us when we try to a

Read more

Powered by Blogger

Report Abuse

RMags Mall

Visit profile

Archive

July 2020437