As you may already have seen, Azure Security Center recommends that you encrypt your Azure Storage Accounts and/or Disks.
So, what are your options?
Encrypt your entire Storage Account (SSE, Storage Service Encryption)
- Easy to set up: just enable SSE and you are done.
- Keys are generated, stored and rotated by Microsoft; you do not manage them.
- Existing data is not encrypted.
- Only new data (new writes) is encrypted.
- Only ARM (Resource Manager) Storage Accounts; classic (ASM) accounts are not supported.
- Supports Blob and File storage.
- Data read from a Storage Account with SSE is decrypted by the storage service before it is returned, so SSE is transparent to your applications, and also to anyone who holds the storage account keys. It protects data at rest (lost or discarded media), not data reachable through the storage API.
Encrypt your Azure Disks (VHDs) with Azure Disk Encryption (ADE)
- Can be hard to set up and configure; make the appropriate choices based on your (compliance) needs.
- Enables BitLocker inside your (Windows) VMs.
- Both ARM and ASM are supported.
- You choose per VM whether to encrypt it or not.
- Needs a Key Vault. This service stores and protects keys and secrets (storage account keys, data encryption keys, certificate files, etc.); ADE writes the BitLocker keys of each encrypted VM into your Key Vault as secrets, optionally wrapped with a Key Encryption Key (KEK).
Azure Storage Service Encryption (SSE) steps:
Before creating VMs, first create a Storage Account with encryption enabled. Remember that only new data (new writes) is encrypted once SSE is enabled, so VHDs written into an account before you enable it stay unencrypted.
When you create a new Storage Account you can enable Storage Service Encryption (SSE) directly. Create the Storage Account as you normally would and edit the settings:
After creating the Storage Account, create a new VM and select this Storage Account for its disks.
Notes about SSE:
- Encryption of classic storage accounts is not supported.
- Existing data: SSE only encrypts data written after encryption is enabled. If, for example, you create a new Resource Manager storage account without turning on encryption, upload blobs or archived VHDs to it, and then turn on SSE, those blobs are not encrypted unless they are rewritten or copied.
- Marketplace support: encryption of VMs created from the Marketplace can be enabled using the Azure portal, PowerShell or the Azure CLI. The VHD base image remains unencrypted, but any writes done after the VM has spun up are encrypted.
- Table and Queue data is not encrypted.
- This feature encrypts data in Azure Blob (and File) storage at rest. Azure Disk Encryption is used to encrypt the OS and data disks of IaaS VMs inside the guest.
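The SSE steps and the "existing data" note above, as an added PowerShell example (not code from the original post): it creates an ARM storage account with SSE on, verifies the setting, and then rewrites any blob that predates the moment encryption was enabled, since those blobs stay in cleartext until they are written again. The resource group, account name, region and staging container name are assumptions, and it assumes the AzureRM.Storage / Azure.Storage modules of that era after Login-AzureRmAccount.

```powershell
# Added example, not from the original post. Assumed names: RG-Storage, stoencrypted01,
# westeurope, staging container sse-rewrite-staging. Requires AzureRM.Storage + Azure.Storage.
$rg       = 'RG-Storage'
$account  = 'stoencrypted01'
$location = 'westeurope'

# 1. Create the (ARM) account with encryption on from the start, so the VHDs written by
#    VMs you create afterwards are encrypted. If your module version only accepts one
#    service per call, enable Blob and File in two Set-AzureRmStorageAccount calls.
New-AzureRmStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
    -SkuName Standard_LRS -Kind Storage -EnableEncryptionService 'Blob,File' | Out-Null

# For an account that already exists, enable it afterwards instead:
# Set-AzureRmStorageAccount -ResourceGroupName $rg -Name $account -EnableEncryptionService 'Blob,File'

# 2. Verify: the Encryption property tells you whether SSE is on and since when.
$sa      = Get-AzureRmStorageAccount -ResourceGroupName $rg -Name $account
$blobEnc = $sa.Encryption.Services.Blob
"Blob encryption enabled: $($blobEnc.Enabled) since $($blobEnc.LastEnabledTime)"

# 3. Caveat from the notes: only writes after LastEnabledTime are encrypted. Find older
#    blobs and rewrite them with a server-side copy out to a staging container and back.
#    Leased blobs (VHDs attached to a VM) cannot be overwritten and are skipped.
$ctx     = $sa.Context
$staging = 'sse-rewrite-staging'
New-AzureStorageContainer -Name $staging -Context $ctx -Permission Off -ErrorAction SilentlyContinue | Out-Null

foreach ($container in Get-AzureStorageContainer -Context $ctx | Where-Object { $_.Name -ne $staging }) {
    $old = Get-AzureStorageBlob -Container $container.Name -Context $ctx | Where-Object {
        $_.LastModified.UtcDateTime -lt $blobEnc.LastEnabledTime -and
        $_.ICloudBlob.Properties.LeaseStatus -ne 'Locked'
    }
    foreach ($blob in $old) {
        # copy to staging (a new, encrypted write) ...
        Start-AzureStorageBlobCopy -SrcContainer $container.Name -SrcBlob $blob.Name `
            -DestContainer $staging -DestBlob $blob.Name -Context $ctx -Force | Out-Null
        Get-AzureStorageBlobCopyState -Container $staging -Blob $blob.Name -Context $ctx -WaitForComplete | Out-Null
        # ... then copy back over the original, which is now also a fresh (encrypted) write
        Start-AzureStorageBlobCopy -SrcContainer $staging -SrcBlob $blob.Name `
            -DestContainer $container.Name -DestBlob $blob.Name -Context $ctx -Force | Out-Null
        Get-AzureStorageBlobCopyState -Container $container.Name -Blob $blob.Name -Context $ctx -WaitForComplete | Out-Null
        Remove-AzureStorageBlob -Container $staging -Blob $blob.Name -Context $ctx -Force
        "Rewritten: $($container.Name)/$($blob.Name)"
    }
}
```

Run step 3 only against blobs that are not in use: a VHD attached to a VM holds a lease, which is why the filter skips it. Detach or delete the VM first if such a VHD must be rewritten.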
Azure Disk Encryption (ADE) steps:
- Set up an application in your Azure AD (this gives you the Application ID, used as the AAD Client ID, and a key, used as the AAD Client Secret)
- Create and set up a Key Vault
- Configure the Key Vault to enable Disk Encryption
- Configure Key Vault permissions to allow your Azure AD application (SPN) to wrap keys and write secrets
After setting up your encryption environment, use the following templates to encrypt your new or existing VMs:
- Use this template (GIT) to encrypt existing VMs
- Use this template (GIT) to encrypt new VMs created from a gallery image
OK, let's start!
First create an application in your Azure AD. Go to Azure AD in the Azure Portal and create a 'New application registration':
Give your Azure AD application a name and select 'Web app / API' as the application type. Also enter a URL as the 'Sign-on URL'; it can be anything, it is only for your own reference. Click 'Save'.
There it is! Your Azure AD application!
Select the application you just created and select 'Keys'. Enter a description, select an expiration time (1 year is the default), and hit 'Save'.
Copy the key and store it somewhere safe (a password manager or a Key Vault secret, not a script or a wiki page): it is only shown once, and you will need it as the AAD Client Secret when creating new VMs with encrypted disks or encrypting existing VMs. Treat it like a password; whoever has it can write secrets to your Key Vault with the permissions you grant below.
Done! You have created your SPN (Azure AD application), which needs access to your Key Vault.
Create a Key Vault. Give it a name and assign or create a resource group. Select 'Enable access to Azure Disk Encryption for volume encryption' under 'Advanced access policies'! The Key Vault must be in the same region and subscription as the VMs you want to encrypt.
When it is created, open the new Key Vault and select 'Access policies':
On the 'Select principal' tab, search for your Azure AD application (SPN).
Under 'Key permissions' select 'Wrap Key'.
Under 'Secret permissions' select 'Set'.
These two permissions are all the SPN needs: it writes the BitLocker keys and wraps them, it never has to read them back, so do not grant it Get or List on secrets.
Done! This was a one-time setup; you are now ready to create new VMs with encrypted disks or encrypt existing disks.
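The one-time setup above (AAD application and key, Key Vault, disk-encryption access policy, SPN permissions) as an added AzureRM PowerShell example; this is not code from the original post. The resource group, vault name, application name and region are assumptions, the client secret is generated rather than typed, and it is run after Login-AzureRmAccount with an account allowed to create Azure AD applications.

```powershell
# Added example, not from the original post. Assumed names: RG-KeyVault, kv-ade-demo,
# aad-ade-demo, westeurope. Requires AzureRM.Resources and AzureRM.KeyVault.
$rg        = 'RG-KeyVault'
$location  = 'westeurope'   # must be the same region (and subscription) as the VMs you will encrypt
$vaultName = 'kv-ade-demo'
$appName   = 'aad-ade-demo'

# 1. Azure AD application + service principal. The key the portal would show you is
#    this password; generate 32 random bytes instead of inventing one by hand.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$aadClientSecret = [Convert]::ToBase64String($bytes)

# Older AzureRM.Resources versions take -Password as a string, newer ones as a SecureString;
# pick the right form by looking at the parameter type instead of guessing.
$pwType  = (Get-Command New-AzureRmADApplication).Parameters['Password'].ParameterType
$pwValue = if ($pwType -eq [securestring]) { ConvertTo-SecureString $aadClientSecret -AsPlainText -Force } else { $aadClientSecret }

# The sign-on URL only has to be a valid URI, it is never visited (assumed placeholder host).
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "https://$appName.example" `
           -IdentifierUris "https://$appName.example" -Password $pwValue
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null
$aadClientId = $app.ApplicationId.ToString()

# 2. Key Vault, plus the 'Enable access to Azure Disk Encryption' advanced access policy.
$kv = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg -Location $location
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption

# 3. Least-privilege policy for the SPN: wrap keys and write secrets only. No Get/List
#    on secrets, so this credential cannot read the BitLocker keys it has written.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# 4. Everything the encryption templates will ask for. The secret is printed once here,
#    like the portal does; store it in a safe place, never in the script itself.
[pscustomobject]@{
    AadClientId           = $aadClientId
    KeyVaultName          = $vaultName
    KeyVaultResourceGroup = $rg
    KeyVaultUrl           = $kv.VaultUri
    KeyVaultResourceId    = $kv.ResourceId
}
Write-Warning "AAD client secret (shown once, copy it now): $aadClientSecret"
```

Re-running the script does not rotate anything by itself; to rotate the client secret later, add a new key to the same application and update the deployments that use it before removing the old one.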
Keep in mind that you must always use the templates mentioned above!
For this blog I will show you how to encrypt an existing disk (VM):
Just open the link and select 'Deploy to Azure':
This opens the Azure Portal and asks you to enter the remaining details (parameters):
- VM name = the name of the VM you want to encrypt
- AAD Client ID = the Azure AD Application ID (the same as the Client ID)
- AAD Client Secret = the key you created in the Azure AD application
- Key vault name = your Key Vault name
- Key vault resource group = the resource group your Key Vault resides in
- Use KEK / KEK URL = in this example 'NoKEK'. Choose a KEK instead if you want to back up the VM with Azure Backup (see the ADE notes below), or if you want a key of your own in Key Vault wrapping the BitLocker secrets.
- Volume type = All, OS or Data (in this example All)
- Sequence version = just 1.0 (if you need to run encryption again on this VM, make it 2.0 and so on)
When you deploy the above template, your VM is rebooted and encryption is set up.
After the reboot, log in to your VM and check the disk status (look for the BitLocker padlocks in Explorer, or run 'manage-bde -status' in an elevated prompt):
In the Azure Portal you can check the status on the 'Virtual machines' blade (you may have to add the 'Disk encryption' column):
Also check the VM's 'Extensions' blade:
And, of course, you can also check the status via PowerShell:
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName RG-VM01 -VMName VM01
OsVolumeEncrypted : Encrypted
DataVolumesEncrypted : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : OsVolume: Encrypted, DataVolumes: Encrypted
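The same encryption that the 'Encrypt Existing VM' template performs, driven from AzureRM PowerShell, as an added example (not code from the post or from the template). It also shows the KEK variant, which the ADE notes below say Azure Backup requires, and wraps Get-AzureRmVMDiskEncryptionStatus in a wait loop. Assumptions: the VM RG-VM01/VM01 from the status check above, the vault kv-ade-demo in RG-KeyVault, a KEK named ade-kek, and an Application ID placeholder; the client secret is prompted for rather than hard-coded.

```powershell
# Added example, not from the original post. Assumed names: RG-VM01/VM01, RG-KeyVault,
# kv-ade-demo, key ade-kek. Requires AzureRM.Compute and AzureRM.KeyVault after Login-AzureRmAccount.
$vmRg        = 'RG-VM01'
$vmName      = 'VM01'
$vaultRg     = 'RG-KeyVault'
$vaultName   = 'kv-ade-demo'
$aadClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: your AAD Application ID
$aadClientSecret = Read-Host -Prompt 'AAD client secret'
$useKek      = $true   # $false is the 'NoKEK' choice from the template parameters

$kv = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $vaultRg

# Optional KEK: a key in the vault that wraps the BitLocker secret. This needs the wrapKey
# permission the SPN was given during the one-time setup.
$kekArgs = @{}
if ($useKek) {
    $kek = Get-AzureRmKeyVaultKey -VaultName $vaultName -Name 'ade-kek' -ErrorAction SilentlyContinue
    if (-not $kek) { $kek = Add-AzureRmKeyVaultKey -VaultName $vaultName -Name 'ade-kek' -Destination Software }
    $kekArgs = @{ KeyEncryptionKeyUrl = $kek.Key.Kid; KeyEncryptionKeyVaultId = $kv.ResourceId }
}

# Same parameters as the template: volume type All, sequence version 1.0. Raise the
# sequence version (2.0, 3.0, ...) to make the extension run again on the same VM.
# This reboots the VM; -Force skips the confirmation prompt.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $vmRg -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -SequenceVersion '1.0' @kekArgs -Force

# Poll until the OS volume reports Encrypted and no data volume is still in progress
# (a VM without data disks reports NotMounted). Give up after 30 minutes, do not loop forever.
for ($i = 0; $i -lt 30; $i++) {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $vmRg -VMName $vmName
    "$(Get-Date -Format T) $($status.ProgressMessage)"
    if ($status.OsVolumeEncrypted -eq 'Encrypted' -and $status.DataVolumesEncrypted -ne 'EncryptionInProgress') { break }
    Start-Sleep -Seconds 60
}
$status
```

Keep the KEK in the vault for as long as any VM is encrypted with it: the BitLocker secret in the vault is only usable after being unwrapped with that key, so deleting it makes the disks unrecoverable outside the running VM.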
Notes about ADE:
- The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain-joined VMs, DO NOT push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM,"
- To use the Azure Backup service to back up and restore VMs encrypted with Azure Disk Encryption, encrypt them using the key encryption key (KEK) configuration. The Backup service supports VMs that are encrypted using the KEK configuration only, so the 'NoKEK' choice used in the example above is not backup-friendly.