VM protected with ADE and the key in Key Vault expires - expected outcome?

mij2020 366 Reputation points
2023-09-20T13:40:03.17+00:00

Hello,

We have Azure Disk Encryption enabled on our VMs.

The encryption key is stored in an Azure key vault and there is a corporate policy that keys and secrets must have expiry dates.

I tested to see what would happen to a VM when the key expired. The VM continued to function as normal; restarts and shutdowns all worked fine when the key had expired by a few hours.

If I disable the key, the VM cannot boot, but if it is enabled but expired all appears to work ok.

Is this expected? What are the expected outcomes of running an ADE protected VM with an expired key in KeyVault?

Tags: Azure Virtual Machines, Azure Disk Encryption

1 answer

  1. JamesTran-MSFT 36,461 Reputation points Microsoft Employee
    2023-09-21T21:31:14.3666667+00:00

    @mij2020

    Thank you for your post!

    I understand that you have a VM with Azure Disk Encryption (ADE) enabled and you're using a Key Encryption Key (KEK) to wrap the Secret. When testing ADE with an expired KEK, you noticed that your VM was functioning as expected even after a restart/shut down, but once the KEK was disabled your VM wasn't able to boot. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    It's possible that this is expected behavior, depending on when the restart/shutdown operation occurred.

    In most cases, disk I/O (read or write operations) starts to fail one hour after a key is disabled, deleted, or expired. Therefore, a user won't immediately lose access to a VM encrypted with ADE if the KEK expired later. This is because the Key is only used initially to unwrap (or wrap) the Secret used by the OS to unlock the disk.

    • Note: When a key is either disabled, deleted, or expired, any VMs with either OS or data disks using that key will automatically shut down. After the automated shut down, VMs won't boot until the key is enabled again, or you assign a new key.

    In your scenario, if your VM was operating as expected a few hours after the KEK expired, I'd recommend working closer with our ADE team so they can review your logs and take a closer look into what happened.

    • If you'd like to work closer with our ADE team on this, please let me know. I'd be happy to enable a one-time free technical support request for your subscription ID so you can get this issue resolved.

    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
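The thread above leaves the practical question open: if corporate policy forces expiry dates on keys, the thing to automate is finding the KEK behind every ADE-protected disk and flagging it before (or as soon as) it expires or is disabled, rather than waiting for the VM to stop booting. The script below is an added example, not code from the question, the answer, or Microsoft. It assumes the JSON shape of `az vm encryption show` (a `disks` list whose entries carry `encryptionSettings` with `diskEncryptionKey.secretUrl` and an optional `keyEncryptionKey.keyUrl`) and the `attributes` block of `az keyvault key show` (`enabled`, `expires`, `notBefore` as ISO timestamps); the vault name, key names, versions and dates are constructed sample data, not captured from a real subscription.

```python
"""Audit the Key Vault KEKs that wrap the ADE secrets of a VM's disks.

Added example, not part of the original thread. Assumes the output shapes of
`az vm encryption show` and `az keyvault key show`; all sample data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample modelled on `az vm encryption show -g <rg> -n <vm>` (assumed
# shape). Fields not needed for the audit, such as sourceVault, are omitted.
VM_ENCRYPTION_STATUS = json.loads("""
{
  "disks": [
    {"name": "vm01_OsDisk",
     "encryptionSettings": [{
       "diskEncryptionKey": {"secretUrl": "https://contoso-kv.vault.azure.net/secrets/os-secret/aaa"},
       "keyEncryptionKey":  {"keyUrl":    "https://contoso-kv.vault.azure.net/keys/ade-kek-os/111"}}]},
    {"name": "vm01_DataDisk0",
     "encryptionSettings": [{
       "diskEncryptionKey": {"secretUrl": "https://contoso-kv.vault.azure.net/secrets/d0-secret/bbb"},
       "keyEncryptionKey":  {"keyUrl":    "https://contoso-kv.vault.azure.net/keys/ade-kek-d0/222"}}]},
    {"name": "vm01_DataDisk1",
     "encryptionSettings": [{
       "diskEncryptionKey": {"secretUrl": "https://contoso-kv.vault.azure.net/secrets/d1-secret/ccc"},
       "keyEncryptionKey":  {"keyUrl":    "https://contoso-kv.vault.azure.net/keys/ade-kek-d1/333"}}]},
    {"name": "vm01_DataDisk2",
     "encryptionSettings": [{
       "diskEncryptionKey": {"secretUrl": "https://contoso-kv.vault.azure.net/secrets/d2-secret/ddd"}}]},
    {"name": "vm01_DataDisk3", "encryptionSettings": []}
  ]
}
""")

# Constructed sample: the `attributes` block of `az keyvault key show --id <keyUrl>`
# for each KEK referenced above (assumed shape).
KEY_VAULT_KEYS = {
    "https://contoso-kv.vault.azure.net/keys/ade-kek-os/111":
        {"enabled": True, "expires": "2023-09-20T10:00:00+00:00", "notBefore": None},
    "https://contoso-kv.vault.azure.net/keys/ade-kek-d0/222":
        {"enabled": False, "expires": "2024-09-20T00:00:00+00:00", "notBefore": None},
    "https://contoso-kv.vault.azure.net/keys/ade-kek-d1/333":
        {"enabled": True, "expires": "2023-10-05T00:00:00+00:00", "notBefore": None},
}

# Evaluation time pinned to the date of the question so results are reproducible.
NOW = datetime(2023, 9, 20, 13, 40, tzinfo=timezone.utc)


def parse_key_url(key_url):
    """Split a Key Vault key identifier into (vault host, key name, version)."""
    parts = urlparse(key_url)
    segments = parts.path.strip("/").split("/")
    if parts.scheme != "https" or len(segments) != 3 or segments[0] != "keys":
        raise ValueError(f"not a Key Vault key identifier: {key_url}")
    return parts.netloc, segments[1], segments[2]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def classify_key(attributes, now, warn_days=30):
    """Order matters: a disabled key is unusable whatever its dates say."""
    if not attributes.get("enabled", False):
        return "DISABLED"
    not_before, expires = _ts(attributes.get("notBefore")), _ts(attributes.get("expires"))
    if not_before and now < not_before:
        return "NOT_YET_VALID"
    if expires and now >= expires:
        # Per the answer above, an expired KEK leads to I/O failure and a VM that
        # cannot boot; treat this as urgent even if the VM still appears healthy.
        return "EXPIRED"
    if expires and expires - now <= timedelta(days=warn_days):
        return "EXPIRING_SOON"
    return "OK"


def audit_vm(status, key_attributes, now, warn_days=30):
    """Map each disk name to the state of the KEK that wraps its ADE secret."""
    results = {}
    for disk in status["disks"]:
        settings = disk.get("encryptionSettings") or []
        if not settings:
            results[disk["name"]] = "NOT_ENCRYPTED"
            continue
        kek = settings[0].get("keyEncryptionKey")
        if not kek:  # ADE without a KEK: only the wrapped secret is in play
            results[disk["name"]] = "NO_KEK"
            continue
        parse_key_url(kek["keyUrl"])  # reject malformed identifiers early
        attrs = key_attributes.get(kek["keyUrl"])
        results[disk["name"]] = "KEY_NOT_FOUND" if attrs is None else classify_key(attrs, now, warn_days)
    return results


if __name__ == "__main__":
    for disk_name, state in audit_vm(VM_ENCRYPTION_STATUS, KEY_VAULT_KEYS, NOW).items():
        print(f"{disk_name:16} {state}")
```

In a real subscription the two constructed dictionaries would be replaced by the output of the two `az` commands the lead-in names; the rest of the logic is unchanged. `warn_days` is the lever for the corporate expiry policy: set it to the rotation lead time so the key can be rotated (and the VM's encryption settings updated to the new version) before the expiry date is reached.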