Question

IainShepherd-0567 asked (SumanthMarigowda-MSFT edited)

Why use a Key Encryption Key (KEK)?

What attack scenario(s) does it prevent or mitigate?

(Assume that no-one in the org needs access to the key vault)

azure-disk-encryption

1 Answer

SumanthMarigowda-MSFT answered (SumanthMarigowda-MSFT edited)

@IainShepherd-0567 Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

It adds an extra layer of security. Let's say someone knows the secret, which is plain text; then they can easily get the data from the secret and open the encrypted disk. When you use a KEK, it wraps the secret with the key, so that in order to retrieve the secret content you need to decode it using the key.

Additional information: Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use Key Encryption Key (KEK) configuration.

When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or store it in Key Vault. The encrypted data is then uploaded to Azure Storage.

When Server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible while the Key Encryption Keys are stored in a secure internal store.

Advantages:

  • Simple setup
  • Microsoft manages key rotation, backup, and redundancy
  • Customer does not have the cost associated with implementation or the risk of a custom key management scheme.

For more information: Refer to this article

Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.


Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
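As an added example (not code from the question, the answer, or any Azure SDK), the following Go program models the wrapping the answer describes: a disk payload is encrypted under a content encryption key (CEK); the vault stores that CEK either as a plain secret or wrapped under a KEK that never leaves the vault; and unwrapping is authorized separately from reading the secret, as Key Vault does with its distinct secret permission (get) and key permission (unwrapKey). The names Vault, NewVault, Unwrap and RecoverDisk, the use of AES-GCM as a stand-in for the KEK's wrap algorithm, and the disk contents are all hypothetical choices of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden: caller lacks unwrapKey on the KEK")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a prefixed random nonce: used for the disk payload under the CEK and, as a stand-in wrap algorithm, for the CEK under the KEK.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails on a wrong key or a tampered blob.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Vault is a hypothetical stand-in for Key Vault (not the Azure SDK): it holds the disk
// secret, plain or wrapped, and the KEK, which never leaves it.
type Vault struct {
	Secret []byte // what anyone who can read the secret store obtains
	kek    []byte // nil when the secret is stored in plain text
}

// NewVault stores cek as a plain secret (useKEK=false) or wrapped under a fresh KEK.
func NewVault(cek []byte, useKEK bool) (*Vault, error) {
	if !useKEK {
		return &Vault{Secret: cek}, nil
	}
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, cek)
	if err != nil {
		return nil, err
	}
	return &Vault{Secret: wrapped, kek: kek}, nil
}

// Unwrap is authorized separately from reading the secret, mirroring Key Vault's
// distinct secret "get" and key "unwrapKey" permissions.
func (v *Vault) Unwrap(hasUnwrapKey bool, blob []byte) ([]byte, error) {
	if !hasUnwrapKey {
		return nil, ErrForbidden
	}
	return unseal(v.kek, blob)
}

// RecoverDisk is what a caller who has already read the secret must do to decrypt the disk.
func RecoverDisk(v *Vault, hasUnwrapKey bool, encryptedDisk []byte) ([]byte, error) {
	if v.kek == nil {
		return unseal(v.Secret, encryptedDisk) // plain secret: no second step needed
	}
	cek, err := v.Unwrap(hasUnwrapKey, v.Secret) // wrapped: the vault must unwrap it
	if err != nil {
		return nil, err
	}
	return unseal(cek, encryptedDisk)
}

func main() {
	cek := make([]byte, 32)
	rand.Read(cek)
	disk, _ := seal(cek, []byte("constructed sample disk contents")) // constructed data
	for _, useKEK := range []bool{false, true} {
		v, _ := NewVault(cek, useKEK)
		_, err := RecoverDisk(v, false, disk) // attacker: has read the secret, no unwrapKey
		fmt.Printf("KEK=%-5v secret alone recovers disk: %v\n", useKEK, err == nil)
	}
}
```

Running it shows that with a plain secret, reading the secret alone recovers the disk, while with a KEK the same reader gets ErrForbidden until granted unwrapKey on the key, and the wrapped blob is useless as a disk key by itself. That is what the KEK separates: whoever can read the secret store still needs a second, separately granted permission on the key, and each unwrap is an operation the vault performs rather than a value that leaves it.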



Thanks @Sumarigo-MSFT!

My question is about using a Key Encryption Key with Azure Disk Encryption to protect Bitlocker Encryption Keys.

Let's say someone knows the secret, which is plain text; then they can easily get the data from the secret and open the encrypted disk. When you use a KEK, it wraps the secret with the key, so that in order to retrieve the secret content you need to decode it using the key.

I will read the article, thanks!

I think it doesn't help because:

  • If an attacker found the BEK on the VM (hidden "Bek Volume"), then it is already plain text, I think?

  • If an attacker found the BEK in Key Vault, then they can just tell Key Vault to unwrap it. The BEK secret is even tagged to tell exactly which KEK was used.

What am I missing?


@IainShepherd-0567 - Yes, it's plain in the operating system.
- For Key Vault, it's time-consuming to get the right key.