What attack scenario(s) does it prevent or mitigate?
(Assume that no-one in the org needs access to the key vault)
@IainShepherd-0567 Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
It adds an extra layer of security. Let's say someone knows the secret, which is plain text; then they can easily get the data from the secret and open the encrypted disk. When you use a KEY, it wraps the secret with the key, so in order to retrieve the secret content you need to decode it using the Key.
Additional information: Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use Key Encryption Key (KEK) configuration.
When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or store it in Key Vault. The encrypted data is then uploaded to Azure Storage.
When Server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible while the Key Encryption Keys are stored in a secure internal store.
Advantages: Simple setup
Microsoft manages key rotation, backup, and redundancy
Customer does not have the cost associated with implementation or the risk of a custom key management scheme.
For more information: Refer to this article
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
Thanks @Sumarigo-MSFT !
My question is about using a Key Encryption Key with Azure Disk Encryption to protect Bitlocker Encryption Keys.
"Let's say someone knows the secret, which is plain text; then they can easily get the data from the secret and open the encrypted disk. When you use a KEY, it wraps the secret with the key, so in order to retrieve the secret content you need to decode it using the Key."
I will read the article, thanks!
I think it doesn't help because:
If attacker found BEK on the VM (hidden "Bek Volume") then it is already plain text - I think?
If attacker found BEK in key vault then they can just tell the key vault to unwrap it. The BEK secret even is tagged to tell exactly which KEK was used.
What am I missing?
@IainShepherd-0567 - Yes, it's plain in the operating system.
- For Key Vault, it's time-consuming to get the right key.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
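As an added example (not code from the original posts, Azure Disk Encryption, or Key Vault), here is the wrap/unwrap envelope the answer describes, together with the point raised in the follow-up: the BEK wraps a disk, the KEK wraps the BEK, and the wrapped secret is useless on its own but is fully recovered by anyone who can invoke the unwrap operation with the KEK. The Key Vault secret is modelled as a struct tagged with the KEK identifier; that struct, the RSA-OAEP label binding to the KEK ID, and AES-256-GCM standing in for BitLocker are all assumptions of this example, not the real ADE format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedSecret models the Key Vault secret ADE stores for a VM: the BEK wrapped
// by a KEK, tagged with the identifier of the KEK that wrapped it.
// The field names are an assumption of this example, not the real Key Vault schema.
type WrappedSecret struct {
	KEKID string
	Value []byte // RSA-OAEP ciphertext of the BEK
}

// NewBEK returns a fresh 256-bit volume key, standing in for the BitLocker BEK.
func NewBEK() ([]byte, error) {
	bek := make([]byte, 32)
	_, err := rand.Read(bek)
	return bek, err
}

// WrapBEK encrypts the BEK under the KEK public key (RSA-OAEP with SHA-256).
// The KEK ID is used as the OAEP label so a secret re-tagged with another KEK ID
// will not unwrap; that binding is a design choice here, not an ADE guarantee.
func WrapBEK(kekID string, kekPub *rsa.PublicKey, bek []byte) (WrappedSecret, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, bek, []byte(kekID))
	if err != nil {
		return WrappedSecret{}, err
	}
	return WrappedSecret{KEKID: kekID, Value: ct}, nil
}

// UnwrapBEK is the "unwrap" operation. It needs the KEK private key, i.e. the
// permission Key Vault grants on the key, not merely read access to the secret.
func UnwrapBEK(kekPriv *rsa.PrivateKey, s WrappedSecret) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, s.Value, []byte(s.KEKID))
}

// SealVolume encrypts volume contents under the BEK (AES-256-GCM, nonce prepended).
func SealVolume(bek, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(bek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// OpenVolume decrypts what SealVolume produced; a wrong or malformed key fails.
func OpenVolume(bek, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(bek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed volume too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything that is not a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	kek, _ := rsa.GenerateKey(rand.Reader, 2048) // the Key Vault KEK
	bek, _ := NewBEK()
	sealed, _ := SealVolume(bek, []byte("constructed volume contents"))
	secret, _ := WrapBEK("kek-v1", &kek.PublicKey, bek)

	// Attacker who only read the secret: the wrapped bytes are not a usable key.
	_, err := OpenVolume(secret.Value, sealed)
	fmt.Println("secret alone opens volume:", err == nil)

	// Attacker who can also call unwrap on the KEK: full recovery.
	recovered, _ := UnwrapBEK(kek, secret)
	pt, err := OpenVolume(recovered, sealed)
	fmt.Println("secret + unwrap permission opens volume:", err == nil, string(pt))
}
```

The second branch of main is the scenario from the follow-up question: once the reader of the secret also holds unwrap permission on the tagged KEK, the wrapping adds no further barrier, so the separation only helps when secret read and key unwrap are granted to different principals.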