Server side encryption of Azure managed disks

Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

Encryption does not impact the performance of managed disks. There is no additional cost for the encryption.

For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each of the options for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. As of June 10, 2017, all new managed disks, snapshots, images, and new data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys.

Customer-managed keys

You can choose to manage encryption at the level of each managed disk, with your own keys. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault. You can either import your RSA keys to your Key Vault or generate new RSA keys in Azure Key Vault. Azure managed disks handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using an AES 256 based data encryption key (DEK), which is, in turn, protected using your keys. You have to grant access to managed disks in your Key Vault to use your keys for encrypting and decrypting the DEK. This allows you full control of your data and keys. You can disable your keys or revoke access to managed disks at any time. You can also audit the encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.

The following diagram shows how managed disks use Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:

Managed disk and customer-managed keys workflow. An admin creates an Azure Key Vault, then creates a disk encryption set, and sets up the disk encryption set. The Set is associated to a VM which allows the disk to make use of Azure AD to authenticate

The following list explains the diagram in even more detail:

  1. An Azure Key Vault administrator creates key vault resources.
  2. The key vault admin either imports their RSA keys to Key Vault or generates new RSA keys in Key Vault.
  3. That administrator creates an instance of Disk Encryption Set resource, specifying an Azure Key Vault ID and a key URL. Disk Encryption Set is a new resource introduced for simplifying the key management for managed disks.
  4. When a disk encryption set is created, a system-assigned managed identity is created in Azure Active Directory (AD) and associated with the disk encryption set.
  5. The Azure key vault administrator then grants the managed identity permission to perform operations in the key vault.
  6. A VM user creates disks by associating them with the disk encryption set. The VM user can also enable server-side encryption with customer-managed keys for existing resources by associating them with the disk encryption set.
  7. Managed disks use the managed identity to send requests to the Azure Key Vault.
  8. For reading or writing data, managed disks send requests to Azure Key Vault to encrypt (wrap) and decrypt (unwrap) the data encryption key in order to perform encryption and decryption of the data.

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, as the encryption key is inaccessible to Azure Storage.

Supported regions

Only the following regions are currently supported:

  • Available as a GA offering in the East US, West US 2, and South Central US regions.
  • Available as a public preview in the West Central US, East US 2, Canada Central, and North Europe regions.

Restrictions

For now, customer-managed keys have the following restrictions:

  • Only "soft" and "hard" RSA keys of size 2080 are supported, no other keys or sizes.
  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
  • Custom images encrypted using server-side encryption and customer-managed keys cannot be used in the shared image gallery.
  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
  • Disks, snapshots, and images encrypted with customer-managed keys cannot move to another subscription.
  • If you use the Azure portal to create your disk encryption set, you cannot use snapshots for now.

CLI

Setting up your Azure Key Vault and DiskEncryptionSet

  1. Make sure that you have installed the latest Azure CLI and logged in to an Azure account with az login.

  2. Create an instance of Azure Key Vault and encryption key.

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90-day default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

    subscriptionId=yourSubscriptionID
    rgName=yourResourceGroupName
    location=WestCentralUS
    keyVaultName=yourKeyVaultName
    keyName=yourKeyName
    diskEncryptionSetName=yourDiskEncryptionSetName
    diskName=yourDiskName
    
    az account set --subscription $subscriptionId
    
    az keyvault create -n $keyVaultName -g $rgName -l $location --enable-purge-protection true --enable-soft-delete true
    
    az keyvault key create --vault-name $keyVaultName -n $keyName --protection software
    
  3. Create an instance of a DiskEncryptionSet.

    keyVaultId=$(az keyvault show --name $keyVaultName --query [id] -o tsv)
    
    keyVaultKeyUrl=$(az keyvault key show --vault-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
    
    az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultId --key-url $keyVaultKeyUrl
    
  4. Grant the DiskEncryptionSet resource access to the key vault.

    Note

    It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

    desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    
    az keyvault set-policy -n $keyVaultName -g $rgName --object-id $desIdentity --key-permissions wrapkey unwrapkey get
    
    az role assignment create --assignee $desIdentity --role Reader --scope $keyVaultId
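
    As an added check (not part of the Azure documentation or of the az CLI itself), the following Python validates the resources produced by steps 2 to 4 against the requirements stated above: soft delete and purge protection enabled on the vault, the disk encryption set's managed identity granted wrapKey, unwrapKey and get, the set pointing at this vault, and both resources in the same region and subscription. The field names are assumed to match the JSON printed by `az keyvault show -o json` and `az disk-encryption-set show -o json`, and the sample records are constructed with placeholder ids.

```python
REQUIRED_KEY_PERMS = {"wrapkey", "unwrapkey", "get"}

def subscription_of(resource_id):
    """Extract the subscription id from an ARM resource id (lowercased)."""
    parts = resource_id.strip("/").split("/")
    return parts[1].lower() if len(parts) > 1 and parts[0].lower() == "subscriptions" else ""

def check_setup(kv, des):
    """Return findings for a Key Vault / DiskEncryptionSet pair; [] means all requirements are met."""
    findings = []
    props = kv.get("properties", {})
    if not props.get("enableSoftDelete"):
        findings.append("key vault: soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("key vault: purge protection is not enabled")
    principal = (des.get("identity") or {}).get("principalId")
    if not principal:
        findings.append("DES: managed identity not created yet (retry in a few minutes)")
    else:
        granted = set()
        for policy in props.get("accessPolicies", []):
            if policy.get("objectId") == principal:
                granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append("DES identity lacks key permissions: " + ", ".join(missing))
    vault_ref = ((des.get("activeKey") or {}).get("sourceVault") or {}).get("id", "")
    if vault_ref.lower() != kv.get("id", "").lower():
        findings.append("DES does not reference this key vault")
    if kv.get("location", "").lower() != des.get("location", "").lower():
        findings.append("key vault and DES are in different regions")
    if subscription_of(kv.get("id", "")) != subscription_of(des.get("id", "")):
        findings.append("key vault and DES are in different subscriptions")
    return findings

# Constructed sample resources with placeholder ids (not real Azure values); field layout is assumed.
SUB = "00000000-0000-0000-0000-000000000000"
KV_ID = f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1"
GOOD_KV = {"id": KV_ID, "location": "westcentralus", "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": True,
    "accessPolicies": [{"objectId": "des-principal", "permissions": {"keys": ["wrapKey", "unwrapKey", "get"]}}]}}
GOOD_DES = {"id": f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des1",
            "location": "westcentralus", "identity": {"principalId": "des-principal"},
            "activeKey": {"sourceVault": {"id": KV_ID}, "keyUrl": "https://kv1.vault.azure.net/keys/k1/v1"}}
# Same vault with purge protection turned off and 'get' missing from the access policy.
BAD_KV = {"id": KV_ID, "location": "westcentralus", "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": False,
    "accessPolicies": [{"objectId": "des-principal", "permissions": {"keys": ["wrapKey", "unwrapKey"]}}]}}
```

Run `check_setup(GOOD_KV, GOOD_DES)` to get an empty list, and `check_setup(BAD_KV, GOOD_DES)` to get the two findings a misconfigured vault produces.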
    

Create a VM using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmName=yourVMName
location=WestCentralUS
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vm create -g $rgName -n $vmName -l $location --image $image --size $vmSize --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 128 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Encrypt existing unattached managed disks

Your existing disks must not be attached to a running VM in order for you to encrypt them using the following script:

rgName=yourResourceGroupName
diskName=yourDiskName
diskEncryptionSetName=yourDiskEncryptionSetName

# Look up the disk encryption set ID; the update below needs it.
diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az disk update -n $diskName -g $rgName --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId

Create a virtual machine scale set using a Marketplace image, encrypting the OS and data disks with customer-managed keys

rgName=yourResourceGroupName
vmssName=yourVMSSName
location=WestCentralUS
vmSize=Standard_DS3_V2
image=UbuntuLTS
diskEncryptionSetName=yourDiskEncryptionSetName

diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az vmss create -g $rgName -n $vmssName -l $location --image $image --vm-sku $vmSize --upgrade-policy automatic --admin-username azureuser --generate-ssh-keys --os-disk-encryption-set $diskEncryptionSetId --data-disk-sizes-gb 64 128 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId

Create an empty disk encrypted using server-side encryption with customer-managed keys and attach it to a VM

vmName=yourVMName
rgName=yourResourceGroupName
diskName=yourDiskName
diskSkuName=Premium_LRS
diskSizeinGiB=30
location=WestCentralUS
diskLUN=2
diskEncryptionSetName=yourDiskEncryptionSetName


diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

az disk create -n $diskName -g $rgName -l $location --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId --size-gb $diskSizeinGiB --sku $diskSkuName

diskId=$(az disk show -n $diskName -g $rgName --query [id] -o tsv)

az vm disk attach --vm-name $vmName --lun $diskLUN --ids $diskId

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Portal

Setting up customer-managed keys for your disks will require you to create resources in a particular order, if you're doing it for the first time. First, you will need to create and set up an Azure Key Vault.

Setting up your Azure Key Vault

  1. Sign in to the Azure portal and search for Key Vault.

  2. Search for and select Key Vaults.

    Screenshot of searching for Key Vault in the Azure portal.

    Important

    Your Azure key vault, disk encryption set, VM, disks, and snapshots must all be in the same region and subscription for deployment to succeed.

  3. Select +Add to create a new Key Vault.

  4. Create a new resource group.

  5. Enter a key vault name, select a region, and select a pricing tier.

  6. Select Review + Create, verify your choices, then select Create.

    Screenshot of the Azure Key Vault creation experience. Showing the particular values you create

  7. Once your key vault finishes deploying, select it.

  8. Select Keys under Settings.

  9. Select Generate/Import.

    Screenshot of the Key Vault resource settings pane. Shows the generate/import button inside settings.

  10. Leave both Key Type set to RSA and RSA Key Size set to 2080.

  11. Fill in the remaining selections as you like and then select Create.

    Screenshot of the create a key blade that appears once generate/import button is selected

Setting up your disk encryption set

To create and configure disk encryption sets, you must use the following link: https://aka.ms/diskencryptionsets. Disk encryption set creation is not yet available in the global Azure portal.

  1. Open the disk encryption sets link.

  2. Select +Add.

    Screenshot of the disk encryption portal main screen. Highlighting the Add button

  3. Select your resource group, name your encryption set, and select the same region as your key vault.

  4. Select Key vault and key.

  5. Select the key vault and key you created previously, as well as the version.

  6. Press Select.

  7. Select Review + Create and then Create.

    Screenshot of the disk encryption creation blade. Showing the subscription, resource group, disk encryption set name, region, and key vault + key selector.

  8. Open the disk encryption set once it finishes creating and select the alert that pops up.

    Screenshot of alert popup: 'To associate a disk, image, or snapshot with a disk encryption set, you must grant permissions to the key vault'. Select this alert to continue

Two notifications should pop up and succeed. Doing this will allow you to use the disk encryption set with your key vault.

Screenshot of successful permission and role assignment for your key vault.

Deploy a VM

Now that you've created and set up your key vault and the disk encryption set, you can deploy a VM using the encryption. The VM deployment process is similar to the standard deployment process, the only differences are that you need to deploy the VM in the same region as your other resources and you opt to use a customer managed key.

  1. Open the disk encryption sets link.

  2. Search for Virtual Machines and select + Add to create a VM.

  3. On the Basic tab, select the same region as your disk encryption set and Azure Key Vault.

  4. Fill in the other values on the Basic tab as you like.

    Screenshot of the VM creation experience, with the region value highlighted.

  5. On the Disks tab, select Encryption at rest with a customer-managed key.

  6. Select your disk encryption set in the Disk encryption set drop-down.

  7. Make the remaining selections as you like.

    Screenshot of the VM creation experience, the disks blade. With the disk encryption set drop-down highlighted.

Enable on an existing disk

To manage and configure disk encryption on your existing disks, you must use the following link: https://aka.ms/diskencryptionsets. Enabling customer-managed keys on existing disks is not yet available in the global Azure portal.

Caution

Enabling disk encryption on any disks attached to a VM will require that you stop the VM.

  1. Open the disk encryption sets link.

  2. Navigate to a VM which is in the same region as one of your disk encryption sets.

  3. Open the VM and select Stop.

    Screenshot of the main overlay for your example VM. With the Stop button highlighted

  4. After the VM has finished stopping, select Disks and then select the disk you want to encrypt.

    Screenshot of your example VM, with the Disks blade open. The OS disk is highlighted, as an example disk for you to select.

  5. Select Encryption and select Encryption at rest with a customer-managed key and then select your disk encryption set in the drop-down list.

  6. Select Save.

    Screenshot of your example OS disk. The encryption blade is open, encryption at rest with a customer-managed key is selected, as well as your example Azure Key Vault. After making those selections, the save button is selected.

  7. Repeat this process for any other disks attached to the VM you'd like to encrypt.

  8. When your disks finish switching over to customer-managed keys, and there are no other attached disks you'd like to encrypt, you may start your VM.

Server-side encryption versus Azure disk encryption

Azure Disk Encryption (ADE) for virtual machines and virtual machine scale sets leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS type and image for your VMs, because the data is encrypted in the Storage service rather than inside the guest.

Next steps