lacework-global-635
7.2 Encrypt 'OS and Data' disks with Customer Managed Key (CMK) (Automated)
Profile Applicability
• Level 2
Description
Encrypt OS disks (boot volumes) and data disks (non-boot volumes) with CMK (Customer Managed Keys). Customer Managed keys can be either Azure Disk Encryption (ADE) or Server Side Encryption (SSE).
Rationale
Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.
Impact
Using CMK/BYOK will entail additional management of keys.
NOTE: You must have your key vault set up to utilize this.
Audit
From Azure Console
- Go to
Virtual machines - For each virtual machine, go to
Settings - Click on
Disks - Ensure that the
OS diskandData diskshave encryption set to CMK.
Using Azure PowerShell
$ResourceGroupName="yourResourceGroupName"
$DiskName="yourDiskName"
$disk=Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName
$disk.Encryption.Type
Remediation
From Azure Console
You must detach disks from VMs to have encryption changed.
- Go to Virtual machines.
- For each virtual machine, go to Settings.
- Click Disks.
- Click the ellipsis, then click Detach to detach the disk from the VM.
- Now search for Disks and locate the unattached disk.
- Click the disk then select Encryption.
- Change your encryption type, then select your encryption set.
- Click Save.
- Go back to the VM and re-attach the disk.
Using Azure PowerShell
$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
NOTE: During encryption a reboot may occur. It can take up to 15 minutes to complete the process.
NOTE 2: This may differ for Linux machines as you may need to set the -skipVmBackup parameter
References
https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss
https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
https://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart
https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell
https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption