Pages

Saturday, May 8, 2021

Azure Server-side Encryption (SSE) and Azure Disk Encryption (ADE) - Part 2 of 2

As a follow up to my previous post:

Azure Server-side Encryption (SSE) and Azure Disk Encryption (ADE) - Part 1 of 2
http://terenceluk.blogspot.com/2021/05/azure-server-side-encryption-sse-and.html

Where I wrote about Azure Server-side Encryption (SSE), this post will be dedicated to Azure Disk Encryption (ADE).

As always, I would like to provide links to the Microsoft documentation and highly suggest reading them:

Azure Disk Encryption for virtual machines and virtual machine scale sets
https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss

Azure Disk Encryption for Windows VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

Azure Disk Encryption for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview

Create and configure a key vault for Azure Disk Encryption on a Windows VM
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault

Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release) for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault-aad

Given that SSE protects data at rest, it doesn’t provide protection when the data is in use because a virtualization host cannot read an encrypted VHD disk when attempting to run it so upon starting a virtual machine, the corresponding OS and any data disks will be unencrypted. The following diagram depicts this:

image

Before end-to-end encryption using encryption at host was available, to add a layer of protection to circumvent this risk, Azure Disk Encryption can be used. Azure Disk Encryption, also known as ADE, allows the disk to be encrypted at the operating system level. Furthermore, having ADE encrypt the disks at the OS level prevents any disks that are downloaded from Azure to be accessible.

The way in which ADE works is where encryption is enabled at the operation system level by leveraging Windows or Linux native encryption capabilities. The two operating system and the respective encryption technology Azure provides ADE are:

  1. Windows with BitLocker
  2. Linux with DM-Crypt

Azure Disk Encryption (ADE) is resilient to the zone-wide outages.

There are requirements for the supportability of ADE and they are as follow.

Windows with BitLocker

  • Not available on A-series VMs (not usually an issue as these aren’t used in production)
  • Minimum of 2GB required (typically not an issue as most VMs are allocated more than that)
  • VMs that does not have temp disks
    • Dv4, Dsv4, Ev4, and Esv4
  • Applying ADE to a VM that has disks encrypted with server-side encryption with customer-managed keys (SSE + CMK)
  • Applying SSE + CMK to a data disk on a VM encrypted with ADE
  • More unsupported scenarios can be found here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#unsupported-scenarios
  • Group policy requirements for domain joined VMs include:
    • Do not push any group policies that enforce TPM protectors
    • BitLocker policy on domain joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key
  • Azure Disk Encryption will fail if domain level group policy blocks the AES-CBC algorithm, which is used by BitLocker
  • Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets and require the key vault and VMs must reside in the same Azure region and subscription
  • The Windows VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com] to get the token to connect to the key vault
  • The Windows VM must be able to connect to the key vault endpoint to write the encryption keys to the key vault

Requirements may change in the future and the above include highlights but not all of the requirements so please refer to the following documentation for the full list:

Azure Disk Encryption for Windows VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

Linux with DM-Crypt

  • Not available on A-series VMs (not usually an issue as these aren’t used in production)
  • Minimum of 2GB is required when encrypting only data volumes
  • Minimum of 8GB when encrypting both data and OS volumes and where the root (/) file system usage is 4GB or less
  • When the data and OS volumes root (/) is great than 4GB then the minimum that will be required is root file system usage * 2. For instance, a 16 GB of root file system usage requires at least 32GB of RAM
  • Not all Linux OS are supported so ensure that the following table is referenced: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-operating-systems
  • The Linux VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com] to get the token to connect to the key vault
  • The Linux VM must be able to connect to the key vault endpoint to write the encryption keys to the key vault

Requirements may change in the future and the above include highlights but not all of the requirements so please refer to the following documentation for the full list:

Azure Disk Encryption for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview

As stated in the requirements, the virtual machine, whether Windows or Linux, utilizes an extension to directly access to the Azure Key Vault to access encryption key for encrypting each drive. The following diagram depicts the disks and their interaction with the Azure Key Vault:

image

The Azure Key Vault natively does not allow direct access from the virtual machines and therefore require a flag to be turned on in order to allow access. The following is where this setting is turned on:

Azure Disk Encryption for volume encryption

Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

image

Azure Backup Limitations with ADE

It is important to note that there are some limitations when backing up ADE disks with Azure backup and they are as follows:

  • You can back up and restore ADE encrypted VMs within the same subscription and region
  • Azure Backup supports VMs encrypted using standalone keys. Any key that's a part of a certificate used to encrypt a VM isn't currently supported
  • You can back up and restore ADE encrypted VMs within the same subscription and region as the Recovery Services Backup vault
  • ADE encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files and folders
  • When restoring a VM, you can't use the replace existing VM option for ADE encrypted VMs. This option is only supported for unencrypted managed disks

Please refer to the following document for more details:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption#encryption-support-using-ade

Server Side Encryption (SSE) compatibility

  • ADE can be paired with SSE with PMK
  • ADE cannot be paired with SSE with CMK

Summary

The following are key points to summarize ADE:

  • ADE allows encrypting OS, data and temp disks
  • Encrypting at the OS level effectively encrypts the cache as well
  • ADE provides protection against data access when VHDs are downloaded from Azure with methods such as Azure Storage Explorer
  • You cannot mix ADE with Disk Encryption Set (you can only use one or the other)
  • If Encryption at Host is not available then ADE is the only way to guarantee data is encrypted when disks are attached to the host
  • As ADE relies on the operating system to perform the encryption, turning it on will require the virtual machine to be turned on

Demo - Turning on ADE for Windows VM with PowerShell

The Azure Portal provides the ability to encrypt a VMs disk but I’ve found it to be a bit inconsistent when displaying the encryption status of the disks so the best method is to either use PowerShell or CLI.

The official documentation can be found here:

Enable encryption on an existing or running Windows VM

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#enable-encryption-on-an-existing-or-running-windows-vm

The following is example of enabling encryption without specifying a KEK against a VM to encrypt all of the disks:

PS /home/terence> Remove-AzVMDiskEncryptionExtension -ResourceGroupName "RG-NewVNet" -VMName "Test-VM2"

Virtual machine extension removal operation

This cmdlet will remove the specified virtual machine extension. Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

RequestId IsSuccessStatusCode StatusCode ReasonPhrase

--------- ------------------- ---------- ------------

True OK OK

PS /home/terence> $KVRGname = 'RG-VMs';

PS /home/terence> $VMRGName = 'RG-NewVNet';

PS /home/terence> $vmName = 'Test-VM2';

PS /home/terence> $KeyVaultName = 'Test-SSE-CMK';

PS /home/terence> $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;

PS /home/terence> $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;

PS /home/terence> $KeyVaultResourceId = $KeyVault.ResourceId;

PS /home/terence> Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

Enable AzureDiskEncryption on the VM

This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish. Please save your work on the VM before confirming. Do

you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

RequestId IsSuccessStatusCode StatusCode ReasonPhrase

--------- ------------------- ---------- ------------

True OK OK

PS /home/terence>

image

The following is example of enabling encryption specifying a KEK against a VM to encrypt all of the disks:

PS /home/terence> $KVRGname = 'RG-VMs';

PS /home/terence> $VMRGName = 'RG-NewVNet';

PS /home/terence> $vmName = 'Test-VM2';

PS /home/terence> $KeyVaultName = 'Test-SSE-CMK';

PS /home/terence> $keyEncryptionKeyName = 'CMK-Key01';

PS /home/terence> $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;

PS /home/terence> $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;

PS /home/terence> $KeyVaultResourceId = $KeyVault.ResourceId;

PS /home/terence> $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;

PS /home/terence>

PS /home/terence> Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;

Enable AzureDiskEncryption on the VM

This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish. Please save your work on the VM before confirming. Do

you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

RequestId IsSuccessStatusCode StatusCode ReasonPhrase

--------- ------------------- ---------- ------------

True OK OK

PS /home/terence>

image

Demo - Turning on ADE for Windows VM with Azure Portal

The following is a demonstration of enabling ADE via the Azure portal on a virtual machine that does not have ADE turned on for both OS and data drive:

image

To enable ADE on a VM, simply navigate to the virtual machine, select Disks in the blade and then Additional settings.

image

Assuming that the virtual machine is turned on, the Disks to encrypt drop down menu will be configurable:

image

image

To proceed with encrypting the disks, select OS and data disks, the Key Vault, Key and Version of the key to use for the encryption:

image

Once complete, you will see the Encryption field labeled as SSE with PMK & ADE:

image

Navigating into the VM and reviewing the BitLocker settings will display the followings:

image

Disk Management will now have the (BitLocker Encrypted) tag attached to the OS, the Temporary Storage and Data drive:

image

An additional BeK Volume will also be created with no drive letter attached to it. For those who are not familiar with BitLocker, BEK stands for BitLocker Encryption Key and this volume contains the key to decrypt and boot up the virtual machine during its startup.

Note that new disks added to the VM will not automatically be encrypted:

image

To encrypt the disk, simply stop and deallocated the VM, then power it back on.

image

I’ve noticed that sometimes the Azure portal doesn’t reflect that the newly added disk has ADE enabled so it is best to log into the VM to check if the portal still indicates it does not have ADE enabled:

image

Lastly, you may find that a newly attached disk does not get encrypted by ADE even after stopping and deallocating it. One of the possible causes is if the disk has not been initialized and assigned a drive letter as BitLocker will not be able to encrypt disks that aren’t configured to be used.

VMs with SSE with PMK and SSE with CMK disks

VMs with a mix of SSE with PMK and SSE with CMK will not be able to have ADE enabled:

image

You’ll notice the following warning message when attempting to encrypt the disks:

image

The details of the virtual machine image are not known and may not be currently supported for ADE. Please be aware that the operation may fail if the VM image is not currently supported. Learn more

image

Proceeding to encrypt the disks will fail:

image

Failed to update disk encryption settings

Failed to update disk encryption settings for Test-VM. Error: There was an error processing your request. Try again in a few moments.

Disabling ADE

I’ve tried disabling ADE from the Azure portal with mixed results and would not suggest doing so as you’ll likely end up using PowerShell to fix it. The following are the commands to disable ADE, then remove the extenson on the VM. The latter part is important as not doing so could cause the Azure Portal to report the encryption status of the virtual machine incorrectly (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-troubleshooting#troubleshooting-encryption-status).

To documentation for disabling ADE with PowerShell, CLI or with a Resource Manager template can be found here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#disable-encryption

PS /home/terence> Disable-AzVMDiskEncryption -ResourceGroupName 'RG-NewVNet' -VMName 'Test-VM2' -VolumeType "all"

Disable AzureDiskEncryption on the VM

This cmdlet disables encryption on the VM which may reboot the machine. Please save your work on the VM before confirming. Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

RequestId IsSuccessStatusCode StatusCode ReasonPhrase

--------- ------------------- ---------- ------------

True OK OK

PS /home/terence> Remove-AzVMDiskEncryptionExtension -ResourceGroupName "RG-NewVNet" -VMName "Test-VM2"

Virtual machine extension removal operation

This cmdlet will remove the specified virtual machine extension. Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

RequestId IsSuccessStatusCode StatusCode ReasonPhrase

--------- ------------------- ---------- ------------

True OK OK

PS /home/terence>

image

Hope this post is able to help anyone who may be looking for more information about how ADE works and what the enabling and disabling looks like.

No comments: