Today, we're announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers already benefit from SSE with platform-managed keys for Managed Disks enabled by default. SSE with CMK improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.
Today, customers can also use Azure Disk Encryption, which leverages the Windows BitLocker feature and the Linux dm-crypt feature to encrypt Managed Disks with CMK within the guest virtual machine (VM). SSE with CMK improves on Azure Disk encryption by enabling you to use any OS types and images, including custom images, for your VMs by encrypting data in the Azure Storage service.
SSE with CMK is integrated with Azure Key Vault, which provides highly available and scalable secure storage for your keys backed by Hardware Security Modules. You can either bring your own keys (BYOK) to your Key Vault or generate new keys in the Key Vault.
About the key management
Managed Disks are encrypted and decrypted transparently using 256-bit Advanced Encryption Standard (AES) encryption, one of the strongest block ciphers available. The Storage service handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using 256-bit AES-based data encryption keys, which are, in turn, protected using your keys stored in a Key Vault.
The Storage service generates data encryption keys and encrypts them with CMK using RSA encryption. The envelope encryption allows you to rotate (change) your keys periodically as per your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new CMK.
Full control of your keys
You are in full control of your keys in your Key Vault. Managed Disks uses system-assigned managed identity in your Azure Active Directory (Azure AD) for accessing keys in Key Vault. An administrator with required permissions in the Key Vault must first grant access to Managed Disks in Key Vault to use the keys for encrypting and decrypting the data encryption key. You can prevent Managed Disks from accessing your keys by either disabling your keys or by revoking access controls for your keys—doing so for disks attached to running VMs will cause the VMs to fail. Moreover, you can track the key usage through Key Vault monitoring to ensure that only Managed Disks or other trusted Azure services are accessing your keys.
Availability of SSE with CMK
SSE with CMK is available for Standard HDD, Standard SSD, and Premium SSD Managed Disks that can be attached to Azure Virtual Machines and VM scale sets. Ultra Disk Storage support will be announced separately. SSE with CMK is now enabled in all the public and Azure Government regions and will be available in the regions in Germany (Sovereign) and China in a few weeks.
You can use Azure Backup to back up your VMs using Managed Disks encrypted with SSE with CMK. Also, you can choose to encrypt the backup data in your Recovery Services vaults using your keys stored in your Key Vault instead of platform-managed keys available by default. Refer to documentation for more details on the encryption of backups using CMK.
You can use Azure Site Recovery to replicate your Azure virtual machines that have Managed Disks encrypted with SSE with CMK to other Azure regions for disaster recovery. You can also replicate your on-premises virtual machines to Managed Disks encrypted with SSE with CMK in Azure. Learn more about replicating your virtual machines using Managed Disks encrypted with SSE with CMK.
To enable the encryption with CMK for Managed Disks, you must first create an instance of a new resource type called DiskEncryptionSet and then grant the instance access to the key Vault. DiskEncryptionSet represents a key in your Key Vault and allows you to reuse the same key for encrypting many disks, snapshots, and images with the same key.
Let’s look at an example of creating an instance of DiskEncryptionSet:
1. Create an instance of DiskEncryptionSet by specifying a key in your Key Vault.
keyVaultId=$(az keyvault show --name yourKeyVaultName --query [id] -o tsv)
keyVaultKeyUrl=$(az keyvault key show --vault-name yourKeyVaultName --name yourKeyName --query [key.kid] -o tsv)
az disk-encryption-set create -n yourDiskEncryptionSetName -l WestCentralUS -g yourResourceGroupName --source-vault $keyVaultId --key-url $keyVaultKeyUrl
2. Grant the instance access to the Key Vault. When you created the instance, the system automatically created a system-assigned managed identity in your Azure AD and associated the identity with the instance. The identity must have access to the Key Vault to perform required operations such as wrapkey, unwrapkey and get.
desIdentity=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName --query [identity.principalId] -o tsv)
az keyvault set-policy -n yourKeyVaultName -g yourResourceGroupName --object-id $desIdentity --key-permissions wrapkey unwrapkey get
az role assignment create --assignee $desIdentity --role Reader --scope $keyVaultId
You are ready to enable the encryption for disks, snapshots, and images by associating them with the instance of DiskEncryptionSet. There is no restriction on the number of resources that can be associated with the same DiskEncryptionSet.
Let’s look at an example of enabling for an existing disk:
1. To enable the encryption for disks attached to a VM, you must stop(deallocate) a virtual machine.
az vm stop --resource-group MyResourceGroup --name MyVm
2. Enable the encryption for an attached disk by associating it with the instance of DiskEncryptionSet.
diskEncryptionSetId=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName --query [id] -o tsv)
az disk update -n yourDiskEncryptionSetName -g yourResourceGroupName --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId
3. Start the VM.
az vm start -g MyResourceGroup -n MyVm
Refer to the Managed Disks documentation for detailed instructions on enabling server side encryption with CMK for Managed Disks.
Send us your feedback
We look forward to hearing your feedback for SSE with CMK. Please email us here.