As a follow-up to my previous post:
Azure Server-side Encryption (SSE) and Azure Disk Encryption (ADE) – Part 1 of 2
https://blog.terenceluk.com/2021/05/azure-server-side-encryption-sse-and.html
where I wrote about Azure Server-side Encryption (SSE), this post is dedicated to Azure Disk Encryption (ADE).
As always, I would like to provide links to the Microsoft documentation and highly suggest reading them:
Azure Disk Encryption for virtual machines and virtual machine scale sets
https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
Azure Disk Encryption for Windows VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Azure Disk Encryption for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
Create and configure a key vault for Azure Disk Encryption on a Windows VM
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release) for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault-aad
Because SSE protects data at rest only, it provides no protection while the data is in use: a virtualization host cannot run an encrypted VHD, so when a virtual machine starts, its OS disk and any data disks are presented to the host unencrypted. The following diagram depicts this:
Before end-to-end encryption using encryption at host was available, Azure Disk Encryption was the way to add a layer of protection against this risk. Azure Disk Encryption, also known as ADE, encrypts the disk at the operating system level. Because the encryption happens inside the OS, any disks downloaded from Azure are not readable outside the VM.
ADE works by enabling encryption at the operating system level using the native encryption capabilities of Windows or Linux. The two operating systems, and the encryption technology ADE uses on each, are:
- Windows with BitLocker
- Linux with DM-Crypt
Azure Disk Encryption (ADE) is resilient to zone-wide outages.
There are requirements for the supportability of ADE, and they are as follows.
Windows with BitLocker
- Not available on A-series VMs (not usually an issue as these aren’t used in production)
- Minimum of 2GB of memory required (typically not an issue as most VMs are allocated more than that)
- Not supported on VMs that do not have a temp disk
- Not supported on the Dv4, Dsv4, Ev4, and Esv4 VM sizes
- Not supported: applying ADE to a VM that has disks encrypted with server-side encryption with customer-managed keys (SSE + CMK)
- Not supported: applying SSE + CMK to a data disk on a VM encrypted with ADE
- More unsupported scenarios can be found here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#unsupported-scenarios
- Group policy requirements for domain joined VMs include:
  - Do not push any group policies that enforce TPM protectors
  - BitLocker policy on domain joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key
  - Azure Disk Encryption will fail if domain level group policy blocks the AES-CBC algorithm, which is used by BitLocker
- Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets, and the key vault and the VMs must reside in the same Azure region and subscription
- The Windows VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com] to get the token to connect to the key vault
- The Windows VM must be able to connect to the key vault endpoint to write the encryption keys to the key vault
Requirements may change in the future, and the list above covers highlights rather than every requirement, so please refer to the following documentation for the full list:
Azure Disk Encryption for Windows VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Linux with DM-Crypt
- Not available on A-series VMs (not usually an issue as these aren’t used in production)
- Minimum of 2GB of RAM is required when encrypting only data volumes
- Minimum of 8GB of RAM when encrypting both data and OS volumes and the root (/) file system usage is 4GB or less
- When both data and OS volumes are encrypted and the root (/) file system usage is greater than 4GB, the minimum required is root file system usage * 2. For instance, 16 GB of root file system usage requires at least 32GB of RAM
- Not all Linux distributions are supported, so ensure that the following table is referenced: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview#supported-operating-systems
- The Linux VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com] to get the token to connect to the key vault
- The Linux VM must be able to connect to the key vault endpoint to write the encryption keys to the key vault
Requirements may change in the future, and the list above covers highlights rather than every requirement, so please refer to the following documentation for the full list:
Azure Disk Encryption for Linux VMs
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
As stated in the requirements, the virtual machine, whether Windows or Linux, uses an extension that accesses the Azure Key Vault directly to obtain the encryption key for each drive. The following diagram depicts the disks and their interaction with the Azure Key Vault:
By default the Azure Key Vault does not allow this direct access from virtual machines, so a flag must be turned on to permit it. The following is where this setting is turned on:
Azure Disk Encryption for volume encryption
Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
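The vault flag and the same-region and VM-size requirements above can be checked from PowerShell before attempting encryption. The following pre-flight check is an added example, not code from the original post; it assumes the Az.Compute and Az.KeyVault modules, an active Connect-AzAccount session, and placeholder resource names.

```powershell
# Added example: pre-flight checks for ADE on a Windows VM (not from the original post).
# Assumes Az.Compute / Az.KeyVault and an existing Connect-AzAccount session.
function Test-AdePrerequisites {
    param(
        [Parameter(Mandatory)] [string] $VmResourceGroup,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $VaultResourceGroup,
        [Parameter(Mandatory)] [string] $VaultName,
        [switch] $Fix   # when set, turn on "Azure Disk Encryption for volume encryption"
    )
    $problems = @()
    $vm    = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup

    # Key vault and VM must be in the same region (same subscription is implied by the session).
    if ($vm.Location -ne $vault.Location) {
        $problems += "VM is in $($vm.Location) but vault '$VaultName' is in $($vault.Location)"
    }

    # The vault must allow ADE to retrieve secrets and unwrap keys.
    if (-not $vault.EnabledForDiskEncryption) {
        if ($Fix) {
            Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $VaultResourceGroup -EnabledForDiskEncryption
        } else {
            $problems += "Vault '$VaultName' does not have 'Azure Disk Encryption for volume encryption' enabled"
        }
    }

    # Unsupported sizes from the requirements list: A-series, and Dv4/Dsv4/Ev4/Esv4 (no temp disk).
    # Ddv4/Edsv4 sizes carry a 'd' before the version suffix and are not matched by the second pattern.
    $size = $vm.HardwareProfile.VmSize
    if ($size -match '^(Standard|Basic)_A\d') { $problems += "A-series size $size is not supported" }
    if ($size -match '^Standard_[DE]\d+s?_v4$') { $problems += "$size has no temp disk and is not supported" }

    # ADE runs inside the guest, so the VM must be running when the extension is applied.
    $power = (Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName -Status).Statuses |
             Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty Code
    if ($power -ne 'PowerState/running') { $problems += "VM power state is '$power', expected PowerState/running" }

    if ($problems.Count -eq 0) { Write-Host "All ADE prerequisites satisfied for $VmName" }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return ($problems.Count -eq 0)
}

# Usage with placeholder names:
# Test-AdePrerequisites -VmResourceGroup 'RG-NewVNet' -VmName 'Test-VM2' -VaultResourceGroup 'RG-VMs' -VaultName 'Test-SSE-CMK'
```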
Azure Backup Limitations with ADE
It is important to note that there are some limitations when backing up ADE disks with Azure backup and they are as follows:
- You can back up and restore ADE encrypted VMs within the same subscription and region
- Azure Backup supports VMs encrypted using standalone keys. Any key that’s a part of a certificate used to encrypt a VM isn’t currently supported
- You can back up and restore ADE encrypted VMs within the same subscription and region as the Recovery Services Backup vault
- ADE encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files and folders
- When restoring a VM, you can’t use the replace existing VM option for ADE encrypted VMs. This option is only supported for unencrypted managed disks
Please refer to the following document for more details:
Server Side Encryption (SSE) compatibility
- ADE can be paired with SSE with PMK
- ADE cannot be paired with SSE with CMK
Summary
The following are key points to summarize ADE:
- ADE allows encrypting OS, data and temp disks
- Encrypting at the OS level effectively encrypts the cache as well
- ADE provides protection against data access when VHDs are downloaded from Azure with methods such as Azure Storage Explorer
- You cannot mix ADE with Disk Encryption Set (you can only use one or the other)
- If Encryption at Host is not available then ADE is the only way to guarantee data is encrypted when disks are attached to the host
- As ADE relies on the operating system to perform the encryption, the virtual machine must be running when it is turned on
Demo – Turning on ADE for Windows VM with PowerShell
The Azure Portal provides the ability to encrypt a VM's disks, but I've found it to be a bit inconsistent when displaying the encryption status of the disks, so the best method is to use either PowerShell or the CLI.
The official documentation can be found here:
Enable encryption on an existing or running Windows VM
The following is an example of enabling encryption on a VM without specifying a KEK (key encryption key), encrypting all of its disks:
PS /home/terence> Remove-AzVMDiskEncryptionExtension -ResourceGroupName "RG-NewVNet" -VMName "Test-VM2"
Virtual machine extension removal operation
This cmdlet will remove the specified virtual machine extension. Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS /home/terence> $KVRGname = 'RG-VMs';
PS /home/terence> $VMRGName = 'RG-NewVNet';
PS /home/terence> $vmName = 'Test-VM2';
PS /home/terence> $KeyVaultName = 'Test-SSE-CMK';
PS /home/terence> $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
PS /home/terence> $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS /home/terence> $KeyVaultResourceId = $KeyVault.ResourceId;
PS /home/terence> Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
Enable AzureDiskEncryption on the VM
This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish. Please save your work on the VM before confirming. Do
you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS /home/terence>
The following is an example of enabling encryption on a VM with a KEK specified, encrypting all of its disks:
PS /home/terence> $KVRGname = 'RG-VMs';
PS /home/terence> $VMRGName = 'RG-NewVNet';
PS /home/terence> $vmName = 'Test-VM2';
PS /home/terence> $KeyVaultName = 'Test-SSE-CMK';
PS /home/terence> $keyEncryptionKeyName = 'CMK-Key01';
PS /home/terence> $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
PS /home/terence> $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS /home/terence> $KeyVaultResourceId = $KeyVault.ResourceId;
PS /home/terence> $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
PS /home/terence>
PS /home/terence> Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
Enable AzureDiskEncryption on the VM
This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish. Please save your work on the VM before confirming. Do
you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS /home/terence>
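Since the cmdlet returns before the 10-15 minute encryption pass completes and the portal's status column is not always reliable, it helps to read the state from the ADE extension itself. The following is an added example, not code from the original post; it assumes an active Az session and uses the post's resource names as placeholders.

```powershell
# Added example (not from the original post): report and wait on ADE state from the Azure side,
# independent of what the portal shows. Assumes Az.Compute and an existing Connect-AzAccount session.
function Get-AdeReport {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )
    # Encryption status as tracked by the ADE extension; OS and data volumes are reported separately.
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

    # A missing or failed AzureDiskEncryption extension is the usual reason the portal and the
    # guest disagree, so surface the extension's provisioning state alongside the volume status.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ErrorAction SilentlyContinue |
           Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.ExtensionType -like 'AzureDiskEncryption*' }

    [pscustomobject]@{
        VM                   = $VMName
        OsVolumeEncrypted    = $status.OsVolumeEncrypted
        DataVolumesEncrypted = $status.DataVolumesEncrypted
        ProgressMessage      = $status.ProgressMessage
        ExtensionName        = $ext.Name
        ExtensionState       = $ext.ProvisioningState
        ExtensionVersion     = $ext.TypeHandlerVersion
    }
}

function Wait-AdeCompletion {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
        Write-Host ("{0:HH:mm:ss} OS={1} Data={2} {3}" -f (Get-Date), $s.OsVolumeEncrypted, $s.DataVolumesEncrypted, $s.ProgressMessage)
        # Done once the OS volume is Encrypted and no data volume is still unencrypted or in progress
        # (a VM with no data disks reports a non-NotEncrypted value for DataVolumesEncrypted).
        $dataPending = "$($s.DataVolumesEncrypted)" -in @('NotEncrypted', 'EncryptionInProgress')
        if ("$($s.OsVolumeEncrypted)" -eq 'Encrypted' -and -not $dataPending) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "ADE did not finish within $TimeoutMinutes minutes on $VMName"
    return $false
}

# Usage with the post's placeholder names:
# Get-AdeReport -ResourceGroupName 'RG-NewVNet' -VMName 'Test-VM2' | Format-List
# Wait-AdeCompletion -ResourceGroupName 'RG-NewVNet' -VMName 'Test-VM2'
```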
Demo – Turning on ADE for Windows VM with Azure Portal
The following is a demonstration of enabling ADE via the Azure portal, for both the OS and data disks, on a virtual machine that does not yet have ADE turned on:
To enable ADE on a VM, simply navigate to the virtual machine, select Disks in the blade and then Additional settings.
Assuming that the virtual machine is turned on, the Disks to encrypt drop down menu will be configurable:
To proceed with encrypting the disks, select OS and data disks, the Key Vault, Key and Version of the key to use for the encryption:
Once complete, you will see the Encryption field labeled as SSE with PMK & ADE:
Navigating into the VM and reviewing the BitLocker settings will display the following:
Disk Management will now have the (BitLocker Encrypted) tag attached to the OS, the Temporary Storage and Data drive:
An additional BEK volume will also be created with no drive letter attached to it. For those who are not familiar with BitLocker, BEK stands for BitLocker Encryption Key, and this volume contains the key used to unlock the OS volume and boot the virtual machine during startup.
Note that new disks added to the VM will not automatically be encrypted:
To encrypt the disk, simply stop and deallocate the VM, then power it back on.
I've noticed that sometimes the Azure portal doesn't reflect that the newly added disk has ADE enabled, so if the portal still indicates a disk does not have ADE enabled, it is best to log into the VM and check there:
Lastly, you may find that a newly attached disk does not get encrypted by ADE even after stopping and deallocating it. One of the possible causes is if the disk has not been initialized and assigned a drive letter as BitLocker will not be able to encrypt disks that aren’t configured to be used.
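The two in-guest checks above (whether the new disk has been initialized with a drive letter, and what BitLocker reports per volume) can be done together from an elevated PowerShell session inside the Windows VM. This is an added example, not from the original post; it assumes the Storage and BitLocker modules that ship with Windows Server.

```powershell
# Added example (not from the original post): run inside the Windows guest after attaching a new data disk.
# Brings RAW disks online with a drive letter (BitLocker will not encrypt an uninitialised disk),
# then reports per-volume BitLocker state so the guest view can be trusted over the portal.
function Initialize-NewDataDisks {
    # A disk that is still RAW has never been partitioned or formatted, so ADE skips it.
    $raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
    foreach ($d in $raw) {
        Initialize-Disk -Number $d.Number -PartitionStyle GPT -PassThru |
            New-Partition -AssignDriveLetter -UseMaximumSize |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data$($d.Number)" -Confirm:$false | Out-Null
        Write-Host "Initialised disk $($d.Number) ($([math]::Round($d.Size / 1GB)) GB)"
    }
    return $raw.Count   # number of disks that were brought into use
}

function Get-AdeGuestStatus {
    # ProtectionStatus 'Off' with VolumeStatus 'FullyDecrypted' is the state a freshly attached
    # disk stays in until ADE runs again (the stop/deallocate/start cycle described above).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive         = $_.MountPoint
            VolumeType    = $_.VolumeType
            VolumeStatus  = $_.VolumeStatus
            Protection    = $_.ProtectionStatus
            EncryptionPct = $_.EncryptionPercentage
            KeyProtectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

$initialised = Initialize-NewDataDisks
Write-Host "Initialised $initialised new disk(s); current BitLocker state:"
Get-AdeGuestStatus | Format-Table -AutoSize
```

Any data volume still showing Protection Off after the VM has been deallocated and started again is the case the paragraph above describes and is worth checking before assuming the portal is simply lagging.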
VMs with SSE with PMK and SSE with CMK disks
VMs with a mix of SSE with PMK and SSE with CMK will not be able to have ADE enabled:
You’ll notice the following warning message when attempting to encrypt the disks:
The details of the virtual machine image are not known and may not be currently supported for ADE. Please be aware that the operation may fail if the VM image is not currently supported. Learn more
Proceeding to encrypt the disks will fail:
Failed to update disk encryption settings
Failed to update disk encryption settings for Test-VM. Error: There was an error processing your request. Try again in a few moments.
Disabling ADE
I've tried disabling ADE from the Azure portal with mixed results and would not suggest doing so, as you'll likely end up using PowerShell to fix it. The following are the commands to disable ADE and then remove the extension from the VM. The latter step is important, as skipping it can cause the Azure Portal to report the encryption status of the virtual machine incorrectly (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-troubleshooting#troubleshooting-encryption-status).
The documentation for disabling ADE with PowerShell, the CLI, or a Resource Manager template can be found here: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows#disable-encryption
PS /home/terence> Disable-AzVMDiskEncryption -ResourceGroupName 'RG-NewVNet' -VMName 'Test-VM2' -VolumeType "all"
Disable AzureDiskEncryption on the VM
This cmdlet disables encryption on the VM which may reboot the machine. Please save your work on the VM before confirming. Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS /home/terence> Remove-AzVMDiskEncryptionExtension -ResourceGroupName "RG-NewVNet" -VMName "Test-VM2"
Virtual machine extension removal operation
This cmdlet will remove the specified virtual machine extension. Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS /home/terence>
Hope this post is able to help anyone who may be looking for more information about how ADE works and what the enabling and disabling looks like.