“Information protection” no wonder this word has been making big buzz around the world regardless of the business size. We have seen major cyber attacks, malware attacks which even cripple the Enterprise companies finically and reputation wise. So in this article I’m looking at one area of prevention solution offered by Microsoft team long time back. Now it’s extended to Microsoft Azure VM’s as well. Disk encryption is not a new term, we always had heard under Information Security practices consultants highlight how vital to back the data and keep them offshore. Same time they request this data to be encrypted in case fall into wrong hand.
But have you thought about how to protect running VM’s in your data-center or on Azure? Actually there are couple of ways you can approach or that. I recommend all of them in phase method based on your budget and time.
Hardware Security Module (HSM)
Virtual machine disk encryption
Virtual machine backup
Azure Site Recovery
Security policy management and reporting
List can be going on over the time with new addons . In this article I’ll describe how we can protect virtual machines using disk encryption technology. If you’re a HYPER-V fan then read about Shielded VM’s as an additional information.
Ok back to the main topic. This technology is referred as Azure Disk encryption which leverage Microsoft Bitlocker disk encryption. (I do hope now it makes sense to you all). Azure supports encrypting Windows VM’s using Bitlocker technology as well as Linux VM’s using dm-crypt feature which provides volume encryption for the OS and the data disks. All the disk encryption keys and secrets saved on Azure Vault on existing subscription. The data (or in our case VHD files) resides safely on the Azure storage. Read about Azure Key Vault technology here.
Disk encryption activity can be approached from several methods,
Picture credits to the Azure team
1. In case if you decided to upload a encrypted VM from your HYPER-V environment to Azure make sure to upload the VHD to storage account and copy the encryption key material to your key vault. Then, provide the encryption configuration to enable encryption on a new IaaS VM.
2. If you create the Azure VM from Azure marketplace template then just provide the encryption configuration to enable encryption on the IaaS VM.
3. In case if you’ve already created VM on subscription leveraging the Azure marketplace still you can follow the same steps thanks to Azure Security Center.
So let’s assume you already created the Azure VM using the marketplace and started using that for your requirement. Later stage you found out though Azure Security Center you’ve not followed the industry bet practices and it’s highlighting the potential security risk you’re exposed to. One scenario is disks are not encrypted!
As you can see I’ve 3 Azure hosted VM’s and they are having potential security issues and not enabling disk encryption is one of them. On this article I’ll focus on one VM (VM01) which is running server 2012 R2 enabling the disk encryption.
First things first you need to get Azure PowerShell modules setup to your desktop / laptop. You can download them from the Azure download page.
After that you’ll need to get a PowerShell script to do the job. You can get that script from here. Copy the script and save it with any name you prefer. Make sure it’s extension as PS1.
Now you need to open the script using PowerShell ISE.
When you run the script you need to provide following information (orderly manner)
Resource Group Name – This is the RG name where you’ve hosted your VMs
Key Vault Name – Place where your keys will be saved and protected. During the execution of the script it’ll ask for a Key vault. If you didn’t have one create just proceed and it will create a key vault automatically.
Location – Where you Resource Group location. In my scenario it would be “southeastasia”
Tip: notice there are no space between the name. This is very important to remember.
Azure Active Directory Application Name – This is for the Azure Active Directory application that will be used to write secrets to the Key Vault. If you haven’t created one script will create one for you.
Now you’re aware the information you need to provide. Let’s proceed with the execution of the script under PowerShell ISE
If you get above screen that mean phase 1 activity is completed
Now it’s time to get ready to target a VM and encrypt the disks. For this part you need to tell PowerShell which VM you’re targeting. In the PowerShell type below command
$vmName = “<VM name>”
Replace <VM Name> with your VM hosted in that resource group. In my case it’s $vmName = “VM01”
Now in the above PowerShell script line 185 highlight the command to encrypt the disks. Copy that and run it on the PowerShell window. Alternatively you can copy the command mentioned below.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType All
If things go smoothly you’ll get below message on your PowerShell window,
This process will take around 10-15 min time to complete. On above screenshot you can see the command execution and result completion is successful.
After that you can return the VM properties and check the disk status. you can see below both OS and Data disks has been encrypted.
So any given time you add more VM’s to that resource group all you have to do is target the VM name and run the command line given above.
Note: Disk encryption on Azure is a really good option but need to be weighted carefully. If you want to backup the encrypted VM’s then encrypting need to be completed using KEK method. For more in-depth of Azure IaaS disk encryption refer to this article.