Securing VM disks in Azure

  • Writer: Jonathan Weekes
  • Feb 26, 2019
  • 3 min read


One topic that comes up with clients is how to secure VMs in Azure when you have no control over the physical environment. While this might seem like an impossible task, it isn’t hard with Azure.


It is obvious that Microsoft cannot guarantee that only your employees will have physical access to your servers, so how do you stop someone from stealing your data? Now, this isn’t that huge in the grand scheme of things, as your servers and data might not be located in the same rack, or even in the same data center, so a malicious actor will have a really hard time figuring out where your data really lives, although it isn’t impossible. And as any security guy will tell you, if someone can obtain physical access to your hardware, they have everything.


Now the good news: even if someone figured out where your drives are located, they are still encrypted at rest by default. Since June 2017 Azure has encrypted all storage data using Storage Service Encryption (SSE) with AES 256-bit encryption. This is enabled by default and cannot be disabled. The keys for SSE are generated by Azure automatically and managed by Microsoft, but if required you can use your own encryption keys held in an Azure Key Vault, by using the PowerShell script below.


# The storage account needs a managed identity that can be granted access to the vault;
# -AssignIdentity creates a system-assigned identity if the account does not already have one
$storageAccount = Set-AzStorageAccount -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -AssignIdentity

# The vault must have soft delete and purge protection enabled to be used for storage encryption
$keyVault = Get-AzKeyVault -VaultName "mykeyvault"
$key = Get-AzKeyVaultKey -VaultName $keyVault.VaultName -Name "keytoencrypt"

# Allow the storage account's identity to wrap and unwrap the account key with the vault key
Set-AzKeyVaultAccessPolicy `
    -VaultName $keyVault.VaultName `
    -ObjectId $storageAccount.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get

# Switch the account from Microsoft-managed keys to the customer-managed key in the vault
Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
    -AccountName $storageAccount.StorageAccountName `
    -KeyvaultEncryption `
    -KeyName $key.Name `
    -KeyVersion $key.Version `
    -KeyVaultUri $keyVault.VaultUri


But this isn’t normally enough, as a VM stores everything in a virtual disk which can still be opened and read by anyone with access to the image file. So how can you ensure the contents are protected? Azure Disk Encryption (ADE) can encrypt the contents of a virtual hard drive, by using BitLocker on Windows or dm-crypt on Linux, and the encryption keys are in turn protected by keys in an Azure Key Vault. There are some requirements for ADE, which can be found here, including BitLocker GPO settings, but it is simple to implement by using PowerShell, and any VMs not using Azure Disk Encryption are reported in Azure Security Center as a high risk.


The PowerShell for encrypting a VM using a key that Azure generates in the vault is:

$rgName = 'MySecureRg'
$vmName = 'MySecureVM'
$KeyVaultName = 'MySecureVault'

# The vault must be enabled for disk encryption (Set-AzureRmKeyVaultAccessPolicy -EnabledForDiskEncryption)
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# Installs the ADE extension on the VM and stores the generated disk encryption secrets in the vault
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId

Or, to wrap the disk encryption keys with your own key encryption key from the vault:

$rgName = 'MySecureRg'
$vmName = 'MySecureVM'
$KeyVaultName = 'MySecureVault'
$keyEncryptionKeyName = 'MyKeyEncryptionKey'

$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# The KEK is referenced by its versioned key identifier (kid) URL
$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId
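To see where you stand before and after running the scripts above, here is an added audit script (not part of the original post) that reports the SSE key source of every storage account, the ADE status of every VM, and whether the vault meets the ADE prerequisite. It uses the Az module against the subscription already selected with Connect-AzAccount; the function names are my own and the vault name is the post's placeholder.

```powershell
function Get-StorageKeySourceReport {
    # SSE is always on; the control you own is whether the key is Microsoft-managed
    # ('Microsoft.Storage') or held in your own Key Vault ('Microsoft.Keyvault').
    foreach ($sa in Get-AzStorageAccount) {
        $cmk = ($sa.Encryption.KeySource -eq 'Microsoft.Keyvault')
        [pscustomobject]@{
            Resource  = $sa.StorageAccountName
            KeySource = $sa.Encryption.KeySource
            Finding   = $(if ($cmk) { 'customer-managed key' } else { 'Microsoft-managed key (SSE default)' })
        }
    }
}

function Get-AdeStatusReport {
    # Mirrors the Security Center finding: a VM whose OS volume is not ADE-encrypted is high risk.
    foreach ($vm in Get-AzVM) {
        $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        $finding = 'ok'
        if ($status.DataVolumesEncrypted -eq 'NotEncrypted') { $finding = 'MEDIUM: data disks not encrypted' }
        if ($status.OsVolumeEncrypted -ne 'Encrypted')       { $finding = 'HIGH: OS disk not ADE-encrypted' }
        [pscustomobject]@{
            Resource    = $vm.Name
            OsVolume    = $status.OsVolumeEncrypted
            DataVolumes = $status.DataVolumesEncrypted
            Finding     = $finding
        }
    }
}

function Test-AdeVault {
    # ADE needs the vault flagged for disk encryption before the extension cmdlet will succeed.
    param([string]$VaultName)
    $kv = Get-AzKeyVault -VaultName $VaultName
    [pscustomobject]@{
        Vault                    = $kv.VaultName
        EnabledForDiskEncryption = $kv.EnabledForDiskEncryption
        Finding                  = $(if ($kv.EnabledForDiskEncryption) { 'ok' } else { 'run Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption' })
    }
}

Get-StorageKeySourceReport | Format-Table -AutoSize
Get-AdeStatusReport        | Format-Table -AutoSize
Test-AdeVault -VaultName 'MySecureVault'
```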


So, let’s talk a little about the Azure Key Vault. Basically, the Key Vault is a secure location for keeping secrets, which can be certificates, encryption keys, connection strings, and anything else that needs to be securely stored. To access a secret, the access attempt must be authenticated first, and each secret has its own ACL.


For most companies with no compliance requirements, the standard software Key Vault, which is not FIPS validated, will provide adequate features, but for anyone with a compliance requirement, the premium version backed by FIPS 140-2 Level 2 validated HSMs will be the one to pick. Unfortunately, the dedicated FIPS 140-2 Level 3 validated HSM is not compatible with ADE, and neither are non-Azure key vaults and HSMs.


The encryption process for ADE starts with a Key Encryption Key (KEK), which is an asymmetric key pair used to encrypt the Data Encryption Keys (DEKs). The actual disk encryption is carried out by multiple DEKs, which are symmetric AES-256 keys, and each one only encrypts part of the virtual disk. Access to both the DEKs and the KEK is required for encryption or decryption, and deleting the KEK renders the DEKs permanently encrypted and the virtual disk unusable. This dual key system exists for the simple reason that symmetric encryption is much faster than asymmetric, and asymmetric keys are more secure.
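The KEK/DEK relationship described above, modelled locally as an added illustration (not code from the post or from ADE itself) with .NET crypto in PowerShell 7: each segment gets its own AES-256 DEK, only a KEK-wrapped copy of the DEK is kept, and losing the KEK leaves the segments as unrecoverable ciphertext. Function and variable names are my own.

```powershell
function New-Kek {
    # Asymmetric RSA-2048 key pair standing in for the Key Vault KEK.
    return [System.Security.Cryptography.RSA]::Create(2048)
}

function Protect-Segment {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$Kek)
    # A fresh symmetric AES-256 DEK does the bulk encryption of this disk segment.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The DEK is stored only in wrapped form: RSA-OAEP under the KEK.
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $wrappedDek = $Kek.Encrypt($aes.Key, $oaep)
    $envelope = [pscustomobject]@{ Ciphertext = $cipher; IV = $aes.IV; WrappedDek = $wrappedDek }
    $aes.Dispose()   # the plaintext DEK leaves memory; only the wrapped copy survives
    return $envelope
}

function Unprotect-Segment {
    param($Envelope, [System.Security.Cryptography.RSA]$Kek)
    # Without the KEK the wrapped DEK cannot be opened, so the segment stays ciphertext.
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $dek = $Kek.Decrypt($Envelope.WrappedDek, $oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $dek; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    Write-Output -NoEnumerate $plain
}

# Constructed sample: two "segments", each with its own DEK, all wrapped by one KEK.
$kek = New-Kek
$segments = 'segment 0: boot sector', 'segment 1: user data' |
    ForEach-Object { Protect-Segment -Plaintext ([Text.Encoding]::UTF8.GetBytes($_)) -Kek $kek }
foreach ($s in $segments) {
    [Text.Encoding]::UTF8.GetString((Unprotect-Segment -Envelope $s -Kek $kek))
}

# Simulate deleting the KEK from the vault: the DEKs, and so the whole disk, become unrecoverable.
$kek.Dispose()
try   { Unprotect-Segment -Envelope $segments[0] -Kek $kek | Out-Null }
catch { "KEK gone: cannot unwrap DEK ($($_.Exception.GetType().Name))" }
```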


Your data is now encrypted by using Storage Service Encryption and Azure Disk Encryption, and removing the keys makes the drive unusable, so securely backing up the keys is a must. And just to assure the security team: according to the Microsoft SOC 2 Type 2 report, available in the Microsoft Trust Center, Microsoft cannot view or extract any secrets in the vault, so even if you needed their help, they are deliberately very limited in what they can do.
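Since losing the KEK means losing the disk, here is an added example (not from the post) that checks the vault's deletion safeguards and takes a Key Vault backup of the KEK. It uses the Az module; the vault and key names are the post's placeholders, and the backup directory is an assumption of mine.

```powershell
function Test-KeyVaultRetention {
    # Soft delete keeps a deleted key recoverable for the retention period; purge protection
    # stops anyone, administrators included, from hard-deleting it during that window.
    param([string]$VaultName)
    $kv = Get-AzKeyVault -VaultName $VaultName
    if (-not $kv.EnableSoftDelete)      { Write-Warning "$VaultName: soft delete is off" }
    if (-not $kv.EnablePurgeProtection) { Write-Warning "$VaultName: purge protection is off (Update-AzKeyVault -EnablePurgeProtection)" }
    return [pscustomobject]@{
        Vault           = $kv.VaultName
        SoftDelete      = [bool]$kv.EnableSoftDelete
        PurgeProtection = [bool]$kv.EnablePurgeProtection
    }
}

function Backup-Kek {
    param([string]$VaultName, [string]$KeyName, [string]$OutputDir)
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $file  = Join-Path $OutputDir ("{0}-{1}-{2}.keybackup" -f $VaultName, $KeyName, $stamp)
    # The blob is encrypted by Key Vault, not the raw key material, and can only be restored
    # (Restore-AzKeyVaultKey) into a vault in the same Azure subscription and geography.
    Backup-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $file | Out-Null
    # Record a hash so the copy kept offline can later be checked for tampering or corruption.
    return [pscustomobject]@{
        File   = $file
        Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

Test-KeyVaultRetention -VaultName 'MySecureVault'
Backup-Kek -VaultName 'MySecureVault' -KeyName 'MyKeyEncryptionKey' -OutputDir 'D:\kek-backups'
```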


For more information on Azure Key Vaults, the Microsoft Docs documentation is very good, and I will be posting more shortly.
