Microsoft Azure AZ-801 — Section 7: Secure Windows Server storage Part 2


46. Enable storage encryption by using Azure Disk Encryption

Now I want to take a look here in Azure, at how Azure is going to encrypt virtual disks.

So, if you’re using virtual machines and, maybe, you’re hosting a server in Azure, I want you to know that Azure is going to encrypt your disk automatically. There’s a couple of considerations I want to look at. Here we are on portal.azure.com and I’m going to create a virtual machine real quick.

Now, the point of this video is not to get into the intricacies of creating a virtual machine. So, I’m not going to be explaining every little fine detail about virtual machines. What we’re focused on in this video is the data encryption side of things.

So, we’re going to go here on portal.azure.com, we’re going to click the menu button, we’re going to go down to virtual machines and we’re going to click to create a virtual machine. From there, create a resource group. I’m just going to call this VMDemo, click Okay, give it a name. I’m going to call this winserver1. It’s going to be the name of my VM. I’m going to do East US. I am going to do redundancy on the VM right now, and I’m going to choose to go with, let’s go with a Windows 2022 server, take the default size, my admin account is going to be called LP admin and my password, it’s going to look like this. I’m going to use port 3389. That’s fine. I’m going to click Next. Okay, now this screen here’s a little bit misleading. It says VM disk encryption. Azure disk storage encryption automatically encrypts your data stored on Azure managed disks (OS and data) at rest by default when persisting it to the cloud. All right.

Then, they got this thing called Encryption at host. And that’s grayed out, all right. And that is because to do the host, you have to register to do that. And this is misleading because it makes you think, oh well, my disk isn’t going to be encrypted. Absolutely not. That’s not the case. Your disk will be encrypted. They’re talking about what’s called host level encryption. So, that means at the physical data center level, you can also have the host, the physical data center level, encrypted as well, with an encryption key you manage. Keep in mind, all of it is going to be encrypted, but it’s managed by Microsoft. You can click Learn more and there are some PowerShell commands that will let you register this capability and this feature. But that’s not what I’m here to explain. You’ll see in a moment. So, I’m going to go here. I was going to switch myself to a standard HDD because it’s cheaper. Now, right here, we have platform managed key. All right. So, we are going to be encrypting our virtual disk. The physical host itself is managed by the data center. I’m not dealing with that. That’s what this checkbox is talking about. But we are going to encrypt our virtual disk. Now, platform managed key means Microsoft will be managing the encryption key themselves.

Of course, immediately what you start thinking there is, “Well, what’s going to stop somebody at Microsoft from just getting access to my data?” Well, actually, Microsoft has a committee and whenever somebody at the facility, if they needed to get access to the data, they can’t do that unless we authorize it and that committee authorizes it. There’s a lot of interesting information out on the Internet that Microsoft has published about how they manage customer data, and there’s a lot of restrictions to it. So, it’s a lot more secure than you think. However, you can also do what’s called a customer managed key, which means you can set up a key vault yourself. And this thing called an Azure vault, it will let you manage the key yourself. All right. And so that’s what that would involve. But we’re going to start out with platform managed key and we can switch over to customer managed key later if we want. All right.

From there, I’m just going to go ahead now and click. I’m just going to go to management and I am going to just make sure that this thing auto shuts down at 7 p.m., and I’m going to click Review and create. All right. And waiting on it to finish. I’m going to go ahead and click to create. All right. And I’m going to pause the recording while my virtual machine is getting created. All right. Once that’s done, I can just click Go to Resource, and that’s going to take me straight to the virtual machine. All right. From there, I can click on the disk blade and I can see the virtual disk that was created for this virtual machine. And you can see right here, if I click on that virtual disk, I can go to encryption and I can see that it is currently being managed as a platform managed key. And you’ll also notice I can’t change that, right? The reason I can’t change it is because the virtual machine is currently up and running.

So, if I go over to my server, I’m just going to stop the server, I’m going to tell it to shut down and we’ll give that a moment. I’ll pause my recording while that’s happening. All right.

When that is done, I can now go over to the disk blade. I can click on the winserver1 disk and go to encryption and I’ll now have my dropdown and I could choose customer managed key, but I don’t have a key vault right now, so it’s not going to let me choose that. Now, what I really want to show you, though, let’s go back to the disk area, is that I can go and I can say create and attach a new disk if I want. So, it’s going to assign it a LUN, which is a logical unit number, which is just a storage area network based system. Give it a name. I’m just going to call this data and then specify what kind of disk it’s going to be. I’ll just do standard HDD, specify the size. All right. And then here would be its platform managed key. Right now that’s the only option I’ve got, right? That is because I haven’t got a key vault, but it is going to encrypt. And that’s the thing I can’t stress enough. It is still going to encrypt. You are still going to allow this to be encrypted. And then there’s a feature called host caching, which I’m not getting into in this video, but at that point I can now say, okay, let’s attach. If I want to go ahead and utilize that, I can have that disk ready to go and allow that disk to be attached. But let’s save it first. This is going to create the disk. All right. And so the disk has been successfully created. Well, actually, there we go, now it’s been successfully created, right? And so I got that all together. I don’t actually mean to click that right there. All right. So, we got our operating system disk, and we got our data disk. Now we’re going to go back over here and we’re going to start our virtual machine up. And I’ll pause the recording while that’s happening. All right.

So, now that it started up, I’m just going to go to this Connect blade here. And then you can download the RDP file. You can run that RDP file and you can connect into it. So, here I am, connected into the virtual machine. All right. And if I go over here, I’m in Server Manager, if I go to File and Storage Services, Disks. All right. Got to give it just a moment to load everything up here, but looks like it is loaded up and you can see that I have my disk available now. And I can also right click Start, go to Disk Management, and I can view it all that way as well. You’ll see that it detected this, too. It wants me to go ahead and use GUID partition table to initialize the disk. And then if I want to go ahead and create a volume on it, I can. And keep in mind you can do it through that or you can do it through the newer interface as well. It doesn’t really matter. Say New Volume. Let me just select the right disk here. Okay. It’s just taking a little while for it to all show up. Yeah, I have a C drive and I have a D drive. The D drive is just a temporary disk, though, so that’s not actually it. This is the disk itself.

So, I’m just going to right click and say New Volume and I’ll just create a new volume on that disk. Okay, it’s going to initialize. It will just take up the full 32 gigs on it. It’ll be the drive letter E, NTFS, which does support encryption, by the way. Failed to initialize this argument. Oh, I must have already done it. That’s right. I think I already did do it, didn’t I? So, it’s already been initialized. So, we’ll go through the wizard here. Don’t have to initialize at this time. Click New Volume, Create, and it’s now being created. When this finishes, now it’s been created and we should be able to even take a look at that if we want.

So, we’ll go to File Explorer. And that new drive should be available to us to store data. Okay. And of course, everything is being encrypted in Azure. But what I would also want to show you is the fact that we can go to Manage, Add Roles and Features and go to Features here and look at what we got right there. We already have BitLocker Drive Encryption available to us on the server. So, if I go down here to the search bar and go to Control Panel, switch this over to large icons, I’ve got BitLocker Drive Encryption. And you’ll notice that I could turn that on for this drive if I wanted to.
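As an added example (not code from the video), here is the guest-side part of the lesson done in PowerShell on the server: initialize the newly attached data disk with a GPT partition table, format it NTFS, and turn on BitLocker for that volume. The drive letter E, the label “Data” and the recovery password protector are assumptions; the BitLocker feature is assumed to be installed, as the video shows.

```powershell
# Added example, not from the video: prepare the attached Azure data disk inside
# the guest and enable BitLocker on it. Assumptions: drive letter E:, volume
# label "Data", BitLocker feature already installed on the server.

# 1. Find the RAW (uninitialized) disk; the OS disk (C:) and temp disk (D:) are skipped.
$dataDisk = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
if (-not $dataDisk) { throw 'No uninitialized data disk found.' }

# 2. GPT partition table, one partition using the whole disk, NTFS (NTFS supports BitLocker).
$dataDisk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null

# 3. Enable BitLocker on E: with a recovery password protector (XTS-AES 256).
$bl = Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly

# Store the recovery password outside this VM (for example in Key Vault or AD) before
# relying on the volume; without it, a lost protector means lost data.
$recovery = ($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Output "Recovery password for E: (save securely, then clear the console): $recovery"

# 4. Confirm: VolumeStatus should be EncryptionInProgress or FullyEncrypted,
#    ProtectionStatus On once encryption finishes.
Get-BitLockerVolume -MountPoint 'E:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```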

My point in saying all that is that we have a Microsoft managed level of encryption that’s happening in the Azure network. We have BitLocker as well. And if you actually register for that host level encryption, you’d have three layers of encryption.

So, those are some of the different ways that we can manage the encryption just inside of a virtual machine located in Azure, basically encrypting the virtual disks themselves.

47. Manage disk encryption keys for IaaS virtual machines

I want to look now at how we can create something called an Azure Key Vault for managing encryption keys that can be used for encrypting our data disk.

Now, data and operating system virtual disks, I should say. So, here I am on portal.azure.com. I’m going to click the menu button here and I’m going to go to All services. We’re just going to do a search for the word vault and you’ll see you have an option here called Key Vault, and we’ll go ahead and click to create a key vault. All right. And I’m just going to store this in my VMDemo resource group, but I could create a new resource group. I’m going to call this LP Key Vault demo. Let’s see if that name is taken. It’s not. So, we’re good. So, East US, pricing is standard. Now, you can do premium. The difference between standard and premium mostly is that with premium, you get to utilize Microsoft’s HSM equipment. And that is basically an appliance in their data center. If you’re not familiar with it, I’ll show you what they look like. And they’re basically like storage area network based equipment that can be used to physically protect your encryption keys. And keep in mind, Microsoft has a lot of protection in place, but the vault itself is going to just be sitting on normal equipment racks. But if you use premium, then it’s going to be sitting inside of an HSM piece of equipment. So, it has extra protection. It takes multiple people to even tamper with this thing, mess with it. They have to have keys and physical keys and all that. So, it just adds an extra layer of protection. You can view the pricing calculator, the Azure pricing calculator, if you want to look at the price of that.

You’ve also got recovery options. It says soft delete protection will automatically be enabled on this key vault. This feature allows you to recover or permanently delete your key vault and secrets for the duration of the retention period. So, as this protection applies to the key vault and the secrets stored within the key vault, you can also do mandatory retention.

If the thing is deleted, you can basically delete it for up to 90 days. And we’re also going to do purge protection. It enforces a mandatory retention period for deleted vaults. So, that’s fine. We’ll click Next and then it says, all right, so you’re going to use a permission model. It’s going to use vault access policy. What that is, is that’s going to let the vault control who gets access. And by default, that is just me. That’s basically who’s getting access. Right. But then I can also do, if I wanted to do an RBAC based method for giving access, then I could choose to do RBAC if I wanted to. So, I’m just going to leave it as default. And we’re going to allow this for virtual machine deployment as well as disk encryption. The three main things, and I’m going to click Review and create. I don’t have anything else I really need to set there. And we’ll click to create. All right.

At that point, it just takes a moment for our key vault to get created. And then once the key vault is created, I can jump right in and start creating my key. All right, now what I’m going to do is I’m going to click Go to the resource, and you’ll see right here I have a blade called Keys. And I’m going to click to generate a key. This is going to generate a new key. You could import one if you had an existing one from something, and then you could also restore one from backup. But we’re going to give it a name. And I call this LP key demo. All right. For example, elpkeydemo. Then, RSA is the Rivest-Shamir-Adleman algorithm. That’s the most common algorithm that most everybody uses on the planet these days. And then EC is the elliptic curve, which is based on Diffie-Hellman algorithm. But 2048-bit is also the common bit length right now in today’s world for encrypting public private key encryption as well as symmetric based keys. Then you’ve got set activation date or expiration date. You can set that if you want. If you want the key to become active at a certain time or expire at a certain time, you can also say that the key is going to go ahead and be enabled. Or if you wanted to disable that temporarily, you could do that. You could choose note, you could apply tags, and then if you wanted to rotate the key, you have multiple keys and you can basically have a rotation where you use a different key for different reasons. I can rotate it out, use a different key at some point. So, this was being used for encrypting some kind of service. I could periodically have a different key used instead for encrypting it, but I’m going to click Create. And as you can see, my new key has officially been created.

Another thing you can do is you can go here to this Access control (IAM) and give authority for managing the key. You can click Add, Add role assignment. And then you can choose Owner. If you want to make somebody a Key Vault Administrator or something like that, you could choose that and choose who the member is going to be, whoever you want it to be, which in my case I’ll just put myself just to kind of demo that. But Select and then Review and assign. And we’ve now set that up.

Now, I want to go up and create something called an encryption set, which is what’s going to allow you to associate this with a disk. So, if I go up to the menu button here and go to All services, we can search for disk encryption set. Here it is right here. All right. And then I can create a disk encryption set if I want. I’ll just store this in this VMDemo here. I’m going to call this elpencryptionset. All right. Yes. So, encryption at rest with a customer managed key; it says you also have double encryption with platform and customer managed keys, that’s a dual layer encryption, and then confidential disk with a customer managed key. This is a preview based system at the creation of this video. But so you can choose, obviously, which of those that you’d want to go with, right? You probably, too, would want to consider checking out the pricing of all that. You can do that on the Azure calculator.

So, at that point, I’m just going to go with this first one here and I’m going to click Review and create. Oh, missed something. Oh, I didn’t select the key. Yeah, it’s kind of the key vault. You got to select the key vault, which is this elpkeyvaultdemo. And then the key. There we go.

Now, select our key. We’ll click Review and create, should validate, and we’ll click to Create. So, we’re going to go ahead and let that get created. All right. Once it’s done, I’ll go to the resource here and it says to associate a disk image or snapshot with the disk encryption set, you must grant permission to the key vault. So, we’ll go ahead and click on that. And we have successfully granted it permission.

Now that I’ve done that, I should be able to click the menu button here. I’m going to go to my virtual machines. All right. And then I’m going to click on my virtual machine that I created. And the other thing is I’ve stopped my virtual machine. And if you’re doing this, you would need to make sure that your virtual machine is stopped. And I would wait about 5 minutes after it’s been stopped just to be safe. But once that’s occurred, I should be able to go over to the disks and I can click on my disk here, the operating system disk, and click on encryption. And I should now be able to choose my customer managed key. So, there it is. I’m going to click Save and it’s now updating the disk with that new key. And I could do the exact same thing with my other disk. At that point, I’ve now officially encrypted my disk with my customer managed key, and now hopefully that gives you a good understanding of how we can go about encrypting these virtual disks, using these customer managed keys ourselves as opposed to just using the built in Microsoft encryption that they have.
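As an added example (not code from the video), the same customer managed key workflow from this lesson done with Az PowerShell instead of the portal: key vault with purge protection, RSA 2048 key, disk encryption set, the access policy grant that the portal does for you, and then re-keying the stopped VM’s OS and data disks. Resource names follow the video; the region string and the variable names are assumptions.

```powershell
# Added example, not from the video: customer managed key for managed disks via Az PowerShell.
# Names from the video: VMDemo, winserver1, elpkeyvaultdemo, elpkeydemo, elpencryptionset.
$rg      = 'VMDemo'
$loc     = 'eastus'          # assumption: East US as in the video
$vm      = 'winserver1'
$kvName  = 'elpkeyvaultdemo'
$keyName = 'elpkeydemo'
$desName = 'elpencryptionset'

# 1. Key vault: soft delete is always on; purge protection is required by disk
#    encryption sets; -EnabledForDiskEncryption matches the portal checkbox.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc `
        -EnablePurgeProtection -EnabledForDiskEncryption

# 2. RSA 2048 key. Software-protected here; use -Destination HSM on a premium vault.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software `
        -KeyType RSA -Size 2048

# 3. Disk encryption set bound to that key, with a system-assigned managed identity.
$desCfg = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $kv.ResourceId `
            -KeyUrl $key.Id -IdentityType SystemAssigned `
            -EncryptionType EncryptionAtRestWithCustomerKey
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -DiskEncryptionSet $desCfg

# 4. "Grant permission to the key vault": the set's identity needs get/wrapKey/unwrapKey
#    (vault access policy model, as chosen in the video).
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 5. Disks can only be re-keyed while the VM is deallocated.
Stop-AzVM -ResourceGroupName $rg -Name $vm -Force | Out-Null
$vmObj     = Get-AzVM -ResourceGroupName $rg -Name $vm
$diskNames = @($vmObj.StorageProfile.OsDisk.Name) + @($vmObj.StorageProfile.DataDisks.Name)

# 6. Switch the OS disk and every data disk to the customer managed key.
foreach ($d in $diskNames) {
    New-AzDiskUpdateConfig -EncryptionType EncryptionAtRestWithCustomerKey `
        -DiskEncryptionSetId $des.Id |
        Update-AzDisk -ResourceGroupName $rg -DiskName $d | Out-Null
}

# 7. Verify: EncryptionType should read EncryptionAtRestWithCustomerKey with the set's id.
Get-AzDisk -ResourceGroupName $rg | Where-Object { $diskNames -contains $_.Name } |
    Select-Object Name, @{n='EncryptionType'; e={ $_.Encryption.Type }},
                        @{n='DiskEncryptionSet'; e={ $_.Encryption.DiskEncryptionSetId }}

Start-AzVM -ResourceGroupName $rg -Name $vm | Out-Null
```

The access policy grant in step 4 is the step the portal performs when you click “grant permission to the key vault”; without it the disk update in step 6 fails because the set cannot wrap or unwrap the disk key.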