FAQ: Achieving compliance with newly released Azure disk encryption for Windows and Linuxby John Grange
Early this year, we wrote about encryption-at-rest as part of our security series. Traditionally, encryption-at-rest, or disk encryption as we’ll refer to it going forward, has been costly and more difficult to implement in a public cloud environment. As cloud offerings have matured they’ve become much more appealing to the enterprise: security is improved, competition has driven costs down, and new features allow for unprecedented speed and efficiency when compared to the traditional data center. Azure is at the forefront of enterprise cloud functionality, API’s, and integration with core enterprise applications like Active Directory, but until very recently, there wasn’t a native way to implement disk encryption.
Up until now you could use Microsoft’s Bitlocker inside your Windows VM, or for Linux you could use any number of filesystem or disk encryption options, but none of these are integrated in any way into the broader Azure environment. This means management and security of your keys/secrets is an issue and it drastically complicates deployments. Even if you’re using configuration management platforms like Ansible, Chef, or DSC , you now have to add a new complicated layer to each deployment.
Now, as part of Azure’s preview portal – Azure’s platform for the future built on Azure Resource Manager (ARM) – you can deploy native disk encryption for existing VM disks as well as disks for new VM builds. This new functionality adds much-need flexibility for those organizations that require disk encryption to meet data security and compliance commitments.
In an effort to provide more definition around this new functionality while remarking on common questions we’ve been asked in the field, I will use an FAQ format to address the details of Azure disk encryption for Windows and Linux.
Isn’t Azure disk encryption for Windows just Bitlocker?
For Windows, Azure disk encryption is based on Bitlocker technology, but it’s been built into Azure as a native feature that is configured outside of the VM via ARM. Key management is integrated into Azure Key Vault providing an end-to-end disk encryption solution for your Windows IaaS VM’s. Disk encryption for Linux VM disks works the exact same way but the underlying technology is dm-crypt and not Bitlocker.
Can I implement Azure Disk encryption from the service management portal?
No, Azure disk encryption is only available in Azure preview which is based on ARM. Currently, disk encryption can be implemented via Azure CLI or ARM json templates. New VM’s can be created from the Azure gallery with encrypted disks or you can encrypt existing disks but both tasks need to be done via templates of CLI.
How do I manage my keys?
Azure Key Vault is used to manage keys and policies leaving no application with access to keys and a central place to audit.
How do I audit the keys and policies?
Yes, you can add key vault logs to your log pipeline for auditing.
Can I encrypt the disks on existing VM’s or just newly created one’s?
You can encrypt disk on newly created VM’s as well as existing VM’s. To create a VM with encrypted disks it needs to be created from the Azure Gallery. To encrypt disks on a VM built from a custom image, you would need to provision that VM with your custom image and then go through the process of encrypting the disks of an existing VM.
Does disk encryption work the same on Linux as it does with Windows?
Yes, the Azure disk encryption process is the same whether you’re using a Linux or Windows OS. You use the same CLI or ARM template configuration to implement disk encryption on Linux as you do on Windows while keys are also managed in the same way. The only difference is the underlying technology used for encryption but that technology has been abstracted out of the process.
What are the current limitations?
Currently, there are some limitations to the this initial implementation of Azure disk encryption. The main limitations today are that all of your disks and keys must be in located the same region, there is currently no integration with on-premise key management systems, and you cannot disable encryption once it has been setup.