Azure Virtual Machine Disk Encryption With Azure Key-Vault

Let us begin this article with an understanding of Azure Key-Vault.

Azure Key-Vault 
  • Azure Key-Vault is a key management as a service which provides Hardware-based Key Management via Hardware Security Model (HSM) along with Software-based Key Management.
  • We can either generate keys or import existing keys to the Azure Key Vault.
  • It contains two options to manage sensitive information.
  • Secrets – Key Vault accept any value as a secret, and these are stored in binary. We can store sensitive information such as passwords or API keys.
  • Keys -- These Keys are either generated by the Key Value itself or imported. These keys are cryptographic and have public and private keys.
  • Azure Key-Vault is the multi-tenant service. You do not have a dedicated hardware security module.  
 Points to be noted, 
  • Your Virtual Machine and Key Vault must reside in the same region.
  • To use the Azure Key Vault, you are going to register an Azure Active Directory Application, because Azure Active Directory authentication is used to manage the keys in the vault.
Let us try to encrypt Azure VM disks and provide hardware security with the help of Azure Key-Vault.
Step 1

Go to Azure PortalàAzure Active DirectoryàApp RegistrationàNew Application Registration.

Step 2 - Create New Azure AD Application.

Give the name of the new application, select the application type and provide sign-on URL. It is not mandatory that a sign-on URL exists. You can give any URL with the correct pattern and click on Create.

Step 3 - Get your Application ID.

Once the application is created , click on the application name and copy Application Id, paste into notepad and click on Settings.

From the settings pane click on Keys.

Step 4 - Generate the Encryption Key.
 You can see within the Key section we do not have any key. We need to create it.

So give the Name, Duration and Save. It will generate the Key. Copy it before you close the blade. You won’ t get it again. So copy and paste it.

Step 5

Create your Azure Key-Vault and implement key management as a service.
Close all bladed.

Go to More Services and Search for Key Vault.

Step 6 - Provision Azure Key-Vault along with Policy.

Once you are inside Key-Vaults click on Add.

Now as shown in figure below, give some name to the key-vault. Also make sure your key-vault is in the same resource group where you have your VM.

Click on Access PolicyàClick on Add NewàSelect Principalàand select the Azure Active Directory application you have just created and click on Select.


Step 7

Encrypt your Key using WRAP. This operation will encrypt your symmetric key using a key encryption key that has previously been stored in the Azure Key Vault. It is a cryptographic operation.
Now under key permission select Wrap key and click OK.
Step 8

Under Secret permission click on Set.

Step 9 - Set your Access Policy.

Now under Access Policies blade click on Advanced Access Policy

Step 10 

Select Enable Access to Azure Disk Encryption for volume encryption.

If you do not check this, your VM will fail to start.

Finally Click on Create. 


Step 11 - Once your deployment has succeeded just refresh the screen and you can see your key-vault is created.

Step 12 - Encrypt your Azure VM disks.  
 To encrypt our vm disk we will use Azure Quick start template from the Github.


Go to the URL and click on Deploy to Azure.


Step 13

Now populate all the values shown in figure below and Agree to terms and conditions. Click on Purchase.

Step 14

Once you click on purchase, It will start encrypting your VM disk. It will take around 10 minutes and once deployment is succeeded, if you go to your VMàDisks , you can see OS disk is Encryption Enabled.


So finally, you can see your VM Disk is encrypted and which is based on Hardware Security Model followed by Azure Key Vault.