Azure Introduction
Azure Pricing
Azure Threats
Use Customer Managed Keys for Virtual Hard Disk Encryption
More Info:
Ensure that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs – default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process. Virtual Hard Disks are the old style disks that were attached to Azure virtual machines (VMs). VHDs are stored in blob storage accounts.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for Azure using the Azure console, follow the below steps:
-
Open the Azure portal and log in to your account.
-
Navigate to the virtual machine that you want to remediate.
-
Select the virtual machine and click on the “Disks” option in the left-hand side menu.
-
Select the disk that you want to encrypt with customer-managed keys.
-
Click on the “Disk Encryption” option in the top menu.
-
In the Disk Encryption pane, select “Customer Managed Keys” as the encryption type.
-
Click on the “Select a Key” option and choose the key that you want to use for encryption.
-
Click on the “Save” button to save the changes.
-
Wait for the encryption process to complete.
Once the encryption process is complete, the virtual machine disk will be encrypted with the customer-managed key.
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for Azure using Azure CLI, follow the below steps:
-
Open Azure CLI and log in to your Azure account.
-
Create a new customer-managed key in Azure Key Vault using the below command:
az keyvault key create --vault-name <key-vault-name> --name <key-name> --protection softwareReplace
<key-vault-name>with the name of your Azure Key Vault and<key-name>with a name for your new key. -
Retrieve the key ID of the newly created key using the below command:
az keyvault key show --vault-name <key-vault-name> --name <key-name> --query key.kid -o tsvThis command will return the key ID in the format:
/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>/keys/<key-name>/<key-version> -
Update the virtual hard disk (VHD) to use the customer-managed key for encryption using the below command:
az disk encryption set --resource-group <resource-group-name> --name <disk-name> --key-url <key-id> --key-vault <key-vault-name> --encryption-type <encryption-type>Replace
<resource-group-name>with the name of the resource group containing the VHD,<disk-name>with the name of the VHD to be encrypted,<key-id>with the key ID retrieved in step 3,<key-vault-name>with the name of the Azure Key Vault, and<encryption-type>with the type of encryption to use (e.g. “AES256”). -
Verify that the disk encryption is enabled by running the below command:
az disk encryption show --resource-group <resource-group-name> --name <disk-name>This command will return the encryption status of the disk.
By following the above steps, you can remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for Azure using Azure CLI.
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for AZURE using Python, you can follow the below steps:
Step 1: Import the required libraries and authenticate to Azure
from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.resource import ResourceManagementClient
credential = DefaultAzureCredential()
compute_client = ComputeManagementClient(
credential=credential,
subscription_id='<subscription-id>'
)
resource_client = ResourceManagementClient(
credential=credential,
subscription_id='<subscription-id>'
)
Step 2: Get the list of virtual machines in the subscription
vm_list = compute_client.virtual_machines.list_all()
Step 3: For each virtual machine, check if the virtual hard disk is encrypted with a customer managed key. If not, update the encryption settings to use a customer managed key.
for vm in vm_list:
for disk in vm.storage_profile.data_disks:
if not disk.disk_encryption_settings or not disk.disk_encryption_settings.enabled:
# Update the encryption settings to use customer managed key
disk.disk_encryption_settings = {
'enabled': True,
'disk_encryption_key': {
'source': 'Microsoft.Keyvault',
'vault_uri': '<key-vault-uri>',
'secret_url': '<key-secret-url>'
}
}
compute_client.virtual_machines.create_or_update(
resource_group_name=vm.id.split('/')[4],
vm_name=vm.name,
parameters=vm
)
Note: Replace the <subscription-id>, <key-vault-uri> and <key-secret-url> placeholders with the actual values.
By following the above steps, you can remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for AZURE using Python.