Use BYOK for Disk Volumes Encryption

More Info:

Ensure that your Azure virtual machine disk volumes are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for disk encryption), in order to have a more granular control over your VM data encryption/decryption process.

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of not using Bring Your Own Key (BYOK) for Disk Volumes Encryption on Azure using Azure CLI, follow the below steps:

Create a new Key Vault in Azure or use an existing one.
Create a new Key in the Key Vault or use an existing one.
Grant the Disk Encryption Set (DES) access to the Key Vault and Key.
Enable disk encryption using the Key Vault and Key.

The following are the detailed steps to remediate the misconfiguration:Step 1: Create a new Key Vault in Azure or use an existing oneUse the below command to create a new Key Vault in Azure:

az keyvault create --name "key-vault-name" --resource-group "resource-group-name" --location "location"

Replace “key-vault-name” with the name of the Key Vault, “resource-group-name” with the name of the resource group, and “location” with the location of the Key Vault.Step 2: Create a new Key in the Key Vault or use an existing oneUse the below command to create a new Key in the Key Vault:

az keyvault key create --vault-name "key-vault-name" --name "key-name" --protection software --size 2048

Replace “key-vault-name” with the name of the Key Vault and “key-name” with the name of the Key.Step 3: Grant the Disk Encryption Set (DES) access to the Key Vault and KeyUse the below command to grant the Disk Encryption Set (DES) access to the Key Vault:

az keyvault set-policy --name "key-vault-name" --object-id "object-id" --key-permissions "wrapkey" --secret-permissions "set"

Replace “key-vault-name” with the name of the Key Vault and “object-id” with the object ID of the Disk Encryption Set (DES).Use the below command to grant the Disk Encryption Set (DES) access to the Key:

az keyvault set-policy --name "key-vault-name" --object-id "object-id" --key-permissions "get" --secret-permissions "get"

Replace “key-vault-name” with the name of the Key Vault and “object-id” with the object ID of the Disk Encryption Set (DES).Step 4: Enable disk encryption using the Key Vault and KeyUse the below command to enable disk encryption using the Key Vault and Key:

az disk encryption set update --resource-group "resource-group-name" --name "disk-encryption-set-name" --key-url "key-url" --key-vault-id "key-vault-id"

Replace “resource-group-name” with the name of the resource group, “disk-encryption-set-name” with the name of the Disk Encryption Set (DES), “key-url” with the URL of the Key, and “key-vault-id” with the ID of the Key Vault.After following these steps, the misconfiguration of not using BYOK for Disk Volumes Encryption on Azure using Azure CLI will be remediated.

Using Python

To remediate the misconfiguration of not using BYOK for Disk Volumes Encryption in AZURE using Python, follow the steps below:

First, you need to create a new key vault in Azure. To create a key vault, you can use the azure-mgmt-keyvault Python package. Install the package using the following command:

pip install azure-mgmt-keyvault

Then, use the following code snippet to create a new key vault:

from azure.identity import DefaultAzureCredential
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, Sku, AccessPolicyEntry, Permissions, SecretPermissions

# Set the subscription ID and resource group name
subscription_id = '<your-subscription-id>'
resource_group_name = '<your-resource-group-name>'

# Set the key vault name and region
vault_name = '<your-key-vault-name>'
region = '<your-region>'

# Create the key vault management client
credential = DefaultAzureCredential()
keyvault_client = KeyVaultManagementClient(credential, subscription_id)

# Set the SKU and access policies for the key vault
sku = Sku(name='standard', family='A')
access_policy = AccessPolicyEntry(
    tenant_id='<your-tenant-id>',
    object_id='<your-object-id>',
    permissions=Permissions(
        secrets=[SecretPermissions.get, SecretPermissions.list, SecretPermissions.set]
    )
)

# Create the key vault parameters
parameters = VaultCreateOrUpdateParameters(
    location=region,
    properties={
        'sku': sku,
        'access_policies': [access_policy]
    }
)

# Create the key vault
keyvault_client.vaults.create_or_update(resource_group_name, vault_name, parameters)

Next, you need to create a new key in the key vault. To create a new key, you can use the azure-keyvault-keys Python package. Install the package using the following command:

pip install azure-keyvault-keys

Then, use the following code snippet to create a new key:

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

# Set the key vault URL and key name
key_vault_url = f'https://{vault_name}.vault.azure.net/'
key_name = '<your-key-name>'

# Create the key client and cryptography client
credential = DefaultAzureCredential()
key_client = KeyClient(key_vault_url, credential)
crypto_client = CryptographyClient(key_client.get_key(key_name).id, credential)

# Generate a new RSA key pair
key_size = 2048
key_ops = ['encrypt', 'decrypt']
key = key_client.create_rsa_key(name=key_name, size=key_size, key_operations=key_ops)

# Encrypt a test message using the new key
message = b'This is a test message.'
encrypted_message = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, message)

Finally, you need to enable BYOK for disk volume encryption in Azure. To do this, you can use the azure-mgmt-compute Python package. Install the package using the following command:

pip install azure-mgmt-compute

Then, use the following code snippet to enable BYOK for disk volume encryption:

from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.compute.models import DiskEncryptionSetParameters, EncryptionSetIdentity

# Set the subscription ID and resource group name
subscription_id = '<your-subscription-id>'
resource_group_name = '<your-resource-group-name>'

# Set the disk encryption set name and key vault URL
disk_encryption_set_name = '<your-disk-encryption-set-name>'
key_vault_url = f'https://{vault_name}.vault.azure.net/'

# Create the compute management client
credential = DefaultAzureCredential()
compute_client = ComputeManagementClient(credential, subscription_id)

# Create the disk encryption set parameters
identity = EncryptionSetIdentity(type='UserAssigned', user_assigned_identities={
    f'/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{key_name}': {}
})
parameters = DiskEncryptionSetParameters(
    identity=identity,
    key_vault_uri=key_vault_url
)

# Create the disk encryption set
compute_client.disk_encryption_sets.create_or_update(resource_group_name, disk_encryption_set_name, parameters)

Note that you need to replace the placeholders <your-subscription-id>, <your-resource-group-name>, <your-key-vault-name>, <your-region>, <your-tenant-id>, <your-object-id>, <your-key-name>, <your-disk-encryption-set-name> with your own values.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Use BYOK for Disk Volumes Encryption

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation