Use Customer Managed Keys for Virtual Hard Disk Encryption
More Info:
Ensure that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs – default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process. Virtual Hard Disks are the old style disks that were attached to Azure virtual machines (VMs). VHDs are stored in blob storage accounts.Risk Level
MediumAddress
SecurityCompliance Standards
HITRUST, SOC2, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for Azure using the Azure console, follow the below steps:
- Open the Azure portal and log in to your account.
- Navigate to the virtual machine that you want to remediate.
- Select the virtual machine and click on the “Disks” option in the left-hand side menu.
- Select the disk that you want to encrypt with customer-managed keys.
- Click on the “Disk Encryption” option in the top menu.
- In the Disk Encryption pane, select “Customer Managed Keys” as the encryption type.
- Click on the “Select a Key” option and choose the key that you want to use for encryption.
- Click on the “Save” button to save the changes.
- Wait for the encryption process to complete.
Using CLI
Using CLI
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for Azure using Azure CLI, follow the below steps:
- Open Azure CLI and log in to your Azure account.
-
Create a new customer-managed key in Azure Key Vault using the below command:
az keyvault key create --vault-name <key-vault-name> --name <key-name> --protection softwareReplace<key-vault-name>with the name of your Azure Key Vault and<key-name>with a name for your new key. -
Retrieve the key ID of the newly created key using the below command:
az keyvault key show --vault-name <key-vault-name> --name <key-name> --query key.kid -o tsvThis command will return the key ID in the format:/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>/keys/<key-name>/<key-version> -
Update the virtual hard disk (VHD) to use the customer-managed key for encryption using the below command:
az disk encryption set --resource-group <resource-group-name> --name <disk-name> --key-url <key-id> --key-vault <key-vault-name> --encryption-type <encryption-type>Replace<resource-group-name>with the name of the resource group containing the VHD,<disk-name>with the name of the VHD to be encrypted,<key-id>with the key ID retrieved in step 3,<key-vault-name>with the name of the Azure Key Vault, and<encryption-type>with the type of encryption to use (e.g. “AES256”). -
Verify that the disk encryption is enabled by running the below command:
az disk encryption show --resource-group <resource-group-name> --name <disk-name>This command will return the encryption status of the disk.
Using Python
Using Python
To remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for AZURE using Python, you can follow the below steps:Step 1: Import the required libraries and authenticate to AzureStep 2: Get the list of virtual machines in the subscriptionStep 3: For each virtual machine, check if the virtual hard disk is encrypted with a customer managed key. If not, update the encryption settings to use a customer managed key.Note: Replace the
<subscription-id>, <key-vault-uri> and <key-secret-url> placeholders with the actual values.By following the above steps, you can remediate the misconfiguration “Use Customer Managed Keys for Virtual Hard Disk Encryption” for AZURE using Python.