
Azure Disk Encryption for Unattached Disk Volumes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-003

Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption (ADE) in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure VMs inside the guest operating system, using the DM-Crypt feature of Linux or the BitLocker feature of Windows, and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Once a volume is encrypted, encryption and decryption are transparent to the applications running on the VM and require no additional action from you or your application.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux and the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. When your cloud applications work with sensitive data such as PII (Personally Identifiable Information), it is strongly recommended to enable encryption to protect this data from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. By encrypting disk volumes detached from your Microsoft Azure virtual machines, you have the assurance that your data is unrecoverable without the encryption key, which protects it from unwarranted reads. Even if a disk volume is not attached to any VM provisioned within your Azure cloud account, a compromised user account with administrative privileges can attach the unencrypted disk to a VM it controls and read its contents, which can lead to sensitive information disclosure and/or data leakage.


Audit

To determine if encryption at rest is enabled for your unattached VM disk volumes, perform the following actions:

Note 1: Azure Disk Encryption encrypts the volume inside the guest OS (BitLocker or DM-Crypt) with keys that you hold in Azure Key Vault. This is distinct from Server-Side Encryption (also referred to as encryption at rest or Azure Storage encryption), which the storage service applies to every managed disk regardless of this setting; this rule checks only for Azure Disk Encryption.

Note 2: Getting the Azure Disk Encryption status for the detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run disk list command (Windows/macOS/Linux) using custom query filters to list the ID of each unattached managed disk volume available in the current Azure subscription:

az disk list \
  --query '[?diskState == `Unattached`].id'

02 The command output should return the requested disk volume identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_1"
]

03 Run disk show command (Windows/macOS/Linux) using the ID of the managed disk volume that you want to examine as identifier parameter to obtain the encryption configuration settings available for the selected unattached VM disk volume:

az disk show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0" \
  --query '{encryptionSettingsCollection: encryptionSettingsCollection}'

04 The command output should return the configuration settings for the specified disk volume:

{
  "encryptionSettingsCollection": null
}

If the disk show command output returns null as the value of the "encryptionSettingsCollection" attribute, as shown in the example above, no Azure Disk Encryption settings exist for the unattached Azure VM disk volume and the volume is considered unencrypted by this rule (the platform's Server-Side Encryption still applies at the storage layer, but it does not satisfy this rule).

05 Repeat steps no. 3 and 4 for each Azure disk volume detached from a virtual machine, provisioned in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
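The audit above, automated as an added example that is not part of the original Conformity article: the script applies the same test as steps 1 to 4 to the JSON that `az disk list --output json` returns for one subscription and reports every unattached disk whose encryptionSettingsCollection is missing, null or not enabled. The disk records embedded in it are constructed sample data in the shape of `az disk list` output; the subscription, resource group and Key Vault IDs are placeholders taken from the examples on this page, and the `--live` switch is this script's own convention, not an Azure CLI option.

```python
"""Audit unattached Azure managed disks for Azure Disk Encryption (ADE) settings.

Added example, not part of the Conformity article. Without arguments it runs
against the constructed sample records below; with `--live` (this script's own
switch) it runs `az disk list` for the subscription currently selected with
`az account set`, so run it once per subscription (audit step 6).
"""
import json
import subprocess
import sys

# Placeholder identifiers (constructed, same values as the page's examples).
SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"
RG = SUB + "/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE"
VAULT = (SUB + "/resourceGroups/cloud-shell-storage-westeurope"
         "/providers/Microsoft.KeyVault/vaults/cc-encryption-vault")


def disk(name, state, esc):
    """Build a minimal disk record in the shape `az disk list` returns (constructed)."""
    return {
        "id": f"{RG}/providers/Microsoft.Compute/disks/{name}",
        "name": name,
        "diskState": state,
        "encryptionSettingsCollection": esc,
    }


# Constructed sample: one attached disk (out of scope for this rule) and three
# unattached disks in the states the audit has to tell apart.
SAMPLE_DISKS = [
    disk("cc-warehouse-app_OsDisk", "Attached", None),
    disk("cc-warehouse-app_DataDisk_0", "Unattached", None),
    disk("cc-warehouse-app_DataDisk_1", "Unattached",
         {"enabled": True,
          "encryptionSettings": [{"diskEncryptionKey": {"sourceVault": {"id": VAULT}}}]}),
    disk("cc-warehouse-app_DataDisk_2", "Unattached",
         {"enabled": False, "encryptionSettings": []}),
]


def ade_enabled(record):
    """True only when the disk carries an enabled Azure Disk Encryption settings block.

    `az disk show` returns encryptionSettingsCollection as null when ADE was never
    configured, or as an object with an "enabled" flag; a list of settings entries
    (each with its own "enabled"), as shown in this page's sample output, is also accepted.
    """
    esc = record.get("encryptionSettingsCollection")
    if not esc:
        return False
    if isinstance(esc, list):
        return any(entry.get("enabled") is True for entry in esc)
    return esc.get("enabled") is True


def find_noncompliant(records):
    """Return the IDs of unattached disks without enabled ADE settings (audit steps 1-4)."""
    return [r["id"] for r in records
            if r.get("diskState") == "Unattached" and not ade_enabled(r)]


def load_live_disks():
    """Run `az disk list` for the currently selected subscription and parse its JSON."""
    result = subprocess.run(["az", "disk", "list", "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    records = load_live_disks() if "--live" in sys.argv[1:] else SAMPLE_DISKS
    findings = find_noncompliant(records)
    for disk_id in findings:
        print(f"NON-COMPLIANT: {disk_id}")
    unattached = sum(r.get("diskState") == "Unattached" for r in records)
    print(f"{len(findings)} of {unattached} unattached disk(s) lack Azure Disk Encryption settings")
    sys.exit(1 if findings else 0)
```

The exit status is non-zero whenever a finding exists, so the script can gate a pipeline; the per-disk `az disk show` calls of steps 3 and 4 are unnecessary because `az disk list` already returns the encryptionSettingsCollection attribute for every disk.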

Remediation / Resolution

To enable encryption for your unattached Microsoft Azure VM disk volumes, perform the following actions:

Note: Enabling encryption at rest for detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the disk encryption key will be stored. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support, and keep soft delete and purge protection enabled so that a deleted key or secret cannot be purged before the disks that depend on it are recovered:

az keyvault create \
  --name cc-encryption-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-soft-delete true \
  --enable-purge-protection true \
  --enabled-for-disk-encryption true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault",
  "location": "westeurope",
  "name": "cc-encryption-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "vaultUri": "https://cc-encryption-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run disk update command (Windows/macOS/Linux) using the ID of the detached Azure VM disk volume that you want to reconfigure as identifier parameter (see the Audit section, steps no. 1 and 2, to identify the right resource) and the ID of the Azure Key Vault created at the previous steps as configuration parameter, to enable encryption for the selected unattached disk volume:

az disk update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0" \
  --set encryptionSettingsCollection.diskEncryptionKey="/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault" encryptionSettingsCollection.enabled=true

04 The command output should return the configuration metadata for the reconfigured Azure VM disk volume. This records the Azure Disk Encryption settings (the Key Vault that holds the disk encryption key) on the disk resource; the volume's content is encrypted by the Azure Disk Encryption extension inside the guest OS when the disk is attached to a virtual machine:

{
  "creationData": {
    "createOption": "Empty",
    "imageReference": null,
    "sourceResourceId": null,
    "sourceUri": null,
    "storageAccountId": null
  },
  "diskIopsReadWrite": 120,
  "diskMbpsReadWrite": 25,
  "diskSizeGb": 32,
  "diskState": "Unattached",
  "encryptionSettingsCollection": [
    {
      "diskEncryptionKey": {
        "sourceVault": {
          "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault"
        }
      },
      "enabled": true,
      "keyEncryptionKey": null
    }
  ],
  "hyperVgeneration": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0",
  "location": "westeurope",
  "managedBy": null,
  "name": "cc-warehouse-app_DataDisk_0",
  "osType": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "sku": {
    "name": "StandardSSD_LRS",
    "tier": "Standard"
  },
  "tags": {},
  "timeCreated": "2019-09-10T11:31:24.276707+00:00",
  "type": "Microsoft.Compute/disks",
  "zones": [
    "1"
  ]
}

05 Repeat steps no. 3 and 4 for each unencrypted Azure disk volume detached from a virtual machine, available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Publication date Sep 20, 2019