Azure Virtual Machine Disk Encryption using Encryption at Host option – MyKloud



The following is an excerpt from the Encryption chapter of the book Exam AZ-500 Study & Lab Guide Part 3: Microsoft Certified Azure Security Engineer Associate.

Refer to this blog post if you want to know more about the different options available for encrypting Azure Virtual Machine disks.

With Encryption at host, encryption happens in two places: once on the Azure host server where your VM runs, and once for the Virtual Machine OS and data disks at rest, using a platform-managed key or a customer-managed key.

With Encryption at host, encryption starts on the Azure server where your VM is allocated. Encryption at host ensures that VM data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.

Temporary disks and ephemeral OS disks are always encrypted at rest with platform-managed keys when you enable Encryption at host.

The OS and data disk caches are encrypted at rest with either customer-managed or platform-managed keys, depending on the selected disk encryption type. 

Exercise 6: Create Disk Encryption Set

In this exercise we will create a Disk Encryption Set named DESCloud in Resource Group RGCloud. We will use Key Vault kvcloud510 and Key ekcloud2, and we will choose the Double Encryption option while creating the Disk Encryption Set. Resource Group RGCloud was created in Exercise 1 of Chapter 3 in the Part 1 book. Key Vault kvcloud510 and Symmetric Key ekcloud2 were created in Exercises 1 & 2 of the Key Vault chapter (Chapter 8) in the Part 2 book.

We will use Disk Encryption Set in upcoming Exercise 9.

Note: To know more about Disk Encryption Set, refer to Disk Encryption Set topic in this Chapter.

1. Go to the Azure Portal and in the search box type Disk Encryption Set and press Enter> All Disk Encryption Sets pane opens> Click + Create> Create a disk encryption set blade opens as shown below> In Resource Group select RGCloud> Enter a name. I entered DESCloud> In Region select East US 2> In the Encryption type dropdown box select Double Encryption> In Key Vault select kvcloud510> In Key select ekcloud2> In Version select the value marked Current version> Click Review + create> After validation has passed click Create (Not Shown).

2. The figure below shows the dashboard of Disk Encryption Set DESCloud> Note the link at the top: To associate a disk, image or snapshot with this encryption set you must grant permissions to the key vault kvcloud510.

3. In the above figure click the link To associate a disk, image or snapshot with this encryption set you must grant permissions to the key vault kvcloud510> Proceed to the next step after you get the notification: Successfully granted permissions to the key vault kvcloud510.

4. Go to the Key Vault kvcloud510 dashboard and click Access policies in the left pane> In the right pane you can see that Disk Encryption Set DESCloud is granted access to the Key Vault with 3 Key Permissions (5th row).
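The same Disk Encryption Set, created from Az PowerShell instead of the portal, as an added example that is not part of the book's exercise. It assumes the Az.Compute, Az.KeyVault and Az.Resources modules are loaded, that Key Vault kvcloud510 and key ekcloud2 already exist as in the exercise, and that the vault uses access policies (not RBAC authorization). It also performs step 3 explicitly, granting the set's managed identity only the three key permissions it needs, and then lists the resulting access policy so you can compare it with what step 4 shows in the portal.

```powershell
# Added example (not from the book): create Disk Encryption Set DESCloud with
# double encryption via Az PowerShell, then grant it key permissions on kvcloud510.
$rg        = 'RGCloud'
$location  = 'eastus2'
$vaultName = 'kvcloud510'
$keyName   = 'ekcloud2'
$desName   = 'DESCloud'

# A Disk Encryption Set requires soft delete and purge protection on the vault,
# so a deleted key cannot silently make every disk that depends on it unreadable.
$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault.EnablePurgeProtection) {
    Update-AzKeyVault -ResourceGroupName $vault.ResourceGroupName -VaultName $vaultName -EnablePurgeProtection | Out-Null
    $vault = Get-AzKeyVault -VaultName $vaultName
}

# $key.Id is the versioned key URL the Disk Encryption Set will reference.
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName

# EncryptionAtRestWithPlatformAndCustomerKeys is "Double encryption" in the portal.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $vault.ResourceId `
    -KeyUrl $key.Id `
    -IdentityType SystemAssigned `
    -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeys

$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig

# Step 3 of the exercise, done explicitly: the set's system-assigned identity
# needs only get/wrapKey/unwrapKey on keys (least privilege); nothing on secrets
# or certificates.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# Verify what step 4 shows in the portal: one policy for the DES identity,
# carrying exactly three key permissions.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object ObjectId -eq $des.Identity.PrincipalId |
    Select-Object ObjectId, PermissionsToKeys
```

If the vault has RBAC authorization enabled, replace the Set-AzKeyVaultAccessPolicy call with a role assignment (Key Vault Crypto Service Encryption User) to the same principal id; the rest of the script is unchanged.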

Exercise 8: Enable Encryption at Host feature

Before we can use the Encryption at Host feature with our VM, we must enable the feature for our subscription. We will use PowerShell in Azure Cloud Shell to enable this feature.

1. In the Azure Portal click the Cloud Shell icon as shown below.

2. You will get the following screen. Enter the following PowerShell command:

Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

It will take a few minutes to register the feature. Go to the next step after 10-15 minutes.

3. To check whether the feature was registered or not, use the following PowerShell command:

Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"

Note: Don't go to the next Exercise until Registration State shows Registered. If required, enter the above command multiple times to check the Registration State.
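Steps 2 and 3 combined into one script, as an added example that is not part of the book's exercise: it registers the feature if needed and polls the registration state until it reads Registered, instead of re-running the Get command by hand. The 60-second interval and 30-minute deadline are choices of this example, and the final Register-AzResourceProvider call is included because a newly registered feature flag only takes effect once the resource provider picks it up.

```powershell
# Added example (not from the book): register EncryptionAtHost and wait for it.
$featureName = 'EncryptionAtHost'
$namespace   = 'Microsoft.Compute'

$current = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
if ($current.RegistrationState -ne 'Registered') {
    Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null
}

# Poll every 60 seconds, for at most 30 minutes (both values chosen here).
$deadline = (Get-Date).AddMinutes(30)
do {
    $state = (Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace).RegistrationState
    Write-Host "$(Get-Date -Format HH:mm:ss) $featureName : $state"
    if ($state -eq 'Registered') { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($state -ne 'Registered') {
    throw "Feature $featureName is still '$state' after 30 minutes; do not start the next exercise yet."
}

# The feature flag is applied when the resource provider re-registers;
# this call is idempotent on an already registered provider.
Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null
Write-Host "$featureName is Registered for this subscription."
```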

Exercise 9: Create Azure VM with Encryption at host enabled

In this Exercise we will enable Encryption at Host while creating a Virtual Machine. For the OS disk we will use customer-managed keys backed by Disk Encryption Set DESCloud, which was created in Exercise 6.

Note: To know more about Disk Encryption Set, refer to the Disk Encryption Set topic in this Chapter.

You must use the below link to access the Azure portal. Encryption at host is currently not visible in the public Azure portal without using the below link: https://aka.ms/diskencryptionupdates

1. Open a Google Chrome browser tab and log on to the Azure Portal at https://aka.ms/diskencryptionupdates with Subscription Administrator credentials and password.

2. In the Azure Portal click All Services> Compute> Virtual machines> All Virtual Machines pane opens> Click + Create and then + Virtual machine> Create a Virtual Machine blade opens as shown below> Select Resource Group RGCloud> Enter a name. I entered vmfe4> In Region select East US 2> In Availability options select No> In Image select Windows Server 2019 Datacenter> For Size select the default option> Enter a Username. I entered AdminAccount> Enter a Password> Select Allow selected ports for Public inbound ports and select ports 80, 443 and 3389> Click Next: Disks.

3. The Disks pane opens> Select Standard SSD> In the Encryption type dropdown box select Double encryption with Platform-Managed and Customer-Managed Keys> In the Disk encryption set dropdown box select DESCloud, created in Exercise 6> Select the Encryption at host option> Leave the remaining values at their defaults> Click Next: Networking (Not Shown).

4. The Networking pane opens as shown below> In Virtual Network select VNETCloud> In Subnet select Web-Subnet> Select the system-created default option for Public IP> Select Basic for NSG> In Public inbound ports select Allow Selected Ports and make sure HTTP (80), HTTPS (443) and RDP (3389) are selected> Leave the remaining values at their defaults> Click Review + create> After validation has passed click Create. Please note that we are selecting default values for the Management, Advanced and Tags options.

5. The figure below shows the dashboard of VM vmfe4.

6. In the VM vmfe4 dashboard click Disks in the left pane> In the right pane note the Additional settings option.

7. In the above figure click Additional Settings> The Disk settings pane opens as shown below. You can see from the figure that Encryption at host is enabled> Close the Disk settings pane by clicking Cancel at the bottom of the pane.
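The VM from this exercise built with Az PowerShell, as an added example that is not part of the book; it is the scripted counterpart of steps 2 through 7 and ends with the verification the portal shows under Additional settings. It assumes the resources named in the exercises exist (RGCloud, DESCloud, VNETCloud with subnet Web-Subnet) and that the EncryptionAtHost feature is registered. Unlike the portal walkthrough it creates no public IP or NSG, so the VM is reachable only inside the virtual network; the VM size Standard_D2s_v3 is an assumption chosen because Encryption at host requires a size that supports Premium storage.

```powershell
# Added example (not from the book): create vmfe4 with Encryption at host and an
# OS disk encrypted by Disk Encryption Set DESCloud, then verify both settings.
$rg       = 'RGCloud'
$location = 'eastus2'
$vmName   = 'vmfe4'

$des    = Get-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'DESCloud'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNETCloud'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Web-Subnet'
# Private NIC only: no public IP, so RDP is not exposed to the internet.
$nic    = New-AzNetworkInterface -ResourceGroupName $rg -Location $location `
              -Name "$vmName-nic" -SubnetId $subnet.Id

$cred = Get-Credential -Message 'Local administrator account for the VM'

# -EncryptionAtHost is the PowerShell equivalent of ticking "Encryption at host".
# The size must support Premium storage (an "s" size) for the switch to be accepted.
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3' -EncryptionAtHost
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' `
          -Offer 'WindowsServer' -Skus '2019-Datacenter' -Version 'latest'
# OS disk: Standard SSD, keyed by the customer-managed key in DESCloud.
# "Double encryption" comes from the encryption type configured on the DES itself.
$vm = Set-AzVMOSDisk -VM $vm -Name "$vmName-osdisk" -CreateOption FromImage `
          -StorageAccountType 'StandardSSD_LRS' -DiskEncryptionSetId $des.Id
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# Verification, the scripted counterpart of steps 6 and 7 in the portal.
$created = Get-AzVM -ResourceGroupName $rg -Name $vmName
$osDisk  = Get-AzDisk -ResourceGroupName $rg -DiskName $created.StorageProfile.OsDisk.Name
[pscustomobject]@{
    VM                = $created.Name
    EncryptionAtHost  = $created.SecurityProfile.EncryptionAtHost   # expected: True
    OsDiskEncryption  = $osDisk.Encryption.Type                     # expected: EncryptionAtRestWithPlatformAndCustomerKeys
    DiskEncryptionSet = $osDisk.Encryption.DiskEncryptionSetId
}

# Audit: every VM in the current subscription that still lacks Encryption at host.
Get-AzVM | Where-Object { -not $_.SecurityProfile.EncryptionAtHost } |
    Select-Object ResourceGroupName, Name
```

The closing audit query is the check worth keeping after the exercise: Encryption at host is a per-VM setting, so a subscription with the feature registered can still contain VMs created without it.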

To know more about Azure VM Disk Encryption options in detail, with lab exercises on ADE, Double Encryption at Rest using Customer-managed and Platform-managed Keys, and Encryption at Host, refer to the book Exam AZ-500 Study & Lab Guide Part 3: Microsoft Certified Azure Security Engineer Associate.

The Book is now available on Amazon. 
