Azure Disk Encryption for IAAS Windows VM with Azure AD- Part 1

Introduction

A question that we often face from the customers is how to enable Disk encryption for the Azure VM, which not only secures your data but is also necessary as a compliance requirement. In this blog we would answer how do we enable Disk encryption on an Azure IAAS VM.

Encrypting the data is very important in any organizations as it helps in securing the sensitive data, which you do not want others to access and later misuse the same. Azure provides encryption service to the disks that would convert the data into unreadable form. The user with the key possessing access can change back the information to its original readable form. Azure Disk Encryption technology helps to protect and safeguard your data, to meet your organizational security and compliance commitments.

Pre-Requisites

Supported scenarios and requirements for disk encryption

Azure Disk Encryption is supported on the following scenarios:

• Enabling encryption on new Windows VMs from Azure Marketplace images or custom VHD images.
• Enabling encryption on existing Windows VMs in Azure.
• Enabling encryption on Windows VMs that are configured by using Storage Spaces.
• Disabling encryption on OS and data drives for Windows VMs.
• Standard tier VMs, such as A, D, DS, G, and GS series VMs.

Supported operating systems

Azure Disk Encryption is supported on the following operating systems:

• Windows Server versions: Windows Server 2008 R2  and above
• Windows client versions: Windows 8 client, Windows 10 client
• Azure Disk Encryption is only supported on specific Azure Gallery based Linux server distributions and versions.
• Azure Disk Encryption requires that your key vault and VMs reside in the same Azure region and subscription.
• Configuring the resources in separate regions causes a failure in enabling the Azure Disk Encryption feature.

Required permissions

• If you have the User role, you must make sure that non-administrators can register applications.
• If the app registrations setting is set to No, only users with an administrator role may register these types of applications.

The process for encrypting a VM is as follows:

1. Create New Application in Azure Active Directory.
   Azure Disk Encryption is integrated with Azure Key Vault and it uses an Azure AD application to provide authentication in order to manage encryption keys in the key vault.
2. Create a cryptographic key for Azure Disk Encryption.
   Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription.
3. Enable encryption on existing or running IaaS Windows VMs.
   BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key.

Benefits

• Azure Disk Encryption helps to comply with GDPR, CIS Benchmark, NIST etc.
• Encrypting these files is important, as they can reveal important confidential data. Nearly everything including the swap space and the temporary files is encrypted.
• Nearly everything including the swap space and the temporary files is encrypted.
• IaaS VMs boot under customer-controlled keys and policies.
  You can audit their usage in your key vault.
• Full disk encryption has the advantage for the situations in which users might forget to encrypt sensitive files.
• The Azure AD App allows user to:
  Configure access rules

Interested in Microsoft Azure, Let’s CONNECT!