Profile Applicability:

  • Level 2

Description:

This check ensures that the operating system (OS) and data disks of Azure Virtual Machines (VMs) are encrypted using a Customer Managed Key (CMK). CMK allows organizations to control the encryption keys used to protect data, enhancing security by providing control over key management and compliance with specific regulatory requirements.

Rationale:

Using Customer Managed Keys for encryption provides enhanced security by allowing organizations to control access to encryption keys. This approach ensures that sensitive data stored on OS and data disks is encrypted using keys managed by the organization, meeting compliance standards such as PCI-DSS, HIPAA, and others that require control over encryption key access.

Impact:

Pros:

  • Provides enhanced control over the encryption keys used for disk encryption.

  • Helps meet regulatory and compliance requirements that mandate the use of customer-managed keys for data encryption.

  • Increases security by enabling key rotation and revocation as part of the organization's security policies.

Cons:

  • Requires additional configuration and management of encryption keys using Azure Key Vault.

  • May introduce operational overhead in terms of key rotation and management.

  • Potential costs for using Azure Key Vault for key management.

Default Value:

By default, Azure uses platform-managed keys for encrypting OS and data disks. Enabling encryption with Customer Managed Keys (CMK) requires manual configuration and the use of Azure Key Vault.

Pre-requisites:

Ensure that:

  • You have an Azure Key Vault set up and configured with the required Customer Managed Keys.

  • Appropriate access policies in Azure Key Vault are configured to allow the virtual machines to use the keys for encryption.

  • The virtual machine's OS and data disks are set up to use encryption with CMK.

Test Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to the Virtual Machines blade.

  3. Select the virtual machine you want to review.

  4. Under the Settings section, click on Disks.

  5. Check the OS Disk and Data Disks settings to confirm that Encryption is set to Customer Managed Key (CMK).

  6. Verify that the Key Vault used for encryption is listed and that the disk encryption is configured with the correct key.

Using Azure CLI:

To check whether the OS and data disks are encrypted with a Customer Managed Key, run the following command. A managed disk encrypted with a CMK references a Disk Encryption Set (DES); the VM's managedDisk object exposes that reference, not an encryption property, so the query below returns the DES ID for the OS disk and for each data disk:

az vm show --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --query "{osDisk:storageProfile.osDisk.managedDisk.diskEncryptionSet.id, dataDisks:storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id}"

  1. Ensure that every disk returns a Disk Encryption Set ID (a null entry means the disk uses platform-managed keys) and that the Key Vault and key referenced by that Disk Encryption Set are the correct ones.
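When a subscription holds more than a handful of VMs, running the query above by hand does not scale. The following script is an added example (not part of this check's text) that applies the same test to the JSON document `az vm show -o json` returns: it walks the OS disk and every data disk and flags any disk without a Disk Encryption Set reference, reporting unmanaged disks as non-compliant rather than skipping them. It also interprets the `encryption.type` value that `az disk show --query encryption` returns for an individual disk. Function names, the `SAMPLE_VM` document and its subscription, resource-group and disk names are all constructed for the example. Note that this check covers server-side encryption with a Disk Encryption Set, which is what the portal's Disks blade configures; the `az vm encryption enable` command in the Implementation Plan configures Azure Disk Encryption (in-guest BitLocker or dm-crypt backed by a Key Vault key), whose status is reported separately by `az vm encryption show`.

```python
"""Audit an Azure VM's managed disks for customer-managed-key encryption.

Added example, not part of the original check. It evaluates the JSON that
`az vm show -o json` returns (a constructed sample is embedded below) and the
`encryption.type` value from `az disk show --query encryption`.
"""
import json
import subprocess
from typing import List, Optional

# Values of encryption.type on a managed disk that involve a customer key.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def disk_findings(vm: dict) -> List[dict]:
    """Return one finding per disk attached to the VM document.

    A disk passes when its managedDisk references a Disk Encryption Set.
    Unmanaged disks (no managedDisk object) cannot use a DES and are reported
    as failing so the audit does not silently ignore them.
    """
    profile = vm.get("storageProfile", {})
    disks = [("osDisk", profile.get("osDisk", {}))]
    disks += [("dataDisk", d) for d in profile.get("dataDisks", [])]
    findings = []
    for role, disk in disks:
        managed = disk.get("managedDisk") or {}
        # Azure CLI prints "diskEncryptionSet": null for platform-managed keys.
        des_id = (managed.get("diskEncryptionSet") or {}).get("id")
        findings.append({
            "vm": vm.get("name"),
            "role": role,
            "disk": disk.get("name"),
            "managed": bool(managed),
            "diskEncryptionSetId": des_id,
            "compliant": des_id is not None,
        })
    return findings


def vm_is_compliant(vm: dict) -> bool:
    """True only when every attached disk references a Disk Encryption Set."""
    return all(f["compliant"] for f in disk_findings(vm))


def encryption_type_is_cmk(encryption: Optional[dict]) -> bool:
    """Interpret `az disk show --query encryption` output for one disk."""
    return bool(encryption) and encryption.get("type") in CMK_TYPES


def live_vm_document(resource_group: str, vm_name: str) -> dict:
    """Fetch the VM document with Azure CLI (requires a prior `az login`)."""
    cmd = ["az", "vm", "show", "--resource-group", resource_group,
           "--name", vm_name, "-o", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample: OS disk uses a DES, the data disk does not.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_RG = _SUB + "/resourceGroups/rg-example"
SAMPLE_VM = {
    "name": "vm-example",
    "storageProfile": {
        "osDisk": {
            "name": "vm-example_OsDisk",
            "managedDisk": {
                "id": _RG + "/providers/Microsoft.Compute/disks/vm-example_OsDisk",
                "storageAccountType": "Premium_LRS",
                "diskEncryptionSet": {
                    "id": _RG + "/providers/Microsoft.Compute/diskEncryptionSets/des-example",
                },
            },
        },
        "dataDisks": [
            {
                "lun": 0,
                "name": "vm-example-data0",
                "managedDisk": {
                    "id": _RG + "/providers/Microsoft.Compute/disks/vm-example-data0",
                    "storageAccountType": "Standard_LRS",
                    "diskEncryptionSet": None,
                },
            }
        ],
    },
}

if __name__ == "__main__":
    for f in disk_findings(SAMPLE_VM):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['vm']} {f['role']} {f['disk']} DES={f['diskEncryptionSetId']}")
    print("VM compliant:", vm_is_compliant(SAMPLE_VM))
```

To audit a real VM, replace `SAMPLE_VM` with `live_vm_document("<RESOURCE_GROUP_NAME>", "<VM_NAME>")`; the evaluation logic is unchanged, so the same findings format can be fed into whatever reporting the compliance programme already uses.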

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Virtual Machines and select the VM you want to configure.

  3. Under the Settings section, click on Disks.

  4. Select the OS Disk or Data Disk you want to encrypt with a Customer Managed Key (CMK).

  5. In the Encryption section, select Customer Managed Key (CMK).

  6. Select the Key Vault and the Encryption Key you want to use from the drop-down.

  7. Click Save to apply the encryption settings.

Using Azure CLI:

To enable CMK-based encryption on a disk, use the following command:

az vm encryption enable --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --disk-encryption-keyvault <KEYVAULT_NAME> --key-encryption-key <KEY_ID>

  • Replace <KEYVAULT_NAME> with the name of your Key Vault.

  • Replace <KEY_ID> with the ID of the Customer Managed Key in the Key Vault.

To confirm that the encryption has been applied, check which Disk Encryption Set each of the VM's disks references with the following command (a null entry indicates a disk that still uses platform-managed keys):

az vm show --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --query "{osDisk:storageProfile.osDisk.managedDisk.diskEncryptionSet.id, dataDisks:storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id}"

Backout Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Virtual Machines and select the VM you want to revert.

  3. Under the Settings section, click on Disks.

  4. Select the OS Disk or Data Disk you want to disable encryption for.

  5. In the Encryption section, select Use Platform Managed Key.

  6. Click Save to apply the changes.

Using Azure CLI:

To revert the encryption to platform-managed keys, run the following command:

az vm encryption disable --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME>

References: