Profile Applicability:
- Level 2
Description:
This check ensures that Virtual Hard Disks (VHDs) used in Azure are encrypted. Encryption of VHDs helps protect data stored on the disks by ensuring that sensitive information is not accessible to unauthorized users or systems. This encryption can be applied at both the operating system (OS) disk and data disks for virtual machines (VMs) in Azure.
Rationale:
VHDs may contain sensitive data, and unencrypted VHDs expose that data to potential risks, such as unauthorized access or data theft. By encrypting VHDs, the data is secured both at rest and during movement, protecting it from unauthorized access even if the physical disks are compromised. Azure provides platform-managed encryption (PMK) by default, but it’s crucial to ensure that encryption with Customer Managed Keys (CMK) is applied if a higher level of control is needed.
Impact:
Pros:
Ensures data is encrypted at rest, preventing unauthorized access in case of disk theft or compromise.
Meets regulatory and compliance requirements such as HIPAA, PCI-DSS, or ISO 27001.
Provides a higher level of security by controlling encryption keys (if using CMK).
Cons:
Requires the management of encryption keys if using Customer Managed Keys (CMK), adding administrative overhead.
May introduce slight performance overhead due to encryption and decryption operations, though this is typically minimal.
Default Value:
By default, Azure uses platform-managed keys (PMK) to encrypt VHDs. Customer Managed Keys (CMK) must be manually configured if required for additional control over encryption key management.
Pre-requisites:
Ensure that Azure Key Vault is set up and configured if Customer Managed Keys (CMK) are required.
Ensure that proper permissions and policies are in place to manage and access the encryption keys for CMK.
Confirm that the VHDs (OS and Data disks) are identified and available for encryption configuration.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade and select the VM associated with the VHDs you want to check.
Under the Settings section, click on Disks.
Verify that the OS Disk and any Data Disks have encryption enabled. If Customer Managed Keys (CMK) are used, it should be indicated in the encryption settings.
If CMK is enabled, ensure the Key Vault and the specific encryption key are correctly referenced.
Using Azure CLI:
To check if VHDs (OS and Data disks) are encrypted, run the following command:
az vm show --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --query "storageProfile.osDisk.managedDisk.encryption"
If using CMK, the encryption field should show EncryptionWithCustomerKey.
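The portal and per-VM checks above cover one VM at a time. As an added example (not part of this benchmark), the script below audits every managed disk in a subscription from the JSON that `az disk list -o json` emits, reporting OS and data disks whose server-side encryption is not backed by a customer-managed key; the field names follow the Azure CLI disk model, and the disk names, VM ids and disk encryption set id in the embedded sample are constructed.

```python
import json
import sys

# Constructed sample of `az disk list -o json`, trimmed to the fields this check reads.
# Names, resource ids and the disk encryption set are made up for the demonstration.
SAMPLE_DISKS_JSON = """[
  {"name": "web01-osdisk", "osType": "Linux",
   "managedBy": "/subscriptions/x/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/x/resourceGroups/rg-app/providers/Microsoft.Compute/diskEncryptionSets/des-app"}},
  {"name": "web01-data0", "osType": null,
   "managedBy": "/subscriptions/x/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "orphan-data1", "osType": null, "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]"""


def uses_cmk(disk):
    """True when the disk's server-side encryption is wrapped by a customer-managed key.
    The substring test accepts EncryptionAtRestWithCustomerKey, ...WithPlatformAndCustomerKeys
    and the shorter EncryptionWithCustomerKey spelling; a disk encryption set must be referenced."""
    enc = disk.get("encryption") or {}
    return "CustomerKey" in (enc.get("type") or "") and bool(enc.get("diskEncryptionSetId"))


def audit(disks):
    """Return one finding per disk that is NOT CMK-encrypted; an empty list means compliant."""
    findings = []
    for d in disks:
        if uses_cmk(d):
            continue
        findings.append({
            "disk": d["name"],
            "role": "OS" if d.get("osType") else "Data",          # data disks carry no osType
            "vm": (d.get("managedBy") or "unattached").rsplit("/", 1)[-1],
            "encryption": (d.get("encryption") or {}).get("type") or "Unknown",
        })
    return findings


def audit_json(raw):
    """Parse raw `az disk list -o json` output and audit it."""
    return audit(json.loads(raw))


if __name__ == "__main__":
    # Pipe real CLI output in (az disk list -o json | python3 audit_disk_cmk.py); otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DISKS_JSON
    findings = audit_json(raw)
    for f in findings:
        print(f"NON-COMPLIANT {f['role']:<4} disk {f['disk']} on {f['vm']}: {f['encryption']}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status lets the audit gate a pipeline; unattached disks are reported too, since they hold data regardless of whether a VM currently references them.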
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade and select the VM for which you want to configure VHD encryption.
Under the Settings section, click on Disks.
Select the OS Disk or Data Disk and in the Encryption section, choose Customer Managed Key (CMK) if required.
Select the Key Vault and Encryption Key to be used for the disk encryption.
Click Save to apply the encryption settings.
Using Azure CLI:
To enable CMK-based encryption on a VHD (OS or Data disk), use the following command:
az vm encryption enable --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --disk-encryption-keyvault <KEYVAULT_NAME> --key-encryption-key <KEY_ID>
After enabling encryption, check the disk encryption status with:
az vm show --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME> --query "storageProfile.osDisk.managedDisk.encryption"
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Virtual Machines blade and select the VM for which you want to disable encryption.
Under the Settings section, click on Disks.
In the Encryption section, set Encryption Type to Platform Managed Key (PMK) or remove the CMK configuration entirely.
Click Save to apply the changes.
Using Azure CLI:
To revert the encryption to platform-managed keys (PMK), use the following command:
az vm encryption disable --resource-group <RESOURCE_GROUP_NAME> --name <VM_NAME>