Profile Applicability:
Level 2
Description:
Azure Managed Lustre file systems support encryption at rest using Azure Storage Service Encryption. Configuring a Key Encryption Key (KEK) that is customer-managed enables enhanced control over the encryption keys protecting the file system data. This allows organizations to manage key rotation, revocation, and auditability through Azure Key Vault.
Rationale:
Using customer-managed keys (CMK) for encryption improves security by placing key control with the customer rather than relying on Microsoft-managed keys. This supports strict compliance requirements, enables separation of duties, and allows for granular access management and audit logging of key usage.
Impact:
Pros:
Full control over encryption key lifecycle including rotation and revocation.
Enhanced audit and compliance capabilities.
Supports separation of duties between key management and data access.
Cons:
Requires proper configuration and ongoing management of Key Vault and keys.
Potential risk of data inaccessibility if keys are deleted or Key Vault permissions are misconfigured.
Additional operational overhead and possible costs associated with Azure Key Vault usage.
Default Value:
By default, Azure Managed Lustre uses Microsoft-managed keys for encryption unless customer-managed keys are configured.
Pre-requisites:
Azure Key Vault configured with appropriate customer-managed keys.
Proper access policies granting the Lustre service access to the Key Vault keys.
Permissions to configure encryption settings on the Managed Lustre file system.
Remediation:
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Locate the Azure Managed Lustre file system resource.
Go to the Encryption or Security settings.
Verify that the Key Encryption Key is configured and points to a customer-managed key in Azure Key Vault.
Using Azure CLI:
1. Retrieve encryption settings for the Lustre file system:
az storage filesystem show --account-name <storage-account-name> --name <lustre-filesystem-name> --query encryption.keyVaultProperties
2. Confirm that the keyName and keyVaultUri fields reference a customer-managed key.
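The manual confirmation in step 2 can be scripted. The following POSIX shell helper is an added example, not part of the benchmark text or of any Microsoft tooling: it evaluates the JSON that the Test Plan's --query encryption.keyVaultProperties step returns and reports whether a customer-managed Key Encryption Key is in place. The sample outputs, the vault name contoso-kv and the key name lustre-kek are constructed, and the helper assumes the public-cloud Key Vault DNS suffix vault.azure.net.

```shell
#!/bin/sh
# Added audit helper (example code, not from the benchmark or Microsoft).
# Assumptions: the queried object is flat JSON with string fields "keyName"
# and "keyVaultUri", and the vault is in the public cloud (vault.azure.net).

# json_field <json> <field>: extract a string field from a flat JSON object
# using only POSIX tools (no jq dependency). Prints nothing if the field is
# absent or null, which is what the query yields when no CMK is configured.
json_field() {
    printf '%s' "$1" | tr -d '\n' \
      | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_kek <json>: prints a verdict; returns 0 when a customer-managed key is
# referenced, 1 otherwise (no key, null properties, or a non-Key-Vault URI).
check_kek() {
    key_name=$(json_field "$1" keyName)
    vault_uri=$(json_field "$1" keyVaultUri)
    if [ -z "$key_name" ] || [ -z "$vault_uri" ]; then
        echo "NON-COMPLIANT: no customer-managed KEK set; Microsoft-managed keys in use"
        return 1
    fi
    case "$vault_uri" in
        https://*.vault.azure.net|https://*.vault.azure.net/) ;;
        *)
            echo "NON-COMPLIANT: keyVaultUri '$vault_uri' is not an Azure Key Vault URI"
            return 1 ;;
    esac
    echo "COMPLIANT: KEK '$key_name' served from $vault_uri"
    return 0
}

# Constructed sample outputs standing in for live query results.
CMK_SAMPLE='{"keyName": "lustre-kek", "keyVaultUri": "https://contoso-kv.vault.azure.net/"}'
MMK_SAMPLE='null'   # what the query prints when a CMK was never configured
BAD_URI_SAMPLE='{"keyName": "k", "keyVaultUri": "http://example.com/keys"}'

for sample in "$CMK_SAMPLE" "$MMK_SAMPLE" "$BAD_URI_SAMPLE"; do
    check_kek "$sample" || true   # keep going so every sample is reported
done
```

Against a live resource, pass the Test Plan's query output in place of the samples, for example check_kek "$(<Test Plan show command> --output json)", and use the exit status to drive a pass/fail result in an audit job.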
Implementation Plan:
Using Azure Portal:
Create or select a Key Vault with the customer-managed key (CMK).
Assign access policies to allow the Lustre service identity to use the key.
Update the Managed Lustre file system encryption settings to use the CMK as the Key Encryption Key.
Save and validate the configuration.
Using Azure CLI:
1. Assign Key Vault permissions to the Lustre service principal:
az keyvault set-policy --name <keyvault-name> --object-id <lustre-service-principal-object-id> --key-permissions wrapKey unwrapKey get
2. Update the Lustre file system encryption settings to use the customer-managed key:
az storage filesystem update --account-name <storage-account-name> --name <lustre-filesystem-name> --encryption-key-vault-key-uri <key-vault-key-uri>
Backout Plan:
Using Azure Portal:
Revert encryption settings to Microsoft-managed keys if necessary.
Remove or modify Key Vault access policies.
Using Azure CLI:
1. Reset encryption key to Microsoft-managed key:
az storage filesystem update --account-name <storage-account-name> --name <lustre-filesystem-name> --encryption-key-vault-key-uri ""
2. Adjust Key Vault policies accordingly.
References: