Disk encryption isn’t new thing in Azure. Storage Service Encryption with BYOK was published somewhere in 2017. I wrote this blog because it was extremely difficult to find information how BYOK model encryption actually works in case of Virtual Machines. 

There are two kinds of encryption to discuss in reference to managed disks.

  • The first one is Storage Service Encryption (SSE), which is performed by the storage service
  • The second one isAzure Disk Encryption, which can be enabled on the OS and data disks for VMs

Both options are available for encryption purposes with Microsoft-managed encryption keys with SSE or own (BYOK) encryption keys. 

Storage Service Encryption (SSE)

From docs.microsoft.com – SSE is enabled by default for all Managed Disks, Snapshots, and Images in all the regions where managed disks are available. Starting June 10th, 2017, all new managed disks/snapshots/images and new data written to existing managed disks are automatically encrypted-at-rest with keys managed by Microsoft by default.

Azure Disk Encryption (ADE) 

From docs.microsoft.com – Azure Disk Encryption allows to encrypt the OS and Data disks used by an IaaS Virtual Machine. 

  • For Windows, the drives are encrypted using industry-standard BitLocker encryption technology
  • For Linux, the disks are encrypted using the DM-Crypt technology. The encryption process is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys

What’s the Difference Between SSE & ADE

Azure Disk Encryption provides integration between OS-based solutions like BitLocker and DM-Crypt and Azure Key Vault. Storage Service Encryption provides encryption natively at the Azure storage platform layer, below the virtual machine.

VM Encryption

By default, if using Azure Disk Encryption Microsoft managed keys are used for encryption. Disk encryption is using industry standard Bitlocker feature and the DM-Crypt feature to Linux toprovide volume encryption for the OS and data disks. This solution is integrated with Azure Key Vault to control and manage the disk-encryption keys. The solution also ensures that all data on the VM disks are encrypted at rest in Azure storage.

BYOK in Virtual Machine Encryption

When using Key Encryption Key – KEK (created at on-premises and protected with HSM) it’s important to understand that KEK is not used to encrypt/decrypt Virtual Machines OS or Data disks.

KEK adds additional layer of security for encryption key. When a key encryption key (KEK) is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to KeyVault.  This method is called envelope encryption.

Key wrapping is used when the Key Vault key is symmetric which is case with Bitlocker recovery keys. More information can be found from RFC3447.

In picture below highlighted secret is VM secret which is a wrapped BEK key.

Wrapped BEK where own key is used
VM disk is encrypted

Here is Microsoft picture how this key wrapping works


Key takeaway: when using BYOK model to encrypt VM’s own key is used to protect the encryption key, not to encrypt the data on VM disks.

This concludes this blog post and will be my last post at year 2018. Merry Christmas to all !