Disk encryption is a basic data protection method for physical and virtual hard disks. It falls under physical data security, and it prevents data breaches from stolen hard disks (physical or virtual).
Similar to on-premises Windows servers and computers, we can use BitLocker to encrypt Windows VMs running on Azure. For Linux VMs, we can use DM-Crypt to encrypt virtual disks. More details about BitLocker are available here on Microsoft Docs. Azure VM encryption uses Azure Key Vault to store the encryption keys and secrets.
In this post, I am going to demonstrate how we can encrypt an Azure Linux VM.
Be sure your Azure VM configuration complies with the following before moving forward:
Azure Disk Encryption for Linux VMs only works if you are running an Azure-endorsed Linux distribution, such as:
Ubuntu 14.04.5, 16.04, 18.04
RHEL 6.7, 6.8, 7.2, 7.3, 7.4, 7.5, 7.6
CentOS 6.8, 7.2n, 7.3, 7.4, 7.5, 7.6
SLES 12-SP3, 12-SP4
If you are encrypting the OS and data volumes of a Linux VM and its root (/) file system usage is 4 GB or less, you need a minimum of 8 GB of RAM. If the root (/) file system usage is more than 4 GB, the VM needs 2 * (root (/) file system usage) of RAM. This is only required during the initial encryption process.
The Azure Linux VM must have the dm-crypt and vfat kernel modules available.
Data disks of the Linux VM (the ones that require encryption) must be listed correctly under /etc/fstab.
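The three prerequisites above can be checked from inside the VM before you start the encryption job. The following pre-flight script is an added example and is not part of the original post; it assumes a GNU/Linux guest with df, lsmod, /proc/meminfo and /etc/fstab, and the DATA_DISKS device list (default /dev/sdc1) is an assumption you should replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# three Azure Disk Encryption prerequisites above, run inside the Linux VM.
# Assumes GNU/Linux with df, lsmod, /proc/meminfo and /etc/fstab. The device
# list in DATA_DISKS (default /dev/sdc1) is an assumption; set it to yours.

# RAM rule from the post: root (/) usage of 4 GB or less needs 8 GB of RAM,
# anything larger needs 2 x the root usage. Arg: root usage in whole GB.
required_ram_gb() {
    if [ "$1" -le 4 ]; then echo 8; else echo $((2 * $1)); fi
}

# Succeeds only if dm_crypt and vfat (lsmod spells dm-crypt as dm_crypt)
# appear in the lsmod output passed as $1. A module built into the kernel
# will not be listed here, so a failure means "verify", not "broken".
modules_present() {
    for mod in dm_crypt vfat; do
        printf '%s\n' "$1" | grep -q "^$mod[[:space:]]" || return 1
    done
}

# Succeeds only if every device in $2.. has an uncommented entry in the
# fstab text passed as $1 (ADE reads /etc/fstab to find data volumes).
fstab_lists() {
    fstab=$1; shift
    for dev in "$@"; do
        printf '%s\n' "$fstab" | grep -v '^[[:space:]]*#' \
            | grep -q "^[[:space:]]*$dev[[:space:]]" || return 1
    done
}

# Constructed sample inputs (not captured from a real VM) for a dry run.
SAMPLE_LSMOD='Module                  Size  Used by
dm_crypt               40960  1
vfat                   20480  0'
SAMPLE_FSTAB='# constructed /etc/fstab
UUID=0000-root  /      ext4  defaults  0 1
/dev/sdc1       /data  ext4  defaults  0 2'

# Live checks against this VM; run as: sh ade-precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    used_gb=$(df -Pk / | awk 'NR==2 {printf "%d", ($3 + 1048575) / 1048576}')
    ram_gb=$(awk '/^MemTotal:/ {printf "%d", $2 / 1048576}' /proc/meminfo)
    need=$(required_ram_gb "$used_gb")
    [ "$ram_gb" -ge "$need" ] && echo "RAM ok: $ram_gb GB >= $need GB" \
        || echo "RAM too low: $ram_gb GB, need $need GB for initial encryption"
    modules_present "$(lsmod)" && echo "dm_crypt and vfat loaded" \
        || echo "dm_crypt or vfat not listed by lsmod"
    fstab_lists "$(cat /etc/fstab)" ${DATA_DISKS:-/dev/sdc1} \
        && echo "data disks present in /etc/fstab" \
        || echo "a data disk is missing from /etc/fstab"
fi
```

Without `--live` the script only defines the functions and sample data, so it can be sourced and exercised against the constructed samples before touching a real VM.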
In the above, REBELVMKV1 is the key vault name, and it is created under the REBELRG1 resource group which we created in the previous step. -EnabledForDiskEncryption prepares the key vault for use with disk encryption.
3. Then we need to create an access policy so the currently logged-in user can create encryption keys.
In the above, objectid should be replaced with the actual objectid value of the currently logged-in global admin account. Here, -PermissionsToKeys defines the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.
4. Now we need a new encryption key to use with disk encryption.
In the above, REBELVMKey is the key name. -Destination is set to Software as we are creating a standard, software-protected encryption key. If required, it can be set to HSM (Hardware Security Module) instead, but that comes with additional cost.
Step 4: Create VM
In this demo, I am going to create a new VM for encryption testing. This is not a must; we can still encrypt any existing VM.