Virtual Machine encryption with KEK and BEK


I am trying to understand the integration between Azure Key Vault and virtual machine disk encryption.


When I use this command to encrypt the OS drive of a VM:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $appID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID


I can see in my key vault that there is a BEK under the [Secrets] section of the vault. That makes sense, as this is the actual key used for the symmetric disk encryption.


Now I want to use a KEK as well, to wrap the symmetric key. To do that, I go to the key vault and create a key, which creates an RSA asymmetric key under the [Keys] section of the key vault. Then I run this command to encrypt a drive in a VM, specifying the KEK:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $appID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID `
    -KeyEncryptionKeyUrl "" -KeyEncryptionKeyVaultId $kv_id


Now the disk is encrypted, but in the key vault I cannot see any BEK generated under the [Secrets] section of my vault. So what just happened? Where is my BEK?
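A way to find out where the VM's BEK actually lives is to read the encryption settings the VM itself references and compare them with what the vault holds. The script below is an added example, not code from the original post or from the Azure Disk Encryption extension. It assumes the same $rgName, $vmName and $kvUri variables as the commands above, and that the AzureRm module is already logged in; the vault name is derived from $kvUri, and the output property names follow the AzureRm cmdlets (Get-AzureRmVMDiskEncryptionStatus, Get-AzureRmKeyVaultSecret, Get-AzureRmKeyVaultKey).

```powershell
# Added example: show which Key Vault secret (BEK) and key (KEK) the VM's OS disk
# encryption settings point at, then list what the vault actually contains.
# Assumes $rgName, $vmName and $kvUri are already defined, as in the question.

function Get-AdeKeyReferences {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $KeyVaultUri
    )

    # Derive the vault name from its URI, e.g. https://myvault.vault.azure.net/ -> myvault
    $vaultName = ([System.Uri] $KeyVaultUri).Host.Split('.')[0]

    # What the VM says about its own OS volume encryption
    $status   = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    $settings = $status.OsVolumeEncryptionSettings

    $report = [ordered]@{
        OsVolumeEncrypted = $status.OsVolumeEncrypted
        # SecretUrl is where the (possibly wrapped) BEK is stored as a Key Vault secret
        BekSecretUrl      = $settings.DiskEncryptionKey.SecretUrl
        BekSourceVault    = $settings.DiskEncryptionKey.SourceVault.Id
        # KeyUrl is the RSA KEK used to wrap the BEK; empty if no KEK is in use
        KekKeyUrl         = $settings.KeyEncryptionKey.KeyUrl
        KekSourceVault    = $settings.KeyEncryptionKey.SourceVault.Id
    }

    # What the vault actually holds: secrets (BEKs) and keys (KEKs)
    $secrets = Get-AzureRmKeyVaultSecret -VaultName $vaultName |
        Select-Object Name, Enabled, ContentType, Tags, Id
    $keys = Get-AzureRmKeyVaultKey -VaultName $vaultName |
        Select-Object Name, Enabled, Id

    [pscustomobject]@{
        VmEncryptionReferences = [pscustomobject] $report
        VaultSecrets           = $secrets
        VaultKeys              = $keys
    }
}

# Usage: compare the VM's references with the vault contents.
$refs = Get-AdeKeyReferences -ResourceGroupName $rgName -VMName $vmName -KeyVaultUri $kvUri
$refs.VmEncryptionReferences | Format-List
"--- Secrets in vault ---"
$refs.VaultSecrets | Format-Table -AutoSize
"--- Keys in vault ---"
$refs.VaultKeys | Format-Table -AutoSize
```

If BekSecretUrl points at a vault other than the one you are browsing, or is empty, the secret was never written where you expected; if KekKeyUrl is empty while you passed a KEK parameter, the VM is not using a KEK at all. The tags on each secret also record how Azure Disk Encryption created it, so they are worth reading alongside the secret name.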

