Azure Disk Encryption for Data Disk on Linux
The whats and hows of Linux data disk encryption
When you configure a new Linux virtual machine (VM) you may assume that, because the data lives on Azure hardware, it is already encrypted and nothing more is needed. Microsoft does encrypt managed disks, but that is storage-level encryption at rest: it protects the data against physical access to the media in the datacentre, and the platform decrypts it transparently for anyone who reads the disk through Azure. Nothing inside the volume is encrypted, so a person with enough rights on the subscription to export or download the VHD gets the data in the clear. This post covers what kind of encryption Azure uses for Linux data disks, how the key is managed, and how to enable it on a disk attached to a VM.
What encryption method is used
Azure Disk Encryption (ADE) for Linux uses dm-crypt, the Linux kernel's device-mapper encryption target (the same mechanism behind cryptsetup/LUKS volumes), to encrypt the volume inside the guest. It is the only in-guest volume encryption Azure offers for Linux; Windows VMs use BitLocker in the same role.
How does the encryption key generate and where is it stored
Because ADE is a platform-managed feature, it is integrated with Azure Key Vault. When you enable encryption you select a Key Vault (or create a new one). The ADE extension then generates the volume passphrase inside the VM and stores it as a secret in that vault; the platform reads the secret back to unlock the disk when the VM boots. You can optionally select or create a key in the vault, the key encryption key (KEK); when you do, the passphrase is wrapped with that key before it is stored. Whoever can read that secret (and obtain the disk) can unlock the volume, so the vault's access policies, soft-delete and purge protection matter as much as the encryption itself.
Are there prerequisites
There are a few requirements you must meet before you can encrypt a data disk:
The Linux VM must have at least 2 GB of RAM (8 GB if you are encrypting both the OS and data disks).
The OS must be one of the distributions and versions listed as supported in Microsoft's Azure Disk Encryption documentation; ADE is not supported on other images.
The data disk must be attached, formatted, mounted and recorded in /etc/fstab before you enable encryption, so the VM can mount it again once the volume has been converted to a dm-crypt device. Reference it in /etc/fstab by UUID rather than by a device name such as /dev/sdc1, which is not stable and no longer points at the plaintext filesystem after encryption. Microsoft documents how to attach and mount a data disk on a Linux VM.
The Azure Key Vault you use must have the "Azure Disk Encryption for volume encryption" access policy enabled (the Enable access to: Azure Disk Encryption for volume encryption setting in the portal, or --enabled-for-disk-encryption true in the CLI). Without it the platform cannot write the encryption secret and the procedure below fails. The vault must also be in the same region and subscription as the VM.
How to enable encryption using the Azure Portal
Make sure the data disk is attached, formatted, mounted and present in /etc/fstab, and that the VM is running: the work is done by the Azure Disk Encryption extension inside the guest, so it cannot run against a stopped or deallocated VM. The extension may unmount the data disk while it converts it, so quiesce any workload that uses the disk first. When ready, follow these steps:
- Open the Virtual Machine resource
- Select Disks from the left side menu
- Select Additional Settings from the top of the window
- From the Disk to encrypt drop down, select Data disks
- Select the Click to select a key option that appeared after the above step completed
- Complete the fields, either by selecting an existing Key Vault or by creating a new one. Once done, click the Select button
- You return to the configuration window; finish by selecting Save
How to enable encryption using Azure CLI
Run the following command (the VM must be running, and the disk must be mounted and listed in /etc/fstab as described above):
az vm encryption enable -g "ResourceGroupName" --name "LinuxVMName" --disk-encryption-keyvault "NameOfKeyVault" --volume-type DATA
Replace the following values with your own:
ResourceGroupName - The name of the resource group the Linux VM is in.
LinuxVMName - Name of the Linux VM whose data disks will be encrypted.
NameOfKeyVault - Name of the Key Vault that will store the encryption secret.
--volume-type DATA limits the operation to data disks; OS encrypts only the OS disk and ALL encrypts both (and raises the memory requirement to 8 GB). To wrap the generated secret with a key encryption key, add --key-encryption-key with the name of a key in the same vault.
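As an added example (not code from the original post or from Microsoft), the following bash script ties the prerequisites above to the CLI step: it checks memory and /etc/fstab before enabling, enables ADE only on a running VM, and verifies afterwards both from the platform side and inside the guest. The resource names rg-linux, vm-linux-01 and kv-ade-demo, the mount point /data and the sample /proc/meminfo, fstab and lsblk output are constructed assumptions; the az CLI calls need an authenticated session and only run when ADE_RUN=1.

```shell
#!/usr/bin/env bash
# Pre-flight checks, enablement and verification for ADE on a Linux data disk.
# Added example, not code from the original post. Resource names (rg-linux,
# vm-linux-01, kv-ade-demo), the mount point /data and the SAMPLE_* guest
# state below are constructed assumptions, not output from a real VM.

# Accepts the text of /proc/meminfo and a minimum size in GB. MemTotal excludes
# memory the kernel reserves, so a "2 GB" VM reports a little under 2 GiB;
# comparing against decimal GB avoids a false negative on exactly-sized VMs.
meminfo_ok() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /^MemTotal:/ { kb = $2 }
        END { exit (kb + 0 >= min * 1000 * 1000) ? 0 : 1 }'
}

# Accepts the text of /etc/fstab and a mount point. Succeeds only if the mount
# point is present and referenced by UUID=, which still resolves after ADE
# swaps the backing partition for a dm-crypt mapping (/dev/sdX names do not).
fstab_uses_uuid() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 == mp { found = 1; if ($1 ~ /^UUID=/) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# Accepts the output of `lsblk -rno NAME,TYPE,MOUNTPOINT` and a mount point.
# Succeeds if the mount point sits on a device of TYPE "crypt", i.e. a dm-crypt
# mapping, which is what a finished ADE run leaves behind in the guest.
mount_is_dmcrypt() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "crypt" && $3 == mp { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Combined in-guest pre-flight: enough RAM and a UUID-based fstab entry.
# Usage inside the VM: preflight "$(cat /proc/meminfo)" "$(cat /etc/fstab)" /data 2
preflight() {
    meminfo_ok "$1" "$4" || { echo "not enough RAM for ADE" >&2; return 1; }
    fstab_uses_uuid "$2" "$3" || { echo "$3 missing from fstab or not by UUID" >&2; return 1; }
}

# Enables ADE for the data disks of a running VM through the az CLI (needs an
# authenticated session). Arguments: resource group, VM name, Key Vault name and
# an optional key encryption key (KEK) name in that vault.
enable_data_disk_ade() {
    rg="$1"; vm="$2"; kv="$3"; kek="${4:-}"

    # ADE is a VM extension that runs inside the guest, so the VM must be running.
    state="$(az vm get-instance-view -g "$rg" -n "$vm" \
        --query "instanceView.statuses[?starts_with(code,'PowerState/')].displayStatus" \
        -o tsv)"
    if [ "$state" != "VM running" ]; then
        echo "$vm is '$state'; start it before enabling encryption" >&2
        return 1
    fi

    # The vault must allow the platform to write the volume encryption secret.
    az keyvault update --name "$kv" --enabled-for-disk-encryption true --output none

    if [ -n "$kek" ]; then
        # The generated passphrase is wrapped with the KEK before it is stored.
        az vm encryption enable -g "$rg" --name "$vm" --volume-type DATA \
            --disk-encryption-keyvault "$kv" --key-encryption-key "$kek"
    else
        az vm encryption enable -g "$rg" --name "$vm" --volume-type DATA \
            --disk-encryption-keyvault "$kv"
    fi

    # Platform-side status per disk; cross-check with mount_is_dmcrypt in the guest.
    az vm encryption show -g "$rg" -n "$vm" \
        --query "disks[].{disk:name, status:statuses[0].displayStatus}" -o table
}

# Constructed sample guest state for exercising the checks offline.
SAMPLE_MEMINFO="$(printf 'MemTotal:        4030120 kB\nMemFree:         3012344 kB\n')"
SAMPLE_FSTAB="$(printf '%s\n' \
    'UUID=4f2c1a9e-1d2b-4c3d-8e9f-0a1b2c3d4e5f /data ext4 defaults,nofail 0 2' \
    '/dev/sdd1 /scratch ext4 defaults 0 2')"
SAMPLE_LSBLK="$(printf '%s\n' \
    'sda disk ' 'sda1 part /' 'sdc disk ' 'sdc1 part ' \
    '4f2c1a9e-1d2b-4c3d-8e9f-0a1b2c3d4e5f crypt /data')"

preflight "$SAMPLE_MEMINFO" "$SAMPLE_FSTAB" /data 2 && echo "sample /data is ready for ADE"

# Only talks to Azure when explicitly asked (ADE_RUN=1 ./ade-data-disk.sh [kek]),
# so the check functions can be sourced and run inside the VM on their own.
if [ "${ADE_RUN:-0}" = "1" ]; then
    enable_data_disk_ade rg-linux vm-linux-01 kv-ade-demo "$@"
fi
```

After the extension reports success, run the lsblk check inside the VM: `mount_is_dmcrypt "$(lsblk -rno NAME,TYPE,MOUNTPOINT)" /data` should succeed, and /scratch in the sample fstab shows the failure mode to avoid, a mount by device name that will not come back after the disk is re-mapped.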