Protecting Data in Use: A Deep Dive into Azure Confidential VMs and HSM Encryption
Why Confidential Computing with HSM-Backed Keys Is Essential:
In today’s cloud-first world, protecting sensitive data during processing is just as critical as securing it at rest or in transit. Azure Confidential Computing (ACC) Virtual Machines, when combined with Hardware Security Module (HSM)-backed Customer-Managed Keys (CMKs), provide a robust solution for organizations with strict security and compliance requirements.
In this blog, we’ll explore a scenario and walk through a step-by-step solution to meet these advanced data protection needs.
Scenario:
The customer needs to run a highly sensitive application, perhaps one that processes financial transactions, handles healthcare data, or supports a government workload. The customer demands not only high performance and isolation, but also complete encryption backed by Hardware Security Modules (HSMs).
Solution:
Components:
- Azure Confidential Computing Virtual Machine (ACC VM)
- Key Vault Premium (HSM Backed Key)
- Key Vault Key (CMK)
- Disk Encryption Set
ACC VM with HSM CMK disk encryption
Azure Confidential Computing (ACC) VMs are designed to protect data in use by performing computations in a hardware-based Trusted Execution Environment (TEE). This ensures that data remains secure even when it is being processed. Disk Encryption with HSM (Hardware Security Module) involves using HSM-backed keys stored in Azure Key Vault to encrypt the disks of your VMs. This provides an additional layer of security by ensuring that encryption keys are stored in a highly secure environment.
Importance of Confidential VMs
Confidential VMs are crucial for organizations that handle sensitive data and require enhanced security measures. They provide the following benefits:
- Data Protection: Confidential VMs protect data in use, ensuring that it remains secure even during processing.
- Compliance: They help organizations meet regulatory and compliance requirements by providing robust security measures.
- Trust: By using hardware-based TEEs, Confidential VMs build trust with customers and stakeholders by ensuring that data is protected at all times.
- Confidential VM Disk Encryption: Confidential VM OS disk encryption with Customer-Managed Keys (CMK), using an HSM-backed key in a Premium-tier Key Vault, provides enhanced security for virtual machines (VMs). This guide walks you through the steps to configure confidential VM OS disk encryption with Key Vault Premium (HSM-backed key).
The following resources must be created in sequence to deploy Azure Confidential Computing (ACC) VMs with OS disk encryption using HSM-backed Customer-Managed Keys (CMKs):
- Key Vault with Premium Pricing Tier (HSM-backed key)
- Disk Encryption Set utilizing HSM key
- Azure Confidential VM with Disk Encryption Set
Prerequisites to create ACC VM
1. An Azure subscription. Free trial accounts don't support confidential VM.
2. To set up Confidential disk encryption with a customer-managed key, execute the command below to opt in the Confidential VM Orchestrator service principal to your tenant.
Connect-Graph -Tenant "your tenant ID" Application.ReadWrite.All
New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"
3. Ensure that your subscription includes the following sizes, as Confidential VMs support only these VM sizes:
- General Purpose without local disk: DCasv5-series, DCesv5-series
- General Purpose with local disk: DCadsv5-series, DCedsv5-series
- Memory Optimized without local disk: ECasv5-series, ECesv5-series
- Memory Optimized with local disk: ECadsv5-series, ECedsv5-series
- NVIDIA H100 Tensor Core GPU powered NCCadsH100v5-series
4. OS images for confidential VMs must meet specific security requirements to support a confidential OS disk encryption and ensure isolation from the underlying cloud infrastructure. Refer to the following link for the most up-to-date list of supported OS images for Azure Confidential Computing (ACC) VMs:
Steps to Configure Azure Disk Encryption Set with Key Vault Supported HSM
Step 1: Create a Key Vault with Premium Pricing Tier
1. Create Key Vault: Use the following command to create a Key Vault with the Premium pricing tier, which supports HSM-backed keys.
az keyvault create --name <keyvaultName> --resource-group <resourceGroupName> --location <location> --sku premium --enable-rbac-authorization false
2. Enable Purge Protection: Enable purge protection to add an extra layer of security.
az keyvault update --name <keyvaultName> --resource-group <resourceGroupName> --enable-purge-protection true
3. Configure Access Policy: Set the access policy to grant the necessary permissions to the user-managed identity. If you don’t have a user-managed identity, you can create one.
az keyvault set-policy --name <keyvaultName> --object-id <user-managed-identity-object-id> --secret-permissions get list --key-permissions get list --certificate-permissions get list
4. Create HSM-backed Key: Create an HSM-backed CMK key in the Key Vault.
az keyvault key create --vault-name <keyvaultName> --name <KeyName> --protection hsm
Step 2: Create a Disk Encryption Set
1. Create Disk Encryption Set: Use the following command to create a Disk Encryption Set that will use the HSM-backed key.
az disk-encryption-set create --resource-group <resourceGroupName> --name <diskEncryptionSetName> --key-url <https://<vaultEndpoint>/keys/<keyName>/<keyVersion>> --source-vault <KeyVaultName>
2. Grant Permissions: Grant necessary permissions to the Disk Encryption Set.
az keyvault set-policy --name <keyvaultName> --resource-group <KeyVault Resource Group Name> --object-id $(az disk-encryption-set show --resource-group <rg of diskEncryptionSet> --name <diskEncryptionSetName> --query "identity.principalId" -o tsv) --key-permissions wrapKey unwrapKey get
Best Practices
- Use Purge Protection: Always enable purge protection for your Key Vault to prevent accidental or malicious deletion of keys.
- Monitor and Audit: Continuously monitor and audit access to your Key Vault and encryption keys to detect any unauthorized access.
By following these steps and best practices, you can ensure that your data is securely encrypted using Azure Disk Encryption with Key Vault's HSM-backed keys.
Step 3: Azure Confidential Computing VM Creation and Disk Encryption with HSM Key
Create the ACC VM: Use the following command to create an ACC VM and encrypt its OS disk with the Disk Encryption Set.
az vm create --resource-group <RG of VM> --name <VM_Name> --image <Image name from supported list of os image ex. "Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest"> --size <confidential vm supported size, ex. Standard_DC64ads_v5> --admin-username <UserName> --generate-ssh-keys --enable-vtpm true --public-ip-sku Standard --security-type ConfidentialVM --os-disk-security-encryption-type DiskWithVMGuestState --os-disk-encryption-set $(az disk-encryption-set show --resource-group <rg name diskEncryptionSet> --name <diskEncryptionSet name> --query id -o tsv)
By following these steps, you can create an Azure Confidential Computing VM and encrypt its operating system (OS) disk using the Disk Encryption Set created earlier.
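As an added example (not part of the original post or of Microsoft's tooling), the Python check below takes the JSON printed by `az keyvault show`, `az keyvault key show`, `az disk-encryption-set show` and `az vm show` after Step 3 and reports any setting that differs from what Steps 1 to 3 configure. The sample input is constructed, and the `vault`/`key`/`des`/`vm` wrapper keys and the `dig` and `audit` helpers are names chosen for this example.

```python
# Constructed sample shaped like the output of `az keyvault show`,
# `az keyvault key show`, `az disk-encryption-set show` and `az vm show`.
# Every identifier below is a placeholder, not a real resource.
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des")
KEY_ID = "https://example-kv.vault.azure.net/keys/example-cmk/0123456789abcdef"
SAMPLE = {
    "vault": {"properties": {"sku": {"name": "premium"}, "enablePurgeProtection": True}},
    "key": {"key": {"kty": "RSA-HSM", "kid": KEY_ID}},
    "des": {"id": DES_ID, "activeKey": {"keyUrl": KEY_ID}},
    "vm": {"securityProfile": {"securityType": "ConfidentialVM",
                               "uefiSettings": {"vTpmEnabled": True}},
           "storageProfile": {"osDisk": {"managedDisk": {
               "diskEncryptionSet": {"id": DES_ID},
               "securityProfile": {"securityEncryptionType": "DiskWithVMGuestState"}}}}},
}

def dig(obj, path):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    for part in path.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def audit(state):
    """Return a list of findings; an empty list means every check passed."""
    disk = dig(state, "vm.storageProfile.osDisk.managedDisk") or {}
    des_id = (dig(state, "des.id") or "").lower()  # ARM IDs are case-insensitive
    attached = {(dig(disk, p) or "").lower()
                for p in ("diskEncryptionSet.id", "securityProfile.diskEncryptionSet.id")}
    key_id = dig(state, "key.key.kid")
    checks = [
        ((dig(state, "vault.properties.sku.name") or "").lower() == "premium",
         "Key Vault is not Premium tier"),
        (dig(state, "vault.properties.enablePurgeProtection") is True,
         "purge protection is not enabled"),
        ((dig(state, "key.key.kty") or "").endswith("-HSM"),
         "key is not HSM-protected"),
        (key_id is not None and dig(state, "des.activeKey.keyUrl") == key_id,
         "disk encryption set does not use this key version"),
        (dig(state, "vm.securityProfile.securityType") == "ConfidentialVM",
         "VM security type is not ConfidentialVM"),
        (dig(state, "vm.securityProfile.uefiSettings.vTpmEnabled") is True,
         "vTPM is not enabled"),
        (dig(disk, "securityProfile.securityEncryptionType") == "DiskWithVMGuestState",
         "OS disk encryption type is not DiskWithVMGuestState"),
        (des_id != "" and des_id in attached,
         "OS disk does not reference the disk encryption set"),
    ]
    return [message for ok, message in checks if not ok]
```

To run it against a real deployment, save each `az ... show -o json` output, load it with `json.load`, and pass the four documents to `audit` under the same wrapper keys.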
Common Questions About Azure Confidential Virtual Machines
1. Can a custom image be used for a confidential virtual machine (CVM)?
Ans: Yes, a custom image can be used for a CVM. Refer to => Create a custom image for Azure confidential VMs | Microsoft Learn
2. What disk SKU and encryption can be used for the OS, TEMP, and DATA disks in a CVM with CMK?
Ans:
- For Azure Confidential VMs, the supported disk SKUs are primarily within the "DCasv5" and "ECasv5" series. Supported VM SKUs are => Azure Confidential VM options | Microsoft Learn
- Confidential OS disk encryption => About Azure confidential VMs | Microsoft Learn
- Confidential temp disk encryption => About Azure confidential VMs | Microsoft Learn
3. Is CVM backup supported in Azure Backup?
Ans: Backup of ACC is not supported in Azure as of now.