Oct 28 2017 01:02 AM - last edited on May 24 2021 03:26 PM by TechCommunityAP
I am trying to understand the integration between Azure key vault and Virtual Machine disk encryption.
When I use this command to encrypt the OS drive for a VM:
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID
I can see in my key vault that there is the BEK under the [Secrets] section inside the vault. Which makes sense, as this is the actual key used to do the symmetric disk encryption.
Now, I want to use the KEK as well to wrap the symmetric key. To do that, I go to the key vault and create a KEY, which creates an RSA asymmetric key under the [Keys] section inside the key vault. Now I run this command to encrypt a drive in a VM, specifying the KEK.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID -KeyEncryptionKeyUrl "https://virtualmachinekv2.vault.azure.net/keys/KEK/0894977d6da14e50b6f170d34c9e0277" -KeyEncryptionKeyVaultId $kv_id
Now the disk is encrypted, but in the key vault, I cannot see any BEK generated under the [Secrets] section of my vault. So what just happened? Where is my BEK?
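An added example for checking this from the VM side rather than from the portal (it is not part of the original post, and it does not answer where the BEK went on its own). Azure Disk Encryption records, on the VM's encryption status, the URL of the Key Vault secret holding the BEK and, when one was supplied, the URL of the KEK used to wrap it; the script reads those URLs and then looks up the referenced secret by name and version so it can be compared against what the vault actually lists. It assumes the AzureRM module is loaded, Login-AzureRmAccount has been run, and $rgName, $vmName and $kvName name the same resource group, VM and vault used in the question ($kvName is an assumed variable, not one from the post). The functions Get-AdeKeyReferences and Split-KeyVaultSecretUrl are written here for illustration and are not Azure cmdlets.

```powershell
# Added example, not from the original post. Assumes the AzureRM module is loaded,
# Login-AzureRmAccount has been run, and $rgName, $vmName and $kvName (assumed
# variable) identify the resource group, VM and Key Vault from the question.

# Hypothetical helper: pull the BEK secret URL and KEK key URL the VM references.
function Get-AdeKeyReferences {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )

    $status   = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    $settings = $status.OsVolumeEncryptionSettings   # may be $null if nothing was recorded on the VM model

    [pscustomobject]@{
        OsVolumeEncrypted = $status.OsVolumeEncrypted
        ProgressMessage   = $status.ProgressMessage
        # URL of the Key Vault *secret* holding the OS volume BEK ($null if not recorded).
        BekSecretUrl      = $settings.DiskEncryptionKey.SecretUrl
        # URL of the Key Vault *key* used to wrap the BEK; $null when no KEK was supplied.
        KekKeyUrl         = $settings.KeyEncryptionKey.KeyUrl
    }
}

# Hypothetical helper: split a secret URL of the form
# https://<vault>.vault.azure.net/secrets/<name>/<version> into name and version.
function Split-KeyVaultSecretUrl {
    param([Parameter(Mandatory)] [string] $SecretUrl)

    $segments = ([uri]$SecretUrl).AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -lt 3 -or $segments[0] -ne 'secrets') {
        throw "Not a Key Vault secret URL: $SecretUrl"
    }
    [pscustomobject]@{ Name = $segments[1]; Version = $segments[2] }
}

$refs = Get-AdeKeyReferences -ResourceGroupName $rgName -VMName $vmName
$refs | Format-List

if ($refs.BekSecretUrl) {
    $id = Split-KeyVaultSecretUrl -SecretUrl $refs.BekSecretUrl
    # Fetch exactly the secret version the VM points at; Tags carry whatever
    # metadata the extension attached to it when it was written.
    Get-AzureRmKeyVaultSecret -VaultName $kvName -Name $id.Name -Version $id.Version |
        Select-Object Name, Version, Enabled, Created, Tags
}

# Everything currently in the vault, so the secrets and keys can be matched
# against the URLs the VM references.
Get-AzureRmKeyVaultSecret -VaultName $kvName | Select-Object Name, Enabled, Created
Get-AzureRmKeyVaultKey    -VaultName $kvName | Select-Object Name, Enabled, Created
```

If BekSecretUrl is empty, the VM model simply did not record the settings and the vault listing at the end is the only evidence to go on; if it is populated but the named secret is missing from the listing, the discrepancy is worth raising as a support case with the two URLs attached.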