Microsoft Tech Community

Virtual Machine encryption with KEK and BEK

Iron Contributor

I am trying to understand the integration between Azure key vault and Virtual Machine disk encryption.

When I use this command to encrypt the OS drive of a VM:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID

I can see in my key vault that there is the BEK under the [secrets] section inside the vault, which makes sense, as this is the actual key used to do the symmetric disk encryption.

Now, I want to use the KEK as well to wrap the symmetric key. To do that, I go to the key vault and create a KEY, which creates an RSA asymmetric key under the [Key] section inside the key vault. Now I run this command to encrypt a drive in a VM, specifying the KEK:


Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID -KeyEncryptionKeyUrl "https://virtualmachinekv2.vault.azure.net/keys/KEK/0894977d6da14e50b6f170d34c9e0277" -KeyEncryptionKeyVaultId $kv_id

Now the disk is encrypted, but in the key vault I cannot see any BEK generated under the [secrets] section of my vault. So what just happened? Where is my BEK?


0 Replies
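The post runs the encryption but never looks at what the VM and the vault actually record afterwards. The following script is an added example (it is not part of the post and not Microsoft's own code) that does that inspection with the current Az PowerShell module rather than the deprecated AzureRm cmdlets used above. It reads the VM's reported OS-volume encryption settings, which carry both the BEK secret reference and, when one was supplied, the KEK key reference, then lists the vault's secrets with their tags and the versions of the KEK. The resource group, VM name and vault name are placeholders; the key name `KEK` and vault `virtualmachinekv2` are taken from the post's URL. Listing secrets returns only metadata (names, tags, timestamps), never secret values, and requires the `list` permission on secrets in the vault's access policy or an equivalent RBAC role.

```powershell
# Added example: inspect what an ADE-encrypted VM references in Key Vault.
# Requires the Az.Compute and Az.KeyVault modules and an active Connect-AzAccount
# session. Resource names below are placeholders (assumption), except the vault
# and key name, which come from the KEK URL in the post.
param(
    [string]$rgName = 'myResourceGroup',   # placeholder
    [string]$vmName = 'myVm',              # placeholder
    [string]$kvName = 'virtualmachinekv2', # vault name from the post's KEK URL
    [string]$kekName = 'KEK'               # key name from the post's KEK URL
)

function Get-AdeKeyReferences {
    # Returns what the VM reports as its OS-volume encryption settings:
    # the BEK secret URL and, if a KEK was used, the KEK key URL.
    param([string]$ResourceGroupName, [string]$VMName)

    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    $os = $status.OsVolumeEncryptionSettings

    [pscustomobject]@{
        OsVolumeEncrypted    = $status.OsVolumeEncrypted
        DataVolumesEncrypted = $status.DataVolumesEncrypted
        BekSecretUrl         = $os.DiskEncryptionKey.SecretUrl   # the wrapped/stored BEK secret
        KekKeyUrl            = $os.KeyEncryptionKey.KeyUrl       # null when no KEK was supplied
        ProgressMessage      = $status.ProgressMessage
    }
}

function Get-VaultSecretInventory {
    # Lists secret metadata (no values) together with the tags ADE attaches,
    # so a BEK secret can be recognised by its tags even if its name is a GUID.
    param([string]$VaultName)

    Get-AzKeyVaultSecret -VaultName $VaultName | ForEach-Object {
        $tags = if ($_.Tags) {
            ($_.Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        } else { '' }
        [pscustomobject]@{
            Name    = $_.Name
            Created = $_.Created
            Enabled = $_.Enabled
            Tags    = $tags
        }
    }
}

# 1. What the VM says it is encrypted with.
Get-AdeKeyReferences -ResourceGroupName $rgName -VMName $vmName | Format-List

# 2. Every secret in the vault, with ADE's tags, to locate the BEK.
Get-VaultSecretInventory -VaultName $kvName | Format-Table -AutoSize

# 3. The KEK and all of its versions; the version id in the VM's KekKeyUrl
#    must match one of these, or unwrapping the BEK at boot will fail.
Get-AzKeyVaultKey -VaultName $kvName -Name $kekName -IncludeVersions |
    Select-Object Name, Version, Enabled, Created, Expires | Format-Table -AutoSize
```

Compare the `BekSecretUrl` from step 1 against the names in step 2: the VM's reference is authoritative for which vault and which secret hold the BEK, regardless of what the portal's secrets blade shows. If `KekKeyUrl` is populated, the BEK that step 2 lists is the wrapped form, and the key version in that URL should be present and enabled in step 3; disabling or purging that version renders the disk unrecoverable.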