
Virtual Machine encryption with KEK and BEK

Ammar Hasayen
MVP

I am trying to understand the integration between Azure key vault and Virtual Machine disk encryption.


When I use this command to encrypt the OS drive for a VM:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID


I can see in my key vault that there is the BEK under the [secrets] section inside the vault, which makes sense, as this is the actual key used to do the symmetric disk encryption.


Now, I want to use the KEK as well to wrap the symmetric key. To do that, I will go to the key vault and create a KEY, which will create an RSA asymmetric key under the [Key] section inside the key vault. Now I run this command to encrypt a drive in a VM, specifying the KEK:


Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID -KeyEncryptionKeyUrl "https://virtualmachinekv2.vault.azure.net/keys/KEK/0894977d6da14e50b6f170d34c9e0277" -KeyEncryptionKeyVaultId $kv_id


Now the disk is encrypted, but in the key vault, I cannot see any BEK generated under the [secrets] section of my vault. So what just happened? Where is my BEK?
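A check worth running after the second command, added here as an example and not part of the original post: ask the VM model which secret and key it actually references, then look that exact secret up in the vault it points at and inspect the tags on it. It uses the AzureRM cmdlets from the post; the vault name is derived from the secret URL rather than assumed, and the tag name DiskEncryptionKeyEncryptionKeyURL is an assumption about what Azure Disk Encryption writes on the BEK secret.

```powershell
# Added example (not from the original post). Locates the BEK secret a VM
# references after Azure Disk Encryption with a KEK. Assumes the AzureRM
# modules used in the post and an existing Login-AzureRmAccount session.
$rgName = "<resource-group>"   # placeholder, same role as $rgName in the post
$vmName = "<vm-name>"          # placeholder, same role as $vmName in the post

# 1. Read what the VM itself references: the BEK secret URL and the KEK URL.
$status   = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$settings = $status.OsVolumeEncryptionSettings
if (-not $settings -or -not $settings.DiskEncryptionKey) {
    Write-Warning "VM reports no OS volume encryption settings; encryption may not have completed."
    return
}
Write-Host "OS volume encrypted : $($status.OsVolumeEncrypted)"
Write-Host "BEK secret URL      : $($settings.DiskEncryptionKey.SecretUrl)"
Write-Host "KEK key URL         : $($settings.KeyEncryptionKey.KeyUrl)"

# 2. Split the secret URL (https://<vault>.vault.azure.net/secrets/<name>/<version>)
#    so the lookup goes to the vault the VM really uses, not the one we assume.
$secretUri  = [Uri]$settings.DiskEncryptionKey.SecretUrl
$parts      = $secretUri.AbsolutePath.Trim('/').Split('/')
$vaultName  = $secretUri.Host.Split('.')[0]
$secretName = $parts[1]
$secretVer  = $parts[2]
Write-Host "Looking in vault    : $vaultName (secret $secretName, version $secretVer)"

# 3. Fetch that exact secret version and show the tags ADE placed on it.
$secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -Version $secretVer `
                                  -ErrorAction SilentlyContinue
if (-not $secret) {
    Write-Warning "Secret not found in $vaultName; compare with the vault behind -DiskEncryptionKeyVaultUrl."
    return
}
foreach ($tag in $secret.Tags.GetEnumerator()) {
    Write-Host ("tag {0} = {1}" -f $tag.Key, $tag.Value)
}

# 4. Consistency check: the KEK recorded on the secret should be the KEK the VM references.
$kekOnSecret = $secret.Tags['DiskEncryptionKeyEncryptionKeyURL']   # assumed ADE tag name
if ($settings.KeyEncryptionKey.KeyUrl -and $kekOnSecret -ne $settings.KeyEncryptionKey.KeyUrl) {
    Write-Warning "KEK recorded on the secret differs from the KEK in the VM's encryption settings."
}
```

If step 2 prints a vault other than the one you were browsing, the BEK was written to the vault named by -DiskEncryptionKeyVaultUrl, which need not be the vault holding the KEK.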

