Azure Disk Encryption
Palette supports disk encryption for Azure IaaS clusters using Azure Disk Storage server-side encryption (SSE) and Azure encryption at host (EAH). By default, Azure encrypts every managed disk with SSE using platform-managed keys (PMK). You can instead use customer-managed keys (CMK) through an Azure disk encryption set (DES), which gives you control over the key material and its lifecycle in Azure Key Vault.
SSE does not encrypt temporary disks or disk caches. To ensure end-to-end encryption, use EAH. SSE and EAH can be used independently or together. To use either method, the Kubernetes layer of your cluster profile must use the Palette eXtended Kubernetes (PXK) pack.
The following table highlights use cases for each encryption method.
| Feature | Server-side encryption (SSE) | Encryption at host (EAH) |
|---|---|---|
| Encryption method | Encrypts data stored on Azure-managed OS and data disks. Does not encrypt temporary disks or disk caches. | EAH only: encrypts temporary disks and disk caches with PMK. EAH + SSE: encrypts temporary disks and disk caches, as well as managed disks. |
| Key management | Supports CMK via a DES. | Uses PMK for temporary disks and disk caches. Can use a DES for managed disks when combined with SSE. |
| Special requirements | None | Requires VM sizes that report the EncryptionAtHostSupported capability. |
| Default configuration | Enabled by default with PMK. You can optionally provide a CMK via a DES in the AzureMachineTemplate. | Disabled by default. |
Limitations
- Azure Disk Encryption for Virtual Machines and Virtual Machine Scale Sets (the in-guest BitLocker/dm-crypt feature) is not supported for any Azure cluster.
- SSE and EAH are not supported for AKS clusters.
- Palette eXtended Kubernetes (PXK) must be used in the Kubernetes layer of your cluster profile to use SSE or EAH.
- If the key referenced by your disk encryption set expires in Azure Key Vault, cluster operations that create or attach disks may fail. To resolve this, generate a new key version in Azure Key Vault and update your disk encryption set to reference it. We recommend enabling automatic key rotation on your disk encryption set so that it picks up new key versions from Azure Key Vault on its own.
  No changes are needed in Palette when a new key is created: the PXK pack references the resource ID of your disk encryption set, which does not change.
- (EAH only) The VM sizes used by your node pools must support EAH.

Azure CLI command to validate EAH VM compatibility

Use the following command to list the VM sizes in a region that support EAH. Replace `<region-code>` with the region you will deploy your cluster in.

```shell
az vm list-skus --location <region-code> --all \
  --resource-type virtualMachines \
  --query "[?capabilities[?name=='EncryptionAtHostSupported' && value=='True']].{VMName:name, EncryptionAtHost:capabilities[?name=='EncryptionAtHostSupported'].value | [0]}" \
  --output table
```

To limit the output to a specific VM family, append `| grep --ignore-case <VM-family>` to the command above, replacing `<VM-family>` with the applicable family.
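The following Python script is an added example and is not part of the Palette documentation or the PXK pack. It automates the two EAH checks described above: that the EncryptionAtHost feature is registered for the subscription, and that the VM size you intend to use reports EncryptionAtHostSupported in the target region, using the same `az vm list-skus` data the command above prints. The function names and the constructed SAMPLE_SKUS list are mine; the `az` commands are the standard Azure CLI ones.

```python
"""Pre-flight check for Encryption at Host (EAH) on Azure.

Added example, not part of the Palette documentation. Only main() calls the
Azure CLI; the parsing helpers are pure so they can be exercised on the
constructed sample at the bottom of the file.
"""
import json
import subprocess
import sys


def eah_capable_skus(skus, family=None):
    """Return the sorted names of VM SKUs whose capabilities list
    EncryptionAtHostSupported == "True".

    skus is the parsed JSON from `az vm list-skus --resource-type virtualMachines`.
    family, if given, is matched case-insensitively against the SKU's "family"
    field (for example "DSv5" matches "standardDSv5Family")."""
    out = []
    for sku in skus:
        caps = {c["name"]: c["value"] for c in sku.get("capabilities", [])}
        if caps.get("EncryptionAtHostSupported", "False") != "True":
            continue
        if family and family.lower() not in sku.get("family", "").lower():
            continue
        out.append(sku["name"])
    return sorted(out)


def feature_registered(feature):
    """True when `az feature show` output reports state Registered."""
    return feature.get("properties", {}).get("state") == "Registered"


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "--output", "json"]))


def main(location, vm_size, family=None):
    feat = az("feature", "show", "--namespace", "Microsoft.Compute", "--name", "EncryptionAtHost")
    if not feature_registered(feat):
        print("EncryptionAtHost is not registered for this subscription; run:\n"
              "  az feature register --namespace Microsoft.Compute --name EncryptionAtHost\n"
              "  az provider register --namespace Microsoft.Compute")
        return 1
    skus = az("vm", "list-skus", "--location", location,
              "--resource-type", "virtualMachines", "--all")
    capable = eah_capable_skus(skus, family)
    if vm_size not in capable:
        print(f"{vm_size} does not support EAH in {location}. "
              f"Capable sizes: {', '.join(capable) or 'none'}")
        return 1
    print(f"{vm_size} supports Encryption at Host in {location}")
    return 0


# Constructed sample shaped like `az vm list-skus` output, trimmed to the
# fields used above; real output carries many more capabilities per SKU.
SAMPLE_SKUS = [
    {"name": "Standard_D4s_v5", "family": "standardDSv5Family",
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "True"}]},
    {"name": "Standard_D4_v5", "family": "standardDv5Family",
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "True"}]},
    {"name": "Standard_A2_v2", "family": "standardAv2Family",
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "False"}]},
    {"name": "Standard_B2s", "family": "standardBSFamily",
     "capabilities": [{"name": "vCPUs", "value": "2"}]},  # capability absent
]

if __name__ == "__main__":
    # usage: python eah_preflight.py <region> <vm-size> [<family-substring>]
    sys.exit(main(*sys.argv[1:4]))
```

Run it before creating the profile, for example `python eah_preflight.py eastus Standard_D4s_v5` (the file name is an assumption). Matching on the SKU's `family` field avoids the false positives a substring grep on the size name can produce.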
New Cluster Profile
Take the following steps to create a cluster profile with SSE or EAH enabled.
Prerequisites
- An Azure user account with the following roles to create the Azure Key Vault and disk encryption set with the necessary Azure Key Vault access policies. For more information, visit Azure built-in roles for Key Vault data plane operations.

  | Task | Required role |
  |---|---|
  | Create Azure Key Vault and key | Key Vault Contributor |
  | Create disk encryption set and assign Azure Key Vault key | Key Vault Administrator |
  | Assign Azure Key Vault access policies (Get, Wrap Key, Unwrap Key) | Key Vault Crypto Service Encryption User |
  | (Optional) Assign user-assigned managed identity to Azure Key Vault and disk encryption set | Managed Identity Operator |

- An Azure Key Vault with the following configuration:
  - Resource access: Azure Virtual Machines for deployment
  - Purge protection: enabled (Azure requires soft delete and purge protection on a Key Vault that backs a disk encryption set, so that a deleted key cannot leave your disks unrecoverable)
- A disk encryption set with the encryption type set to Encryption at-rest with a customer-managed key.
- (EAH only) EAH enabled for your Azure subscription, that is, the Microsoft.Compute EncryptionAtHost feature registered.
- The Azure Key Vault must have the following access policies assigned to the disk encryption set that you want to use:
  - Key Management Operations: Get
  - Cryptographic Operations: Unwrap Key, Wrap Key

  If you have designated a user-assigned managed identity for the disk encryption set, assign the same access policies to that identity in the Azure Key Vault.
Enable Disk Encryption
Use the following steps to enable disk encryption on a new cluster profile.
1. Log in to Palette.
2. Ensure you are in the correct project scope.
3. From the left main menu, select Profiles, then Add Cluster Profile.
4. Fill out the Basic Information for your cluster profile. Choose a cluster profile Type of Full or Infrastructure. Select Next.
5. Choose Azure IaaS for your Infrastructure Provider and select Next.
6. Choose your base OS pack and make any necessary modifications. Select Next layer when complete.
7. Select Palette eXtended Kubernetes (PXK) as your Kubernetes pack.
8. On the Configure Pack drawer, below Pack Details, select Values, and click the </> button to display the YAML editor. Then follow the steps for your encryption method: SSE Only, SSE + EAH, or EAH Only.
SSE Only
1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.
2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: ""
   ```

3. Fill in `diskEncryptionSetID` with the resource ID of your disk encryption set.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
   ```

   To find the resource ID of your disk encryption set:
   1. Log in to the Azure Portal.
   2. Use the search bar to locate and select the Disk Encryption Sets resource, then select your disk encryption set.
   3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.
   4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the `diskEncryptionSetID` field in the Palette YAML editor.

4. Make any other necessary changes and select Next.
5. Add the remaining storage and networking layers to your cluster profile, making changes where necessary. If you selected Full for your cluster profile Type, you have the option to add add-on layers as well.
6. Select Finish Configuration to save your cluster profile. For more information on creating cluster profiles, refer to our Create Cluster Profiles guide.
SSE + EAH
1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.
2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: ""
   ```

3. Fill in `diskEncryptionSetID` with the resource ID of your disk encryption set.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
   ```

   To find the resource ID of your disk encryption set:
   1. Log in to the Azure Portal.
   2. Use the search bar to locate and select the Disk Encryption Sets resource, then select your disk encryption set.
   3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.
   4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the `diskEncryptionSetID` field in the Palette YAML editor.

4. In the YAML editor, add a line after `diskEncryptionSetID` that has `encryptionAtHost: true` to enable EAH.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
       encryptionAtHost: true
   ```

5. Make any other necessary changes and select Next.
6. Add the remaining storage and networking layers to your cluster profile, making changes where necessary. If you selected Full for your cluster profile Type, you have the option to add add-on layers as well.
7. Select Finish Configuration to save your cluster profile. For more information on creating cluster profiles, refer to our Create Cluster Profiles guide.
EAH Only
1. In the YAML editor, add `encryptionAtHost: true` at the bottom of the manifest to enable EAH.

   ```yaml
   cloud:
     azure:
       encryptionAtHost: true
   ```

2. Make any other necessary changes and select Next.
3. Add the remaining storage and networking layers to your cluster profile, making changes where necessary. If you selected Full for your cluster profile Type, you have the option to add add-on layers as well.
4. Select Finish Configuration to save your cluster profile. For more information on creating cluster profiles, refer to our Create Cluster Profiles guide.
You can now create a new Azure IaaS cluster with disk encryption enabled using this cluster profile. Once the cluster is created, you can validate disk encryption enablement.
Validate
Follow these steps to confirm that encryption is enabled on your Azure VM disks. Use the SSE steps to confirm customer-managed key encryption and the EAH steps to confirm Encryption at Host.

Validating SSE
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Disks resource.
3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk` and `<cluster-name>-cp-36298-7gqb9_OSDisk`).
4. On the disk Overview page, select the Properties tab and scroll down to the Encryption section. Ensure that the Encryption type shows Customer-managed key and that the disk encryption set listed is the one you referenced in the cluster profile.
5. Repeat steps 3 and 4 for each disk in your cluster.

Validating EAH
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Virtual machines resource.
3. Locate and select a VM in your cluster using the search filters provided. One way to locate the applicable VMs is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9` and `<cluster-name>-cp-36298-7gqb9`).
4. On the VM Overview page, scroll down to the Disk section. Ensure that Encryption at host shows Enabled.
5. Repeat steps 3 and 4 for each VM in your cluster.
Active Cluster
Prerequisites
- An Azure user account with the following roles to create the Azure Key Vault and disk encryption set with the necessary Azure Key Vault access policies. For more information, visit Azure built-in roles for Key Vault data plane operations.

  | Task | Required role |
  |---|---|
  | Create Azure Key Vault and key | Key Vault Contributor |
  | Create disk encryption set and assign Azure Key Vault key | Key Vault Administrator |
  | Assign Azure Key Vault access policies (Get, Wrap Key, Unwrap Key) | Key Vault Crypto Service Encryption User |
  | (Optional) Assign user-assigned managed identity to Azure Key Vault and disk encryption set | Managed Identity Operator |

- An Azure Key Vault with the following configuration:
  - Resource access: Azure Virtual Machines for deployment
  - Purge protection: enabled (Azure requires soft delete and purge protection on a Key Vault that backs a disk encryption set, so that a deleted key cannot leave your disks unrecoverable)
- A disk encryption set with the encryption type set to Encryption at-rest with a customer-managed key.
- (EAH only) EAH enabled for your Azure subscription, that is, the Microsoft.Compute EncryptionAtHost feature registered.
- The Azure Key Vault must have the following access policies assigned to the disk encryption set that you want to use:
  - Key Management Operations: Get
  - Cryptographic Operations: Unwrap Key, Wrap Key

  If you have designated a user-assigned managed identity for the disk encryption set, assign the same access policies to that identity in the Azure Key Vault.
Enable Disk Encryption
Use the following steps to enable disk encryption on an active cluster by modifying an existing cluster profile.
Performing these steps will cause a full cluster repave.
1. Log in to Palette.
2. Ensure you are in the correct project scope.
3. From the left main menu, select Profiles. Locate and select the cluster profile to edit.
4. Expand the version drop-down menu next to the cluster profile name, and select Create new version.
5. Enter a new semantic Version for the cluster profile. Select Confirm.
6. Select the PXK layer to view the Edit Pack drawer.
7. On the Edit Pack drawer, below Pack Details, select Values, and click the </> button to display the YAML editor. Then follow the steps for your encryption method: SSE Only, SSE + EAH, or EAH Only.
SSE Only
1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.
2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: ""
   ```

3. Fill in `diskEncryptionSetID` with the resource ID of your disk encryption set.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
   ```

   To find the resource ID of your disk encryption set:
   1. Log in to the Azure Portal.
   2. Use the search bar to locate and select the Disk Encryption Sets resource, then select your disk encryption set.
   3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.
   4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the `diskEncryptionSetID` field in the Palette YAML editor.

4. Make any other necessary changes and select Confirm updates > Save Changes.
5. From the left main menu, select Clusters.
6. Locate and select the cluster you want to update.
7. On the Profile tab, expand the version drop-down menu, and under Infrastructure Layers, select the new version of your cluster profile that has disk encryption enabled.
8. Review & Save your changes, then select Review changes in Editor. If no additional changes are needed, Update your cluster.
SSE + EAH
1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.
2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: ""
   ```

3. Fill in `diskEncryptionSetID` with the resource ID of your disk encryption set.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
   ```

   To find the resource ID of your disk encryption set:
   1. Log in to the Azure Portal.
   2. Use the search bar to locate and select the Disk Encryption Sets resource, then select your disk encryption set.
   3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.
   4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the `diskEncryptionSetID` field in the Palette YAML editor.

4. In the YAML editor, add a line after `diskEncryptionSetID` that has `encryptionAtHost: true` to enable EAH.

   ```yaml
   cloud:
     azure:
       diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"
       encryptionAtHost: true
   ```

5. Make any other necessary changes and select Confirm updates > Save Changes.
6. From the left main menu, select Clusters.
7. Locate and select the cluster you want to update.
8. On the Profile tab, expand the version drop-down menu, and under Infrastructure Layers, select the new version of your cluster profile that has disk encryption enabled.
9. Review & Save your changes, then select Review changes in Editor. If no additional changes are needed, Update your cluster.
EAH Only
1. In the YAML editor, add `encryptionAtHost: true` at the bottom of the manifest to enable EAH.

   ```yaml
   cloud:
     azure:
       encryptionAtHost: true
   ```

2. Make any other necessary changes and select Confirm updates > Save Changes.
3. From the left main menu, select Clusters.
4. Locate and select the cluster you want to update.
5. On the Profile tab, expand the version drop-down menu, and under Infrastructure Layers, select the new version of your cluster profile that has disk encryption enabled.
6. Review & Save your changes, then select Review changes in Editor. If no additional changes are needed, Update your cluster.
Your cluster will now update and a full cluster repave will occur. Wait until the update has completed before confirming that disk encryption is enabled.
Validate
Follow these steps to confirm that encryption is enabled on your Azure VM disks. Use the SSE steps to confirm customer-managed key encryption and the EAH steps to confirm Encryption at Host.

Validating SSE
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Disks resource.
3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk` and `<cluster-name>-cp-36298-7gqb9_OSDisk`).
4. On the disk Overview page, select the Properties tab and scroll down to the Encryption section. Ensure that the Encryption type shows Customer-managed key and that the disk encryption set listed is the one you referenced in the cluster profile.
5. Repeat steps 3 and 4 for each disk in your cluster.

Validating EAH
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Virtual machines resource.
3. Locate and select a VM in your cluster using the search filters provided. One way to locate the applicable VMs is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9` and `<cluster-name>-cp-36298-7gqb9`).
4. On the VM Overview page, scroll down to the Disk section. Ensure that Encryption at host shows Enabled.
5. Repeat steps 3 and 4 for each VM in your cluster.
Disable Disk Encryption on an Active Cluster
Prerequisites
- An Azure user account with access to view disks in the resource group where the cluster resources are created (for example, the Reader role).
Disable Disk Encryption
Use the following steps to disable disk encryption on an active cluster by modifying an existing cluster profile. The steps are the same for every encryption method; only the change you make to the PXK values differs.
Performing these steps will cause a full cluster repave.
1. Log in to Palette.
2. Ensure you are in the correct project scope.
3. From the left main menu, select Profiles. Locate and select the cluster profile to edit.
4. Expand the version drop-down menu next to the cluster profile name, and select Create new version.
5. Fill the Version field with a new version number and select Confirm.
6. Select the Kubernetes layer to view the Edit Pack drawer.
7. In Values, click the </> button to show the YAML editor. Then follow the steps for your encryption method: SSE Only, SSE + EAH, or EAH Only.
SSE Only
1. On the right-hand side, expand the Presets drop-down menu, and select the Disable Encryption Using Customer-Managed Key option.
2. Select Confirm updates, then Save Changes.
3. From the left main menu, select Clusters.
4. Locate and select the cluster you want to update.
5. On the Profile tab, expand the version drop-down menu under Infrastructure Layers and select the version that has disk encryption disabled.
6. Select Review & Save, then Review changes in Editor in the Changes Summary box.
7. Review the changes and select Update.
SSE + EAH
1. On the right-hand side, expand the Presets drop-down menu, and select the Disable Encryption Using Customer-Managed Key option.
2. In the YAML editor, change `encryptionAtHost: true` to `encryptionAtHost: false`.

   ```yaml
   cloud:
     azure:
       encryptionAtHost: false
   ```

3. Select Confirm updates, then Save Changes.
4. From the left main menu, select Clusters.
5. Locate and select the cluster you want to update.
6. On the Profile tab, expand the version drop-down menu under Infrastructure Layers and select the version that has disk encryption disabled.
7. Select Review & Save, then Review changes in Editor in the Changes Summary box.
8. Review the changes and select Update.
EAH Only
1. In the YAML editor, change `encryptionAtHost: true` to `encryptionAtHost: false`.
2. Select Confirm updates, then Save Changes.
3. From the left main menu, select Clusters.
4. Locate and select the cluster you want to update.
5. On the Profile tab, expand the version drop-down menu, and under Infrastructure Layers, select the new version of your cluster profile that has disk encryption disabled.
6. Review & Save your changes, then select Review changes in Editor. If no additional changes are needed, Update your cluster.
Your cluster will now update and a full cluster repave will occur. Wait until the update has completed before confirming that disk encryption is disabled.
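The following Python helper is an added example and is not part of the Palette documentation or the PXK pack. It renders the `cloud.azure` fragment for each of the methods used in the enable procedures on this page (SSE Only, SSE + EAH, EAH Only) and for the disable procedure above, and it checks that the value placed in `diskEncryptionSetID` is a disk encryption set resource ID rather than, for example, the DES name or a Key Vault key URI, a mistake that would otherwise surface only when Azure rejects disk creation during the repave. The function names, the `off` mode name and the constructed EXAMPLE_DES_ID are mine.

```python
"""Render and sanity-check the cloud.azure values used by the PXK pack.

Added example, not part of the Palette documentation or the PXK pack.
Methods mirror the procedures on this page:
  "sse"     -> diskEncryptionSetID only (SSE with a customer-managed key)
  "sse+eah" -> diskEncryptionSetID plus encryptionAtHost: true
  "eah"     -> encryptionAtHost: true only (temp disks and caches use PMK)
  "off"     -> encryptionAtHost: false and no DES (the disable procedure;
               for an SSE-only profile the disable preset alone is enough,
               since EAH is disabled by default and false is the default)
"""
import re

# Shape of an Azure disk encryption set resource ID. The subscription is a
# GUID; resource group and DES names use letters, digits, '_', '-', '.'
# (resource groups may also contain parentheses). Azure compares the
# provider path case-insensitively, so the match does too.
_DES_ID = re.compile(
    r"^/subscriptions/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/resourceGroups/[\w.()-]+"
    r"/providers/Microsoft\.Compute/diskEncryptionSets/[\w.-]+$",
    re.IGNORECASE,
)


def is_disk_encryption_set_id(value):
    """True only for a full DES resource ID, not a bare name or a Key Vault URI."""
    return bool(_DES_ID.match(value or ""))


def azure_encryption_values(method, disk_encryption_set_id=None):
    """Return {"cloud": {"azure": {...}}} for the chosen method.

    Raises ValueError when a CMK method is requested without a valid DES ID."""
    method = method.lower()
    if method not in ("sse", "sse+eah", "eah", "off"):
        raise ValueError(f"unknown method {method!r}")
    azure = {}
    if method in ("sse", "sse+eah"):
        if not is_disk_encryption_set_id(disk_encryption_set_id):
            raise ValueError(
                "diskEncryptionSetID must be the DES resource ID "
                "(/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                "Microsoft.Compute/diskEncryptionSets/<name>), "
                f"got {disk_encryption_set_id!r}")
        azure["diskEncryptionSetID"] = disk_encryption_set_id
    if method in ("sse+eah", "eah"):
        azure["encryptionAtHost"] = True
    if method == "off":
        azure["encryptionAtHost"] = False
    return {"cloud": {"azure": azure}}


def to_yaml(values):
    """Render the fragment with the indentation shown in the procedures above."""
    lines = ["cloud:", "  azure:"]
    for key, val in values["cloud"]["azure"].items():
        rendered = f'"{val}"' if isinstance(val, str) else str(val).lower()
        lines.append(f"    {key}: {rendered}")
    return "\n".join(lines) + "\n"


# Constructed placeholder: zero GUID and made-up resource group / DES names.
EXAMPLE_DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                  "/resourceGroups/rg-palette/providers/Microsoft.Compute"
                  "/diskEncryptionSets/des-palette")

if __name__ == "__main__":
    for m in ("sse", "sse+eah", "eah", "off"):
        print(f"# {m}\n{to_yaml(azure_encryption_values(m, EXAMPLE_DES_ID))}")
```

Paste the rendered fragment into the PXK values editor in place of the hand-edited lines; the Azure resource ID check is deliberately strict, since an ID that merely looks plausible is accepted by the editor but rejected by Azure when the node's disk is created.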
Validate
Follow these steps to confirm that disk encryption has been disabled on your Azure VM disks. Use the SSE steps if you removed the customer-managed key and the EAH steps if you turned off Encryption at Host.

Validating SSE
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Disks resource.
3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk` and `<cluster-name>-cp-36298-7gqb9_OSDisk`).
4. On the disk Overview page, select the Properties tab and scroll down to the Encryption section. Ensure that the Encryption type shows Platform-managed key rather than Customer-managed key.
5. Repeat steps 3 and 4 for each disk in your cluster.

Validating EAH
1. Log in to the Azure Portal.
2. Use the search bar to locate and select the Virtual machines resource.
3. Locate and select a VM in your cluster using the search filters provided. One way to locate the applicable VMs is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, `<cluster-name>-worker-pool-1-9d40-8rcx9` and `<cluster-name>-cp-36298-7gqb9`).
4. On the VM Overview page, scroll down to the Disk section. Ensure that Encryption at host shows Disabled.
5. Repeat steps 3 and 4 for each VM in your cluster.
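The following Python script is an added example and is not part of the Palette documentation. It automates the three Validate sections on this page (after creating a cluster, after enabling encryption on an active cluster, and after disabling it): instead of opening each disk and VM in the portal, it reads `az disk list` and `az vm list` output for the resource group, keeps the resources whose names start with the cluster name (Palette prepends it to every VM and disk it creates), and compares each one with the state you expect: the DES resource ID for SSE with a customer-managed key (None after you disable it) and whether Encryption at Host should be on. The function names and the constructed SAMPLE_DISKS, SAMPLE_VMS and DES_ID values are mine; the `encryption.type`, `diskEncryptionSetId` and `securityProfile.encryptionAtHost` fields are what the Azure CLI returns.

```python
"""Audit the encryption state of a Palette cluster's Azure disks and VMs.

Added example, not part of the Palette documentation. Only main() calls the
Azure CLI; check_cluster() is pure so it can run on the constructed sample.
"""
import json
import subprocess
import sys

# Values Azure reports in disk.encryption.type for single encryption. A disk
# using double encryption reports EncryptionAtRestWithPlatformAndCustomerKeys
# and would be flagged here; extend wanted_type if you use that mode.
PMK = "EncryptionAtRestWithPlatformKey"
CMK = "EncryptionAtRestWithCustomerKey"


def check_cluster(cluster_name, disks, vms, expected_des_id=None, expect_eah=False):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    prefix = cluster_name.lower()
    wanted_type = CMK if expected_des_id else PMK

    cluster_disks = [d for d in disks if d["name"].lower().startswith(prefix)]
    cluster_vms = [v for v in vms if v["name"].lower().startswith(prefix)]
    if not cluster_disks or not cluster_vms:
        findings.append(f"no disks/VMs with prefix {cluster_name!r} found; "
                        "wrong resource group or cluster name?")

    for d in cluster_disks:
        enc = d.get("encryption") or {}
        if enc.get("type") != wanted_type:
            findings.append(f"disk {d['name']}: encryption type {enc.get('type')}, "
                            f"expected {wanted_type}")
        elif expected_des_id and \
                (enc.get("diskEncryptionSetId") or "").lower() != expected_des_id.lower():
            # Encrypted with a CMK, but not the DES referenced in the profile
            findings.append(f"disk {d['name']}: uses DES {enc.get('diskEncryptionSetId')}, "
                            f"expected {expected_des_id}")

    for v in cluster_vms:
        # securityProfile is null when EAH was never set on the VM
        eah = bool((v.get("securityProfile") or {}).get("encryptionAtHost"))
        if eah != expect_eah:
            findings.append(f"vm {v['name']}: encryptionAtHost={eah}, expected {expect_eah}")
    return findings


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "--output", "json"]))


def main(resource_group, cluster_name, expected_des_id=None, expect_eah=False):
    disks = az("disk", "list", "--resource-group", resource_group)
    vms = az("vm", "list", "--resource-group", resource_group)
    findings = check_cluster(cluster_name, disks, vms, expected_des_id, expect_eah)
    for f in findings:
        print("FAIL", f)
    print("compliant" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


# Constructed sample in the shape of `az disk list` / `az vm list` output,
# trimmed to the fields used above. One worker disk still uses the platform
# key and the control-plane VM has EAH off, so an "SSE + EAH enabled" audit
# should report exactly those two.
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-palette"
          "/providers/Microsoft.Compute/diskEncryptionSets/des-palette")
SAMPLE_DISKS = [
    {"name": "demo-cp-36298-7gqb9_OSDisk",
     "encryption": {"type": CMK, "diskEncryptionSetId": DES_ID}},
    {"name": "demo-worker-pool-1-9d40-8rcx9_OSDisk",
     "encryption": {"type": PMK, "diskEncryptionSetId": None}},
    {"name": "other-cluster-cp-1_OSDisk",  # another cluster; must be ignored
     "encryption": {"type": PMK, "diskEncryptionSetId": None}},
]
SAMPLE_VMS = [
    {"name": "demo-cp-36298-7gqb9", "securityProfile": {"encryptionAtHost": False}},
    {"name": "demo-worker-pool-1-9d40-8rcx9", "securityProfile": {"encryptionAtHost": True}},
]

if __name__ == "__main__":
    # usage: python audit_encryption.py <resource-group> <cluster-name> [<des-resource-id>] [--eah]
    args = [a for a in sys.argv[1:] if a != "--eah"]
    sys.exit(main(args[0], args[1], args[2] if len(args) > 2 else None, "--eah" in sys.argv))
```

Run it once the repave has finished (the file name is an assumption): pass the DES resource ID and `--eah` for an SSE + EAH cluster, only the DES ID for SSE, only `--eah` for EAH, and neither after disabling encryption. The prefix match on the cluster name mirrors the manual search the portal steps describe, and the DES comparison catches a disk that is encrypted with a customer-managed key from a different disk encryption set, which the portal's Encryption type field alone would not reveal.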