
Azure Disk Encryption

Palette supports disk encryption for Azure IaaS clusters using Azure Disk Storage server-side encryption (SSE) and Azure encryption at host (EAH). By default, Azure encrypts all SSE-managed disks with platform-managed keys (PMK); however, you can use customer-managed keys (CMK) through Azure Disk Encryption Sets (DES) instead of PMK, giving you greater control over your key management.

SSE does not encrypt temporary disks or disk caches. To ensure end-to-end encryption, use EAH. SSE and EAH can be used independently or alongside one another. To leverage either or both encryption methods, you must use the Palette eXtended Kubernetes (PXK) pack.

The following table highlights use cases for each encryption method.

Feature | Server Side Encryption (SSE) | Encryption at Host (EAH)
--- | --- | ---
Encryption Method | Encrypts your data stored on Azure-managed OS and data disks. Does not encrypt temporary disks or disk caches. | EAH only: encrypts temporary disks but not disk cache. EAH + SSE: encrypts temporary disks and disk cache, as well as managed disks.
Management Keys | Supports CMK via DES. | Uses PMK for temporary disks and disk cache. Can use DES for managed disks when used with SSE.
Special Requirements | - | Requires VM SKUs that support the EncryptionAtHost capability.
Default Configuration | Enabled by default with PMK. Can opt to provide CMK via DES in AzureMachineTemplate. | Disabled by default.

Limitations

  • SSE and EAH are not supported for AKS clusters.

  • Palette eXtended Kubernetes (PXK) must be used in the Kubernetes layer of your cluster profile to use SSE or EAH.

  • If a key expires in Azure Key Vault, your cluster may experience operation failures. To resolve this, generate a new key in Azure Key Vault and update your disk encryption set to reference the new key. We recommend enabling auto key rotation on your disk encryption set so it can automatically use new key versions from Azure Key Vault.

    info

    No changes are needed in Palette when a new key is created, as the PXK pack references the Uniform Resource Identifier (URI) of your disk encryption set, which remains unchanged.

  • (EAH only) The VM SKUs used by your cluster must be compatible with EAH.

    Azure CLI command to validate EAH VM compatibility

    Use the following command to validate which VMs are compatible with EAH. Replace <region-code> with the region you will deploy your cluster in.

    az vm list-skus --location <region-code> --all \
    --resource-type virtualMachines \
    --query "[?capabilities[?name=='EncryptionAtHostSupported' && value=='True']].{VMName:name, EncryptionAtHost:capabilities[?name=='EncryptionAtHostSupported'].value | [0]}" \
    --output table

    To limit your output to a specific VM family type, append | grep --ignore-case <VM-family> to the above command. Replace <VM-family> with the applicable family type.

New Cluster Profile

Take the following steps to create a cluster profile with SSE or EAH enabled.

Prerequisites

  • An Azure user account with the following roles to create the Azure Key Vault and disk encryption set with the necessary Azure Key Vault access policies. For more information, visit Azure built-in roles for Key Vault data plane operations.

    Task | Required Role
    --- | ---
    Create Azure Key Vault and key | Key Vault Contributor
    Create disk encryption set and assign Azure Key Vault key | Key Vault Administrator
    Assign Azure Key Vault access policies (GET, WRAP KEY, UNWRAP KEY) | Key Vault Crypto Service Encryption User
    (Optional) Assign user-assigned managed identity to Azure Key Vault and disk encryption set | Managed Identity Operator

  • An Azure Key Vault with the following configuration:

    • Resource access: Azure Virtual Machines for deployment
    • Purge protection: Enable purge protection
  • A disk encryption set with the encryption type set to Encryption at-rest with a customer-managed key.

  • EAH enabled on Azure when using Encryption at Host.

  • The Azure Key Vault must have the following access policies assigned to the disk encryption set that you want to use:

    • Key Management Operations: Get
    • Cryptographic Operations: Unwrap Key, Wrap Key

    If you have designated a user-assigned managed identity to the disk encryption set, assign the same access policies to the user-assigned managed identity in the Azure Key Vault.

Enable Disk Encryption

Use the following steps to enable disk encryption on a new cluster profile.

  1. Log in to Palette.

  2. Ensure you are in the correct project scope.

  3. From the left main menu, select Profiles, then Add Cluster Profile.

  4. Fill out the Basic Information for your cluster profile. Choose a cluster profile Type of Full or Infrastructure. Select Next.

  5. Choose Azure IaaS for your Infrastructure Provider and select Next.

  6. Choose your base OS pack and make any necessary modifications. Select Next layer when complete.

  7. Select Palette eXtended Kubernetes (PXK) as your Kubernetes pack.

  8. On the Configure Pack drawer, below Pack Details, select Values, and click the </> button to display the YAML editor. Make the appropriate modifications based on your encryption method.

     1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.

     2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

        cloud:
          azure:
            diskEncryptionSetID: ""

     3. Fill in the diskEncryptionSetID with the Resource ID URI of your disk encryption set.

        cloud:
          azure:
            diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"

        How to find the Resource ID URI of your disk encryption set

        1. Log in to the Azure Portal.

        2. Use the search bar to locate and select the Disk Encryption Sets resource.

        3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.

        4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the diskEncryptionSetID field in the Palette YAML editor.

  9. Make any other necessary changes and select Next.

  10. Add the remaining storage and networking layers to your cluster profile, making changes where necessary. If you selected Full for your cluster profile Type, you have the option to add add-on layers as well.

  11. Select Finish Configuration to save your cluster profile. For more information on creating cluster profiles, refer to our Create Cluster Profiles guide.

You can now create a new Azure IaaS cluster with disk encryption enabled using this cluster profile. Once the cluster is created, you can validate disk encryption enablement.

Validate

Follow these steps to confirm that encryption is enabled on your Azure VM disks.

  1. Log in to the Azure Portal.

  2. Use the search bar to locate and select the Disks resource.

  3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, <cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk and <cluster-name>-cp-36298-7gqb9_OSDisk).

  4. On the disk Overview page, select the Properties tab and scroll down to view the Encryption section. If you enabled EAH without a customer-managed key, ensure that the Encryption type shows Platform-managed key.

  5. If you configured CMK through a disk encryption set with SSE, check that the Encryption section shows Customer-managed key for Encryption type.

  6. Repeat steps 4 and 5 for each disk in your cluster.
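The portal checks above can also be scripted. The following Python is an added example, not part of the Palette documentation or product: it checks that a value has the Disk Encryption Set Resource ID shape before you paste it into diskEncryptionSetID, and audits the disks returned by az disk list --resource-group <rg> --output json against the disk encryption set you expect. It assumes the Azure Compute disk schema fields encryption.type and encryption.diskEncryptionSetId; the disk records below are constructed sample data.

```python
import json
import re

# Shape of a Disk Encryption Set resource ID, as pasted into diskEncryptionSetID.
# Azure resource IDs are case-insensitive, so matching and comparison ignore case.
DES_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Compute/diskEncryptionSets/[^/]+$",
    re.IGNORECASE,
)

# Azure disk encryption types that mean a customer-managed key (via a DES) is in use.
CMK_TYPES = {"EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys"}

def is_valid_des_id(des_id: str) -> bool:
    """Reject values that are not a DES resource ID (for example a Key Vault key URL)."""
    return DES_ID_RE.match(des_id) is not None

def audit_disks(disks_json: str, cluster_name: str, expected_des_id: str) -> dict:
    """Map each disk whose name starts with cluster_name (Palette prepends the cluster
    name to disk names) to "ok" or a reason it is not CMK-encrypted as expected."""
    report = {}
    for disk in json.loads(disks_json):
        name = disk["name"]
        if not name.startswith(cluster_name):
            continue  # the disk belongs to something else in the resource group
        enc = disk.get("encryption") or {}
        des_id = enc.get("diskEncryptionSetId") or ""
        if enc.get("type") not in CMK_TYPES:
            report[name] = f"not customer-managed: {enc.get('type')}"
        elif des_id.lower() != expected_des_id.lower():
            report[name] = f"unexpected disk encryption set: {des_id}"
        else:
            report[name] = "ok"
    return report

# Constructed sample resembling `az disk list` output; not real Azure data.
EXPECTED_DES = "/subscriptions/sub-id/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des1"
SAMPLE_DISKS = json.dumps([
    {"name": "demo-cp-36298-7gqb9_OSDisk",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": EXPECTED_DES.replace("resourceGroups", "resourcegroups")}},
    {"name": "demo-worker-pool-1-9d40-8rcx9_OSDisk",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "other-app-data-disk",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
])

if __name__ == "__main__":
    print(audit_disks(SAMPLE_DISKS, "demo", EXPECTED_DES))
```

A worker disk reported as "not customer-managed" after a profile update usually means the repave has not finished yet, so re-run the audit once the cluster is healthy.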

Active Cluster

Prerequisites

  • An Azure user account with the following roles to create the Azure Key Vault and disk encryption set with the necessary Azure Key Vault access policies. For more information, visit Azure built-in roles for Key Vault data plane operations.

    Task | Required Role
    --- | ---
    Create Azure Key Vault and key | Key Vault Contributor
    Create disk encryption set and assign Azure Key Vault key | Key Vault Administrator
    Assign Azure Key Vault access policies (GET, WRAP KEY, UNWRAP KEY) | Key Vault Crypto Service Encryption User
    (Optional) Assign user-assigned managed identity to Azure Key Vault and disk encryption set | Managed Identity Operator

  • An Azure Key Vault with the following configuration:

    • Resource access: Azure Virtual Machines for deployment
    • Purge protection: Enable purge protection
  • A disk encryption set with the encryption type set to Encryption at-rest with a customer-managed key.

  • EAH enabled on Azure when using Encryption at Host.

  • The Azure Key Vault must have the following access policies assigned to the disk encryption set that you want to use:

    • Key Management Operations: Get
    • Cryptographic Operations: Unwrap Key, Wrap Key

    If you have designated a user-assigned managed identity to the disk encryption set, assign the same access policies to the user-assigned managed identity in the Azure Key Vault.

Enable Disk Encryption

Use the following steps to enable disk encryption on an active cluster by modifying an existing cluster profile.

warning

Performing these steps will cause a full cluster repave.

  1. Log in to Palette.

  2. Ensure you are in the correct project scope.

  3. From the left main menu, select Profiles. Locate and select the cluster profile to edit.

  4. Expand the version drop-down menu next to the cluster profile name, and select Create new version.

  5. Enter a new semantic Version for the cluster profile. Select Confirm.

  6. Select the PXK layer to view the Edit Pack drawer.

  7. On the Edit Pack drawer, below Pack Details, select Values, and click the </> button to display the YAML editor. Make the appropriate modifications based on your encryption method.

     1. On the right side of the editor, expand the Presets drop-down menu, and select Enable Encryption Using Customer-Managed Key to use CMK with SSE.

     2. Scroll to the bottom of the YAML editor to view the additional configuration that was added.

        cloud:
          azure:
            diskEncryptionSetID: ""

     3. Fill in the diskEncryptionSetID with the Resource ID URI of your disk encryption set.

        cloud:
          azure:
            diskEncryptionSetID: "/subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Compute/diskEncryptionSets/diskEncryptionSet"

        How to find the Resource ID URI of your disk encryption set

        1. Log in to the Azure Portal.

        2. Use the search bar to locate and select the Disk Encryption Sets resource.

        3. On the Overview page, in the Essentials section, select JSON View to display the Resource ID for the disk encryption set.

        4. Select the Copy to clipboard icon for the Resource ID and paste the ID into the diskEncryptionSetID field in the Palette YAML editor.

  8. Make any other necessary changes and select Confirm updates > Save Changes.

  9. From the left main menu, select Clusters.

  10. Locate and select the cluster you want to update.

  11. On the Profile tab, expand the version drop-down menu, and under Infrastructure Layers, select the new version of your cluster profile that has disk encryption enabled.

  12. Review & Save your changes, then select Review changes in Editor. If no additional changes are needed, Update your cluster.

Your cluster will now update and a full cluster repave will occur. Wait until the update has completed before confirming that disk encryption is enabled.

Validate

Follow these steps to confirm that encryption is enabled on your Azure VM disks.

  1. Log in to the Azure Portal.

  2. Use the search bar to locate and select the Disks resource.

  3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, <cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk and <cluster-name>-cp-36298-7gqb9_OSDisk).

  4. On the disk Overview page, select the Properties tab and scroll down to view the Encryption section. If you enabled EAH without a customer-managed key, ensure that the Encryption type shows Platform-managed key.

  5. If you configured CMK through a disk encryption set with SSE, check that the Encryption section shows Customer-managed key for Encryption type.

  6. Repeat steps 4 and 5 for each disk in your cluster.

Disable Disk Encryption on an Active Cluster

Prerequisites

  • An Azure user account with access to view disks in your resource group where the cluster resources are created (for example, Reader role).

Disable Disk Encryption

Use the following steps to disable disk encryption on an active cluster by modifying an existing cluster profile. The process to disable disk encryption is the same regardless of the encryption method used.

warning

Performing these steps will cause a full cluster repave.

  1. Log in to Palette.

  2. Ensure you are in the correct project scope.

  3. From the left main menu, select Profiles. Locate and select the cluster profile to edit.

  4. Expand the version drop-down menu next to the cluster profile name, and select Create new version.

  5. Fill the Version field with a new version number.

  6. Click Confirm.

  7. Select the Kubernetes layer to view the Edit Pack drawer.

  8. In Values, click the </> button to show the YAML editor.

  9. On the right-hand side, click the Presets drop-down menu, and select the Disable Encryption Using Customer-Managed Key option.

  10. Click Confirm updates.

  11. Click Save Changes.

  12. From the left main menu, select Clusters.

  13. Find the cluster that you want to update and click on it.

  14. Click the Profile tab.

  15. Click the version drop-down menu in Infrastructure Layers and select the version that has disk encryption disabled.

  16. Click Review & Save, then click Review changes in Editor in the Changes Summary box.

  17. Review the changes and click Update.

Your cluster will now update and a full cluster repave will occur. Wait until the update has completed before confirming that disk encryption is disabled.

Validate

Follow these steps to validate the disablement of customer-managed key encryption on your Azure VM disks.

  1. Log in to the Azure Portal.

  2. Use the search bar to locate and select the Disks resource.

  3. Locate and select a disk in your cluster using the search filters provided. One way to locate the applicable disks is to search for the cluster name, as the cluster name is prepended to all relevant resources (for example, <cluster-name>-worker-pool-1-9d40-8rcx9_OSDisk and <cluster-name>-cp-36298-7gqb9_OSDisk).

  4. On the disk Overview page, select the Properties tab and scroll down to view the Encryption section. Ensure that the Encryption type shows Platform-managed key.

  5. Check that the Encryption section no longer shows Customer-managed key for Encryption type.

  6. Repeat steps 4 and 5 for each disk in your cluster.
