Azure Storage and Disk Encryption Deep Dive
Vložit
- čas přidán 23. 07. 2024
- In this video I dive into the encryption options for Azure Storage and disks in Azure including customer managed key, disk encryption sets, encryption scope, infrastructure encryption, host-based encryption and more!
00:00 Introduction
00:10 John talking gibberish
00:30 Azure Storage account encryption
02:25 How data is encrypted
04:20 Customer managed key
07:40 Double encryption
10:50 Encryption scopes
15:25 Disk introduction
16:38 Default disk encryption
17:25 CMK with disk encryption sets
21:28 Azure Disk Encryption inside the OS
25:30 ADE and DES don't mix
26:55 Host-based encryption
33:00 Key rotation
33:43 Close - Věda a technologie
Your videos are some of the best tech videos I've ever seen (and I've been a professional dev for 10 years), keep up the great work! It's also remarkable you never say "um" or "uh" or repeat yourself, concise and to the point
That’s very kind. Pretty sure I do “um” sometimes :)
Thank you so much for this insightful video. The topics were explained thoroughly and in detail, which helped to resolve many of the questions I had. Your clear presentation has greatly enhanced my understanding on this cluttered topic ..
Awesome coverage of encryption of storage John! Thanks! Cleared up a few confusions! Salut!
This is really nice and professionally explained . I ve been digging on encryption and found this very useful and through .
Again, your presentation is so valuable. Thx John.
I appreciate that!
This is priceless content. Thank you for creating this!
Great content.. I'm pretty new with all Azure stuff and couldn't understand a lot of things from just reading it.. This is it!
Very helpful and descriptive, just the right way to understand it. And not just this topic, all of your videos are awesome :)
Keep rocking!
I am back to this video after 3 weeks again! Gem of content! Wanted to check the difference between Disk Encryption Set (DES) vs ADE .. and voila John has already explained this. Legend! Basically, I am trying to import into Terraform an Azure Windows VM created from VHD. Unfortunately, the azurerm_windows_virtual_machine resource doesn't allow importing a VM resource with existing attached managed os disk. We have to use the legacy azurerm_virtual_machine resource but then this doesn't support DES . So have to fallback to using ADE using extensions for this scenario . Cheers John!
This is some really high quality content! It has been hard to find out WHY we need a DES instead of just connecting to the key vault. It kind of makes sense now to have that middle layer between the disks.
Well done John! It helped clarify some ambiguity around storage encryption,Thank you!
Very welcome!
Awesome! your videos are the best of the best :)
Only video which has clear the doubt between ADE & SSE
Thanks a lot, very useful video and very well explained!
Nice video (like always) John!
Thank you!
I'm really a fan of your T-shirts, John, they're the best!
You are the best ! Thanks for this great content!! Subscribed!
Thanks for the sub!
enjoying this video for today learning, thanks a lot!
Happy to hear that!
Great Video!
Great Video john !
very high quality presentation
Thank you
Thank you for your great videos. Did my az-104 today and passed. Your videos really helped. Have 303 and 304 planed for the next weeks
Congrats! Nice job.
Very good content!!
Thanks for sharing this
Awesome John!
great once again
Thank you
Hi John. Thanks for the excellent explanation. May I ask something that's been on my head for a long time? I couldn't find documents on it.
Under the BYOK approach, I understand that the DEK (Data encryption keys) are fully managed my Azure. I understand that they are automatically rotated by Azure. How often are they rotated? (I understand there is not a single DEK, but multiple of them. Therefore each one with different life cycle and rotation).
Thanks a lot!!!
Excellent job!!
Thank you!
Great stuff, again :)
Thanks
Great Video John :)
Thanks!
Brilliant, many thanks.
Glad you enjoyed it
thanks, john. just recently cleared my az 900. your videos are so underrated. should have been more views and followers. wondering what do you recommend should I go for az 104 or should I get any paid course to prepare for it. and also how much study is required to pass az104.
Congrats. Amount of study varies by person so don’t really have recommendation there, sorry.
Hi John!
Many thanks as always for your videos. By far, the best Azure training materials on the Internet!
This is the first time that I write a comment, since I would have a doubt about the DEKs and KEKs.
Surfing the Microsoft documentation, I have always read that the DEK is always present and is Microsoft-managed, while the KEK can be added and can be either customer-managed or customer-provided. Which is a little bit different from what you have said, that is the KEK is always present and can be Microsoft-mananged, customer-managed or customer-provided.
Am I completely wrong or is there a typo in your video?
Many thanks again John!
No kek is always present. It’s just whether the dek is Microsoft managed or customer. You always have to protect the dek and all that changes is where the kek is.
@@NTFAQGuy Many thanks John :)
Thank you, Savill. I was wondering how the relationship between KEK and DEK works. Azure uses the KEK to encrypt the DEK and as a result of this encryption (the hash), I use that hash to finally encrypt the data? (symmetrically)
I did discuss that in the video. Hope it helps
Great explanation John as ever. Does "encryption at host" mitigate someone downloading a data VHD from the Azure subscription and attaching on another VM to extract the data? ADE mitigates against this as you will need the key as well to extract the data?
No
Really interesting John. Do you think a move to disk encryption sets and host based encryption will also see a move to Gen2 VM's?
I think over time especially when all vm sizes are supported and gen2 already has some features gen1 does not. Definitely removing ADE removes a block to gen2
Great video! I am confused with key rotation. For a situation where a container has a scoped key with customer-managed key, set to automation rotation, does existing blobs stored with the older key version need to be re-encrypted with the new key version? I understand the auto rotation will pick up the new key version for any new blobs being written. I am just wondering about existing/older blobs.
Blobs are not actually encrypted with the key as I talked about in the video. Existing are also covered by the rotation
@@NTFAQGuy Excellent. Thank you for the fast reply! That detail went past me completely. Now I understand.
Excellent Video, I do have a question, still nobody could answer that: How can I Encrypt MS Stream videos? I fond that these videos are kept in its own service on top of Azure. Can I encrypt any way. My customer needs to encrypt it.
i don't know anything about that service, sorry. I would research its security options. It likely is encrypted anyway and maybe has a CMK option. Its documentation would tell you.
@john - why would you not do double encryption then? I assume there is no extra charge so should that not just be the default setup?
regulatory reasons or just want to be extra sure in case one level was compromised. Encryption has some performance impact so generally you will do it if you need it but not otherwise but either way its not really anything significant.
Hello John, thanks for another great video. I was under the impression that another benefit of ADE would be preventing someone who'd compromised a privileged Azure account from being able to exfiltrate a disk image and read the contents. Is my understanding of that incorrect? Would the replacement technologies you've mentioned here(Disk Encryption Sets, Host Side Encryption) supplement that element of security? Infrastructure encryption protects me from an Azure employee, or someone who'd breached the physical datacenter, from reading my data but it doesn't prevent an authorized user to that disk from misusing it.
If you exfiltrated the azure account then you have same access to the key vault as with des. I don’t see it as different. I could be missing something.
@@NTFAQGuy In an enterprise setting, it wouldn't be unusual for someone to have contributor rights to the RG that contains the OS disk, but not have any permissions to the KeyVault. If their account were compromised and ADE was NOT implemented, the attacker would be able to download the disk(via Disk Export in Portal or programmatically) and read it's contents. If ADE is implemented, and the compromised user doesn't have GET permissions to the KeyVault, the disk can be downloaded but it's contents are encrypted via BitLocker and useless. In fact, because the KeyVault setup for disk encryption isn't handled using an access policy, no one needs to have permissions to that KeyVault(you can create one if/when someone does). As long as the KeyVault is in the same region and subscription, and has the Disk Encryption toggle, it can be used for ADE. You might even have someone in a _Support role that does have management plane access to Azure, and disks, but shouldn't have permissions to read the contents of those disks, ADE would likely be the correct tool in that circumstance as well.
@@DeusWolf I’m with you now, yes, makes sense. Would have to really consider though if the account was compromised could attacked them use extensions etc to get at the data in place. Things like restricting network etc may be key for exfiltration.
@@DeusWolf Valid point in favor of ADE. For the support personnel, maybe have a custom role that restricts the export of VHD?
This is encryption at storage or disk level. In case of multi tenancy architecture- If there is a need for application level or Database encryption- How to achieve it- can it be tenant id specific - assuming its 1 physical DB
PaaS Databases use their own encryption technologies. Likewise an app typically would not rely on storage alone if multi-tenant. Different options depending on exact technology but you would not rely on the storage account if shared files.
Very good video! The floppy tale was told with such a straight face, too! Nice t-shirt; do you have any for sale? :)
I don’t remember where I got that shirt. I have a few t shirts in the CZcams store for channel where all profit goes to cure childhood cancer if any of those are interesting :)
@@NTFAQGuy , I was sort of kidding about the shirt, the subject being about the floppy diskette, but I would love to contribute to the childhood cancer cause.. do you have a URL you can share where I can buy a shirt to help? I'm not familiar with the youtube store. Thanks!
@@robannmateja5000 haha, got you. johns-t-shirts-store.creator-spring.com/ is the little t-shirt store. Any support for the charity would be great. Take care.
@@NTFAQGuy , awesome... I just ordered a few!
@@robannmateja5000 Thank you for supporting cure childhood cancer!
Am I right in saying you can't do file level restores with an encrypted disk? Would you have to restore the entire disk and attach it to a vm?
There are different ways to backup a VM, inside and outside. That will impact what and how you can restore.
@@NTFAQGuy Yes, sorry I should have said using Azure Backup.
@@tilikumtim5562 So if you use ADE then yes there are limits to what backup can do because its encrypted inside. If its disk level (not ADE) then that does not apply.
@@NTFAQGuy Thanks, appreciate the reply.
How did you learn azure so we'll?
Just time.
Jooohnnn how the hell do you know all this information !!!! :)
Lol
I am too young to understand floopy disks :(
Booooooo show off :)
Patreon?
No. This site is just a hobby. Don't want to make any money from it. Why I have all adverts turned off. 🤙
Great Video John :)
Thanks!