Disk Encryption
Azure disk encryption is facilitated through VM extensions:
- `Microsoft.Azure.Security.AzureDiskEncryption` encrypts Windows volumes using BitLocker.
- `Microsoft.Azure.Security.AzureDiskEncryptionForLinux` encrypts Linux volumes using `dm-crypt`.
Both extensions obtain the specified KEK from a key vault, then create a new secret (the Wrapped BEK) that must be decrypted with the KEK in order to obtain the passphrase for the volume. This additional layer of wrapping ensures that the key cannot be easily compromised in transit. To identify which keys are provisioned for which volumes, the agent sets the following tags on each secret:
- `MachineName` contains the name of the VM.
- `DiskEncryptionKeyEncryptionUrl` contains the complete URI of the KEK specified during provisioning (`KeyEncryptionKeyURL` in the extension settings).
- `DiskEncryptionKeyFileName` contains the name of the key file on the BEK disk (see below).
- `DiskEncryptionKeyEncryptionAlgorithm` contains the encryption algorithm used to encrypt the passphrase (`KeyEncryptionAlgorithm` in the extension settings).
Once disk encryption has been enabled on a VM, an additional disk containing the keys is attached at boot time. On Windows systems it takes the first available drive letter (`D:` or later); on Linux systems it is mounted at `/mnt/azure_bek_disk`.
Recovering encrypted disks from a different machine
The steps for accessing the contents of an encrypted container are the same as with ordinary `dm-crypt` containers. Because the passphrase is encrypted with a KEK, we must first unwrap the BEK:
- Find the name and version of the KEK for the disk you're recovering.
- Perform an `unwrapKey` operation against the hosting key vault:
  a. `alg` should always be `"RSA-OAEP"` for Azure-created disk encryption keys.
  b. `value` should be the value of the disk's secret.
- Take the returned value and try to base64 decode it. To avoid leaking secrets, do this offline. In Python: `import base64; base64.urlsafe_b64decode(b"<the result>")`.
- If you see a `binascii.Error` exception about padding, append an equals sign (`=`) to the result and retry -- it seems the values are incorrectly formatted. The amount of padding required varies between one and two characters.
- Once you have a result, continue to open the volume with the dm-crypt or BitLocker recovery processes.
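The two offline-checkable parts of that procedure, building the `unwrapKey` request from the KEK URL tag and decoding the under-padded result, as an added Python example that is not from the original page. The vault URL layout, the `api-version` value and the sample values are assumptions, not data from the page.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

# Constructed sample values (not real Azure identifiers) used to exercise the helpers.
SAMPLE_KEK_URL = "https://example-vault.vault.azure.net/keys/disk-kek/0123456789abcdef0123456789abcdef"
SAMPLE_WRAPPED_BEK = "AAAA"  # stand-in for the Wrapped BEK secret's value


def build_unwrap_request(kek_url: str, wrapped_value: str, api_version: str = "7.4"):
    """Build the URL and JSON body for a Key Vault unwrapKey call against the KEK.

    kek_url is the DiskEncryptionKeyEncryptionUrl tag value; api_version is an
    assumed Key Vault REST API version. alg is fixed to RSA-OAEP as the page states.
    """
    parts = urlsplit(kek_url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[0] != "keys":
        raise ValueError("KEK URL must look like https://<vault>/keys/<name>/<version>")
    url = f"https://{parts.netloc}/{'/'.join(segments)}/unwrapkey?api-version={api_version}"
    body = json.dumps({"alg": "RSA-OAEP", "value": wrapped_value})
    return url, body


def decode_unwrapped_bek(value: str) -> tuple:
    """Base64url-decode the plaintext returned by unwrapKey.

    The returned values appear to lack base64 padding, so the decode is retried
    with one and then two '=' characters appended, as the procedure above does.
    Returns (passphrase_bytes, padding_characters_added).
    """
    raw = value.strip().encode("ascii")
    last_error = None
    for pad in range(3):  # 0, 1 or 2 padding characters
        try:
            return base64.urlsafe_b64decode(raw + b"=" * pad), pad
        except binascii.Error as exc:
            last_error = exc
    raise ValueError(f"unwrapped value is not valid base64url: {last_error}")


if __name__ == "__main__":
    url, body = build_unwrap_request(SAMPLE_KEK_URL, SAMPLE_WRAPPED_BEK)
    print("POST", url, body)
    # "cGFzc3dvcmQ" is base64url("password") with its padding stripped.
    passphrase, added = decode_unwrapped_bek("cGFzc3dvcmQ")
    print(passphrase, "needed", added, "padding character(s)")
```

The request still has to be sent with a bearer token that has the `unwrapKey` permission on the vault; the decoded bytes are the volume passphrase and should be handled with the same care as the key file on the BEK disk.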