Azure disk encryption is facilitated through VM extensions:
`Microsoft.Azure.Security.AzureDiskEncryption` encrypts Windows volumes using BitLocker.
`Microsoft.Azure.Security.AzureDiskEncryptionForLinux` encrypts Linux volumes using `dm-crypt`.
Both extensions obtain the specified KEK from a key vault, then create a new secret (the wrapped BEK) that must be decrypted with the KEK in order to obtain the passphrase for the volume. This additional layer of wrapping ensures that the key cannot be easily compromised in transit. To identify which keys are provisioned for which volumes, the agent sets the following tags on each secret:
`MachineName` contains the name of the VM.
`DiskEncryptionKeyEncryptionUrl` contains the complete URI of the KEK specified during provisioning (`KeyEncryptionKeyURL` in the extension settings).
`DiskEncryptionKeyFileName` contains the name of the key file on the BEK disk (see below).
`DiskEncryptionKeyEncryptionAlgorithm` contains the encryption algorithm used to encrypt the passphrase (`KeyEncryptionAlgorithm` in the extension settings).
Once disk encryption has been enabled on a VM, an additional disk containing the keys will be attached to the VM at boot time. For Windows systems this will assume the first available drive letter (`D:` or later). On Linux systems it'll be mounted at
Recovering encrypted disks from a different machine
The steps for accessing the contents of an encrypted container are the same as with ordinary dm-crypt containers. Because the passphrase is wrapped with a KEK, we must first derive the BEK:
- Find the name and version of the KEK for the disk you're recovering.
- Perform an `unwrapKey` operation against the hosting key vault.
  a. `alg` should always be `"RSA-OAEP"` for Azure-created disk encryption keys.
  b. `value` should be the value of the disk's secret.
- Take the generated value and try to base64 decode it. To avoid leaking secrets, do this offline. To do this with Python: `import base64; base64.urlsafe_b64decode(b"<the result>")`.
- If you see a `binascii.Error` exception about padding, append an equals sign (`=`) to the result and retry -- it seems the values are incorrectly formatted. The amount of padding required varies between one and two characters.
- Once you have a result, continue to open the volume with dm-crypt or BitLocker recovery processes.
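As an added example (not code from the original page), the decode-and-retry step above as a small Python function. It uses a constructed sample value in place of a real unwrapped BEK and runs offline; it retries with `=` appended at most twice, since a third failure can only mean the value itself is corrupt.

```python
import base64
import binascii

# Constructed sample: what an unwrapKey result for an Azure Disk Encryption
# secret looks like once its trailing "=" padding has gone missing.
# This is NOT a real BEK; the passphrase bytes are made up for the example.
SAMPLE_PASSPHRASE = b"constructed-volume-passphrase-not-a-real-bek"
SAMPLE_UNPADDED = (
    base64.urlsafe_b64encode(SAMPLE_PASSPHRASE).rstrip(b"=").decode("ascii")
)


def decode_unwrapped_bek(value: str) -> bytes:
    """Base64url-decode the unwrapped BEK returned by Key Vault.

    The values seen on these secrets are often missing one or two trailing
    "=" characters, so a plain urlsafe_b64decode raises binascii.Error
    ("Incorrect padding"). Retry with "=" appended, at most twice: a valid
    base64 string never needs three pad characters, so a third failure
    means the input is not base64 at all.
    """
    candidate = value.strip()
    for _ in range(3):  # as given, then with "=", then with "=="
        try:
            return base64.urlsafe_b64decode(candidate.encode("ascii"))
        except binascii.Error:
            candidate += "="
    raise ValueError("value is not valid base64url even after re-padding")


if __name__ == "__main__":
    bek = decode_unwrapped_bek(SAMPLE_UNPADDED)
    # Report only the length; never print the recovered passphrase itself.
    print(f"recovered a {len(bek)}-byte volume passphrase")
```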