WEBVTT

00:00:02.080 --> 00:00:07.860
In this video, we're going to take a look at Azure Disk Encryption.

00:00:07.860 --> 00:00:11.560
We're really going to cover two primary topics.

00:00:11.560 --> 00:00:15.600
We're going to take a look at what disk encryption is in the big picture,

00:00:15.600 --> 00:00:21.640
and I'm going to go through a demonstration of how you can encrypt an

00:00:21.640 --> 00:00:24.440
existing virtual hard drive.

00:00:24.440 --> 00:00:28.620
Now, in terms of disk encryption, the first thing that you want to understand

00:00:28.620 --> 00:00:32.420
is why you would use disk encryption.

00:00:32.420 --> 00:00:39.960
Big picture, disk encryption is about, well, encrypting your VHDs at rest.

00:00:39.960 --> 00:00:45.400
This is about protecting your assets in the case of some physical breach,

00:00:45.400 --> 00:00:48.560
where somebody could actually get hold of your VHD files.

00:00:48.560 --> 00:00:53.720
Now, that's highly unlikely, but this does give you a layer of security,

00:00:53.720 --> 00:00:55.240
a layer of protection to deal with that.

00:00:55.240 --> 00:00:58.420
Let's talk about some of the scenarios, some of the things that you can

00:00:58.420 --> 00:01:00.340
do with disk encryption.

00:01:00.340 --> 00:01:05.360
First of all, you can encrypt both new and existing Azure VMs.

00:01:05.360 --> 00:01:09.440
In other words, if I already have an Azure VM, I can encrypt that, or I

00:01:09.440 --> 00:01:13.700
can encrypt it during the provisioning process.

00:01:13.700 --> 00:01:18.120
I can also use existing encrypted VHDs.

00:01:18.120 --> 00:01:23.260
If I am, for example, migrating an on-prem, highly secure on-prem environment

00:01:23.260 --> 00:01:28.260
where I'm already using BitLocker, for example, to encrypt my VHDs, I

00:01:28.260 --> 00:01:32.080
can do that into Azure as well.

00:01:32.080 --> 00:01:36.580
I can encrypt entire Windows-based virtual machine scale sets.

00:01:36.580 --> 00:01:42.200
For Linux virtual machines, I can encrypt the data drives, excuse me,

00:01:42.200 --> 00:01:45.220
for Linux virtual machine scale sets; standard Linux virtual machines

00:01:45.220 --> 00:01:51.660
are fine. I can disable encryption on Windows VMs altogether.

00:01:51.660 --> 00:01:56.260
I can disable encryption on the data drives for Linux VMs.

00:01:56.260 --> 00:02:02.880
I can disable encryption on virtual machine scale sets, and I can disable

00:02:02.880 --> 00:02:08.120
encryption on the data drives for Linux virtual machine scale sets.

00:02:08.120 --> 00:02:13.700
I can also modify encryption settings, and I can back up and also restore

00:02:13.700 --> 00:02:19.560
encrypted virtual machine scale sets, or virtual machines.

00:02:19.560 --> 00:02:26.300
Now, what are some of the big picture things with Azure Disk Encryption?

00:02:26.300 --> 00:02:31.340
First of all, you want to understand your prerequisites.

00:02:31.340 --> 00:02:35.580
You have to use a supported OS, which are going to be any of the Windows

00:02:35.580 --> 00:02:40.080
OSes that are available within Azure out of the marketplace.

00:02:40.080 --> 00:02:46.460
You also need to make sure that it is a supported Linux OS, Linux distribution,

00:02:46.460 --> 00:02:48.080
of course, of an OS.

00:02:48.080 --> 00:02:53.760
Also, networking: your virtual machine needs to be able to connect to

00:02:53.760 --> 00:02:55.520
endpoints within Azure.

00:02:55.520 --> 00:02:59.800
Now, it's likely that's going to be the case, but you need to verify that,

00:02:59.800 --> 00:03:02.540
and this, of course, is well documented.

00:03:02.540 --> 00:03:05.620
You need to be able to connect, as you can see, to Azure AD.

00:03:05.620 --> 00:03:09.320
You need to be able to connect to the key vault. When I say you, your virtual

00:03:09.320 --> 00:03:12.840
machine or virtual machine scale set needs to be able to connect to a

00:03:12.840 --> 00:03:17.640
key vault, because that is where the encryption key is actually stored.

00:03:17.640 --> 00:03:23.940
There is also an extension that makes the disk encryption possible, that

00:03:23.940 --> 00:03:28.160
makes it coordinate with the Azure environment, and your virtual machine

00:03:28.160 --> 00:03:31.800
needs to be able to access that extension.

00:03:31.800 --> 00:03:34.980
It should be the case that your virtual machine should be able to do all

00:03:34.980 --> 00:03:40.160
of that, but again, you just need to be aware of that and double-check.

00:03:40.160 --> 00:03:42.840
Also, Windows requirements.

00:03:42.840 --> 00:03:46.640
If you have GPOs, you need to make sure that Windows is going to permit

00:03:46.640 --> 00:03:50.420
BitLocker. Your GPOs are going to permit that.

00:03:50.420 --> 00:03:54.780
On the Linux side, you have to make sure there's at least seven gigabytes

00:03:54.780 --> 00:04:03.020
of RAM, that you're using the VFAT allocation approach, and that your fstab

00:04:03.020 --> 00:04:08.720
configuration is correct for the disks that are going to be encrypted.

00:04:08.720 --> 00:04:14.880
Now, all of this is documented at a detailed level within docs.microsoft.com.

00:04:14.880 --> 00:04:20.300
Now, in addition to this, you need a key vault.

00:04:20.300 --> 00:04:26.360
The key vault, if you're not familiar with it, is a secure storage component

00:04:26.360 --> 00:04:28.380
or resource within Azure.

00:04:28.380 --> 00:04:29.500
It has different tiers.

00:04:29.500 --> 00:04:35.700
At the highest tier, you can actually use your dedicated HSM, hardware

00:04:35.700 --> 00:04:41.440
security module, to handle the encryption and storage of encrypted data.

00:04:41.440 --> 00:04:47.600
But in general, it is a highly encrypted, a highly secured, and an audited

00:04:47.600 --> 00:04:52.140
storage facility for very sensitive data, and since the encryption key

00:04:52.140 --> 00:04:56.620
of your VHDs is very sensitive, it would be stored in the key vault.

00:04:56.620 --> 00:05:00.740
And again, if you think about the purpose of encrypting the VHD, if somebody

00:05:00.740 --> 00:05:08.520
gets your VHD file itself somehow, unless they can also get into a key

00:05:08.520 --> 00:05:10.840
vault, which is separate, they're not going to be able to do anything

00:05:10.840 --> 00:05:15.260
with it. Now, as far as key vault itself, there are some requirements.

00:05:15.260 --> 00:05:19.060
First of all, it has to be in the same region as the VM.

00:05:19.060 --> 00:05:22.280
And that's because Microsoft doesn't want the keys being transmitted,

00:05:22.280 --> 00:05:25.720
frankly, any farther than they need to be.

00:05:25.720 --> 00:05:30.140
There's also an advanced access policy that needs to be set, and I'm going

00:05:30.140 --> 00:05:32.040
to show that to you.

00:05:32.040 --> 00:05:36.660
Finally, you may want to use a key encryption key.

00:05:36.660 --> 00:05:41.020
The encryption key that is used for the actual disk encryption is going

00:05:41.020 --> 00:05:43.680
to be a symmetric encryption key.

00:05:43.680 --> 00:05:48.240
If you want to protect that with another layer of protection, then you

00:05:48.240 --> 00:05:51.880
can use a key encryption key.

00:05:51.880 --> 00:05:58.260
Now, as far as encrypting your VHDs, there are three options.

00:05:58.260 --> 00:06:04.080
You can encrypt a VHD via PowerShell, you can encrypt a VHD via the CLI.

00:06:04.080 --> 00:06:08.120
You can also encrypt a VHD via an ARM template.

00:06:08.120 --> 00:06:14.080
Notice that you cannot currently use the portal to encrypt your VHDs, to

00:06:14.080 --> 00:06:14.860
encrypt your VMs.

00:06:14.860 --> 00:06:18.240
Now, I say encrypt your VHD; here we're saying Azure Disk Encryption

00:06:18.240 --> 00:06:23.200
in VM. Obviously, if you're encrypting the storage for an Azure VM, you

00:06:23.200 --> 00:06:25.800
are, in fact, encrypting a VHD.

00:06:25.800 --> 00:06:31.040
So I use that possibly a bit more interchangeably than it should be used.

00:06:31.040 --> 00:06:35.580
Now, what I would like to do is I would like to actually demonstrate the

00:06:35.580 --> 00:06:39.540
process of encrypting your virtual machine.

00:06:39.540 --> 00:06:42.420
I have a virtual machine and I have a key vault.

00:06:42.420 --> 00:06:44.400
And I'm going to show you the key vault and some of the settings for that,

00:06:44.400 --> 00:06:46.380
and I'll show you the virtual machine as well.

00:06:46.380 --> 00:06:50.520
And then I'll go through the process of configuring both a key encryption

00:06:50.520 --> 00:06:55.660
key and also encrypting the VHD itself.

00:06:55.660 --> 00:06:58.260
Let's go ahead and take a look at this.

00:06:58.260 --> 00:07:00.780
I'm going to start out.

00:07:00.780 --> 00:07:03.540
I have a key vault.

00:07:03.540 --> 00:07:04.880
I've created a key vault.

00:07:04.880 --> 00:07:10.220
The specifics of the key vault are not all that critical.

00:07:10.220 --> 00:07:14.100
What is very critical is the access policy.

00:07:14.100 --> 00:07:19.840
There are obviously many things important with key vault, but for our purposes,

00:07:19.840 --> 00:07:25.200
for the disk encryption, there is a setting under access policies that

00:07:25.200 --> 00:07:31.360
you need to turn on in order to be able to use a key vault with disk encryption.

00:07:31.360 --> 00:07:36.500
And that's found under the advanced access policies of the key vault.

00:07:36.500 --> 00:07:39.320
And it is the last of those three options.

00:07:39.320 --> 00:07:43.020
There are three options: enable access to Azure virtual machines for deployment,

00:07:43.020 --> 00:07:49.020
enable access to ARM for template deployment, and enable access to Azure

00:07:49.020 --> 00:07:50.040
Disk Encryption.

00:07:50.040 --> 00:07:54.020
Obviously, we're more worried about the last one, but given the fact that

00:07:54.020 --> 00:07:57.620
I use this key vault for a number of things, I have all three of those

00:07:57.620 --> 00:07:58.880
options turned on.

00:07:58.880 --> 00:08:03.820
Now, I'm going to switch over to PowerShell.

00:08:03.820 --> 00:08:10.900
Let's start out with this PowerShell script by going and just setting

00:08:10.900 --> 00:08:13.320
a few variables first.

00:08:13.320 --> 00:08:16.000
I've got some names: the name of my key vault,

00:08:16.000 --> 00:08:20.520
I've got the encryption key name that I want to use, the name of the resource

00:08:20.520 --> 00:08:24.460
group. And then I retrieve data for the key vault itself.

00:08:24.460 --> 00:08:28.080
I return the key vault, I return the resource ID of the key vault, and

00:08:28.080 --> 00:08:36.040
also the disk encryption key of the URL, excuse me, of the key vault.

00:08:36.040 --> 00:08:40.220
Now what I'm going to do is I'm going to go ahead and add a key vault

00:08:40.220 --> 00:08:44.840
key.
So I'm going to specify the vault name, the name of the key encryption

00:08:44.840 --> 00:08:51.000
key that I want to use, which is right up there, disk encryption KEK.

00:08:51.000 --> 00:08:55.400
And the destination, put in software, and then I'm going to return the

00:08:55.400 --> 00:09:04.960
URL of that key encryption key.

00:09:04.960 --> 00:09:14.380
All right, now let's take a look; that should have created a key for me.

00:09:14.380 --> 00:09:16.920
And there we go.

00:09:16.920 --> 00:09:22.540
There's my disk encryption key that was added to my key vault.

00:09:22.540 --> 00:09:28.960
Next, what I'm going to do is pop over, and I'm going to rerun most of

00:09:28.960 --> 00:09:31.200
what I'd run up here again.

00:09:31.200 --> 00:09:38.660
Just make sure that I get this correct.

00:09:38.660 --> 00:09:41.260
All right, so I've got just some variables.

00:09:41.260 --> 00:09:44.960
And in the end I come down and retrieve once again the key encryption

00:09:44.960 --> 00:09:53.020
key. This, of course, all is coming from docs.microsoft.com, because not

00:09:53.020 --> 00:09:55.800
that I couldn't have created all of this, but it was just a lot easier

00:09:55.800 --> 00:09:57.960
to let Microsoft do it for me.

00:09:57.960 --> 00:10:04.040
And finally, what I'm going to do now is I am going to encrypt the disk.

00:10:04.040 --> 00:10:09.700
Now in order to encrypt the disk, I'm actually going to use a VM extension.

00:10:09.700 --> 00:10:14.000
And this VM extension is, you can see, the disk encryption extension.

00:10:14.000 --> 00:10:21.240
That's why your VM has to have access to the storage location of the Azure

00:10:21.240 --> 00:10:25.400
VM extensions. That shouldn't be any problem.

00:10:25.400 --> 00:10:27.420
And we're going to go ahead and run that.

00:10:27.420 --> 00:10:31.340
And this cmdlet prepares the VM and enables encryption, which may reboot

00:10:31.340 --> 00:10:33.800
the machine and takes 10 to 15 minutes.

00:10:33.800 --> 00:10:38.640
I'm not going to make you wait for 10 to 15 minutes for the end of this.

00:10:38.640 --> 00:10:41.840
We're going to go ahead and carry forward, because at the end it's just

00:10:41.840 --> 00:10:44.680
going to tell you that the disk is in fact encrypted.

00:10:44.680 --> 00:10:46.360
And that's not terribly exciting.

00:10:46.360 --> 00:10:47.900
It's just the end of this process.

00:10:47.900 --> 00:10:52.480
So rather than make you wait for that, let's go ahead and just finish

00:10:52.480 --> 00:10:55.060
out the topic itself.

00:10:55.060 --> 00:10:59.260
So what are some of our key takeaways?

00:10:59.260 --> 00:11:04.480
First of all, consider your disk encryption options.

00:11:04.480 --> 00:11:09.580
The storage. Now, I didn't mention this before, so it's not just takeaways,

00:11:09.580 --> 00:11:10.840
it's a little bit new.

00:11:10.840 --> 00:11:15.640
There are differences in the way the disks are encrypted, whether you

00:11:15.640 --> 00:11:21.300
are storing your disks in a storage account as unmanaged disks or if you

00:11:21.300 --> 00:11:24.700
are storing them as primary resources as managed disks, which is generally

00:11:24.700 --> 00:11:26.620
the recommendation.

00:11:26.620 --> 00:11:31.180
The demonstration that I just completed is using managed disks.

00:11:31.180 --> 00:11:35.140
With unmanaged disks, technically it's actually a little bit easier, because

00:11:35.140 --> 00:11:39.920
if you put your disks into a storage account, that storage account, by

00:11:39.920 --> 00:11:40.300
definition, as you can see, the data

00:11:40.300 --> 00:11:42.060
in it by definition is already encrypted.

00:11:42.060 --> 00:11:45.880
Now you could add disk encryption on top of that, but that would just

00:11:45.880 --> 00:11:49.400
be layering possibly more than you actually need.

00:11:49.400 --> 00:11:55.400
Also, the OS disk is going to be encrypted depending on whether it is

00:11:55.400 --> 00:12:03.260
a Windows VM or a Linux VM using, of course, different technologies.

00:12:03.260 --> 00:12:07.280
For Windows, it's going to be BitLocker, and for Linux, it's going to be

00:12:07.280 --> 00:12:13.440
dm-crypt. And of course, you have to have a Linux distro that will support

00:12:13.440 --> 00:12:18.920
dm-crypt. Now, in addition to that, you want to think about the managed

00:12:18.920 --> 00:12:20.740
disk encryption.

00:12:20.740 --> 00:12:25.580
What are the prerequisites? Remember, in particular on the Windows side,

00:12:25.580 --> 00:12:30.460
you need to make sure that you allow BitLocker within your OS.

00:12:30.460 --> 00:12:36.400
And also, on the Linux side, there are the FAT requirements as well

00:12:36.400 --> 00:12:44.440
as additional fstab settings that are required, all very well documented.

00:12:44.440 --> 00:12:48.080
You also need to make sure that, from a networking standpoint, your

00:12:48.080 --> 00:12:53.960
VM can get to all of the assets internal to Azure itself that are required.

00:12:53.960 --> 00:12:57.420
And then also, think about the process.

00:12:57.420 --> 00:12:58.420
What are you going to do?

00:12:58.420 --> 00:13:02.200
You're going to set up a key vault.

00:13:02.200 --> 00:13:06.100
You have the option of using a key encrypting key.

00:13:06.100 --> 00:13:11.860
And then you are going to use that to encrypt a virtual machine.

00:13:11.860 --> 00:13:14.860
The actual process of encrypting the virtual machine, even though there

00:13:14.860 --> 00:13:18.160
were many lines that we saw in the demonstration, is really a single call

00:13:18.160 --> 00:13:21.420
to encrypt the VHDs for a virtual machine.