1
00:00:01,040 --> 00:00:02,060
In this demonstration,

2
00:00:02,060 --> 00:00:05,170
we're going to continue the journey we began on troubleshooting

3
00:00:05,170 --> 00:00:07,900
Azure VMs starting in the previous module.

4
00:00:07,900 --> 00:00:11,840
So continuing to now, let's jump right back into the thick of things.

5
00:00:11,840 --> 00:00:12,630
As you can see,

6
00:00:12,630 --> 00:00:17,370
I was investigating my monitorvm virtual machine running in Azure. This is a

7
00:00:17,370 --> 00:00:21,640
Windows Server 2022 box that's in a workgroup configuration.

8
00:00:21,640 --> 00:00:26,110
Let's start by looking at disk encryption and just some of the things to

9
00:00:26,110 --> 00:00:30,490
keep in mind with that. Let's go over to Disks, for example, and we can see

10
00:00:30,490 --> 00:00:34,440
our one and only one OS or operating system disk.

11
00:00:34,440 --> 00:00:36,560
We have 0 data disks.

12
00:00:36,560 --> 00:00:41,150
Now let me ask you this: what property of an Azure virtual

13
00:00:41,150 --> 00:00:45,520
machine determines how many data disks that VM can have in Azure,

14
00:00:45,520 --> 00:00:48,070
you know? It's actually the VM size.

15
00:00:48,070 --> 00:00:51,740
The VM size, if we jump over there for a second, in

16
00:00:51,740 --> 00:00:54,000
addition to the virtual hardware,

17
00:00:54,000 --> 00:00:58,290
the CPU and RAM, notice that there is a maximum number of data disks as well.

18
00:00:58,290 --> 00:01:01,810
Okay. So here we are, one and only one OS. This

19
00:01:01,810 --> 00:01:04,300
particular VM doesn't have any data disks.

20
00:01:04,300 --> 00:01:06,470
Now, there are two types of encryption.

21
00:01:06,470 --> 00:01:08,460
So when you're troubleshooting this, first of all,

22
00:01:08,460 --> 00:01:11,090
you need to know what kind of encryption we are talking

23
00:01:11,090 --> 00:01:15,390
about with the VM disks. Now here, if we look at this OS disk,

24
00:01:15,390 --> 00:01:19,440
it says Encryption SSE with PMK. What does that mean?

25
00:01:19,440 --> 00:01:23,660
SSE stands for shared service encryption, or server-side

26
00:01:23,660 --> 00:01:27,000
encryption. It has a few acronym meanings.

27
00:01:27,000 --> 00:01:30,870
This is the at-rest encryption that Microsoft provides in the Azure

28
00:01:30,870 --> 00:01:35,170
datacenter. PMK stands for platform-managed key.

29
00:01:35,170 --> 00:01:38,480
Now, in troubleshooting, you might realize that due to compliance

30
00:01:38,480 --> 00:01:41,440
requirements, you have to have a customer-managed key.

31
00:01:41,440 --> 00:01:44,590
How do you do that? Well, let's click into the OS disk,

32
00:01:44,590 --> 00:01:47,640
and here we come down to Encryption.

33
00:01:47,640 --> 00:01:51,970
Remember I mentioned that for one of the two disk encryption types, you have to

34
00:01:51,970 --> 00:01:55,650
have the VM stopped and deallocated in order to do it.

35
00:01:55,650 --> 00:01:57,870
That's what this is talking about here.

36
00:01:57,870 --> 00:02:01,640
So if we stop and deallocate this virtual machine,

37
00:02:01,640 --> 00:02:05,310
this drop-down list becomes active, and we can change it to

38
00:02:05,310 --> 00:02:07,760
encryption at rest with a customer-managed key.

39
00:02:07,760 --> 00:02:11,570
Let's see if I can show you this with my other virtual machine that is

40
00:02:11,570 --> 00:02:15,840
stopped and deallocated. On this one, let's go over to Disks,

41
00:02:15,840 --> 00:02:17,430
go to the OS disk,

42
00:02:17,430 --> 00:02:22,520
let's go to Encryption, and on this one I'm already using a customer-managed key.

43
00:02:22,520 --> 00:02:25,650
But what I want you to see is that when you do a

44
00:02:25,650 --> 00:02:28,740
customer-managed key for your Azure VMs,

45
00:02:28,740 --> 00:02:31,880
you need to create what's called a disk encryption set.

46
00:02:31,880 --> 00:02:36,040
So if I come up here and type disk encryption,

47
00:02:36,040 --> 00:02:41,730
a DES, or a disk encryption set, is an Azure resource that simply maps

48
00:02:41,730 --> 00:02:45,060
to an encryption key that's stored in your key vault.

49
00:02:45,060 --> 00:02:54,000
All right? And so the disk encryption set provides a way for you to apply RBAC permissions on that encryption key.
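As an added example that is not part of the course or its transcript: the same change the video makes in the portal (create the Key Vault key and the disk encryption set, grant the DES identity access to the key, deallocate the VM, switch the OS disk from SSE with PMK to SSE with CMK), scripted with the Azure CLI so the steps can be reviewed before they are applied. Every resource name, the key URL and the OS disk name are constructed placeholders, and the az commands are assumed to run against an existing resource group.

```shell
#!/bin/sh
# Added example, not from the course: move an Azure VM's OS disk from SSE with
# a platform-managed key (PMK) to SSE with a customer-managed key (CMK) held in
# Key Vault, through a disk encryption set (DES). Every name below is a
# constructed placeholder. DRY_RUN=1 (default) prints the az commands instead
# of running them; the disk update only succeeds while the VM is deallocated.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Key Vault with purge protection (a DES refuses vaults without it) and
#    the CMK. Access-policy model so set-policy works below; on an RBAC-model
#    vault, assign "Key Vault Crypto Service Encryption User" to the DES instead.
create_cmk() {                       # args: rg location vault key
  run az keyvault create -g "$1" -l "$2" -n "$3" \
      --enable-purge-protection true --enable-rbac-authorization false
  run az keyvault key create --vault-name "$3" -n "$4" --protection software
}

# 2. The DES maps to the vault key; its system-assigned identity is what needs
#    get/wrap/unwrap on that key, which is the permission step the video means.
create_des() {                       # args: rg location vault key_url des
  run az disk-encryption-set create -g "$1" -l "$2" -n "$5" \
      --source-vault "$3" --key-url "$4"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "principal=\$(az disk-encryption-set show -g $1 -n $5 --query identity.principalId -o tsv)"
  else
    principal=$(az disk-encryption-set show -g "$1" -n "$5" --query identity.principalId -o tsv)
  fi
  run az keyvault set-policy -n "$3" --object-id "${principal:-\$principal}" \
      --key-permissions get wrapkey unwrapkey
}

# 3. Stop and deallocate, switch the OS disk's encryption type, then start.
switch_os_disk_to_cmk() {            # args: rg vm os_disk des
  run az vm deallocate -g "$1" -n "$2"
  run az disk update -g "$1" -n "$3" --disk-encryption-set "$4" \
      --encryption-type EncryptionAtRestWithCustomerKey
  run az vm start -g "$1" -n "$2"
}

# Constructed values. The versioned key URL comes from:
#   az keyvault key show --vault-name kv-monitorvm -n vm-disk-cmk --query key.kid -o tsv
KEY_URL="https://kv-monitorvm.vault.azure.net/keys/vm-disk-cmk/KEY-VERSION-PLACEHOLDER"
create_cmk rg-monitor eastus kv-monitorvm vm-disk-cmk
create_des rg-monitor eastus kv-monitorvm "$KEY_URL" des-monitorvm
switch_os_disk_to_cmk rg-monitor monitorvm monitorvm_OsDisk_1 des-monitorvm
```

Run with DRY_RUN=0 after checking the printed plan; the `az disk update` step fails with a conflict if the VM is still running, which is the same stopped-and-deallocated requirement the video points out.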