1
00:00:01,040 --> 00:00:02,120
In this demonstration,

2
00:00:02,120 --> 00:00:04,830
we're going to work entirely in Azure. We'll learn how to use

3
00:00:04,830 --> 00:00:09,150
Azure Disk Encryption to manage BitLocker Drive Encryption in

4
00:00:09,150 --> 00:00:14,040
the cloud rather than on-premises, which is what we did in the previous demo.

5
00:00:14,040 --> 00:00:15,740
I'm signed into the Azure portal.

6
00:00:15,740 --> 00:00:19,240
It doesn't matter which machine I'm on. I'm on my local domain

7
00:00:19,240 --> 00:00:23,340
controller, but as I said, it doesn't matter a bit. There are a few Azure

8
00:00:23,340 --> 00:00:26,440
resources that we need to understand a bit about here.

9
00:00:26,440 --> 00:00:28,740
Chiefly, we're going to start with Key Vault.

10
00:00:28,740 --> 00:00:32,480
This is the main Azure resource for storing your secrets.

11
00:00:32,480 --> 00:00:34,640
There are three types of secrets.

12
00:00:34,640 --> 00:00:37,020
There's Keys, which are encryption keys, and this is

13
00:00:37,020 --> 00:00:40,840
specifically what we want for our BitLocker use.

14
00:00:40,840 --> 00:00:44,720
There's also Secrets, and this is just secure string data. It could be a

15
00:00:44,720 --> 00:00:48,380
password or a connection string or something like that. And then we have

16
00:00:48,380 --> 00:00:51,490
Certificates. These are TLS/SSL certificates,

17
00:00:51,490 --> 00:00:56,240
identity certificates, whatever. Those are the three types of artifacts.

18
00:00:56,240 --> 00:01:01,540
Now Key Vault has been undergoing a sea change with regard to authorization.

19
00:01:01,540 --> 00:01:05,800
Notice that the permission model here can use either the access policy or

20
00:01:05,800 --> 00:01:08,170
Azure RBAC. I'm not going to get into the weeds here.
21
00:01:08,170 --> 00:01:11,610
We definitely need to understand Key Vault in great depth if you

22
00:01:11,610 --> 00:01:15,670
want to take AZ-500, the Azure Security Engineer certification

23
00:01:15,670 --> 00:01:18,030
exam. I don't think it's a concern here.

24
00:01:18,030 --> 00:01:21,720
The main thing that we need to do is make sure that our Access

25
00:01:21,720 --> 00:01:25,780
policies blade for our key vault has this option here turned on,

26
00:01:25,780 --> 00:01:30,120
Azure Disk Encryption for volume encryption. And that's going to

27
00:01:30,120 --> 00:01:36,540
allow your disk encryption set to store a BitLocker key here in the

28
00:01:36,540 --> 00:01:38,940
key store of the given key vault.

29
00:01:38,940 --> 00:01:45,140
So next, let's create a disk encryption set, or a DES as I sometimes call it.

30
00:01:45,140 --> 00:01:48,900
We'll click Create here in the portal, and I'm going to put it in my

31
00:01:48,900 --> 00:01:56,910
az801-rg, and I'm going to call this az801-des. Note that this is

32
00:01:56,910 --> 00:02:01,620
region-bound, and the Encryption type can use, let's see, Encryption

33
00:02:01,620 --> 00:02:06,100
at-rest with a customer-managed key as the default, Double encryption

34
00:02:06,100 --> 00:02:08,570
using both platform and customer keys.

35
00:02:08,570 --> 00:02:11,740
I'll just stay with the customer-managed key.

36
00:02:11,740 --> 00:02:12,270
And again,

37
00:02:12,270 --> 00:02:15,480
one of the nice value props of using Key Vault is native

38
00:02:15,480 --> 00:02:17,680
integration with other Azure services.

39
00:02:17,680 --> 00:02:22,790
So, we can easily just select my key vault, and then we can

40
00:02:22,790 --> 00:02:26,040
create or use an existing encryption key.

41
00:02:26,040 --> 00:02:31,210
I'm going to call this az801-des-key. I'll leave

42
00:02:31,210 --> 00:02:33,520
this at all the defaults right now.

43
00:02:33,520 --> 00:02:34,940
That's fine.
44
00:02:34,940 --> 00:02:37,400
And that's all we need for that.

45
00:02:37,400 --> 00:02:38,470
So as I explained,

46
00:02:38,470 --> 00:02:41,920
a disk encryption set is simply a channel, an

47
00:02:41,920 --> 00:02:47,340
authenticated channel, that allows Azure to fetch an

48
00:02:47,340 --> 00:02:50,940
encryption key securely from your key vault.

49
00:02:50,940 --> 00:02:54,600
And you'll see next when we enable Azure Disk Encryption on an Azure

50
00:02:54,600 --> 00:02:59,350
virtual machine that we will, again, use that DES, that disk encryption

51
00:02:59,350 --> 00:03:02,000
set, in order to complete that configuration.

52
00:03:02,000 --> 00:03:05,640
So speaking of which, let's head on over to Virtual machines.

53
00:03:05,640 --> 00:03:09,640
I have a Windows Server 2022 VM called win1.

54
00:03:09,640 --> 00:03:13,910
Now note that configuring Azure Disk Encryption requires that the VM is

55
00:03:13,910 --> 00:03:19,550
running. We saw on-prem that the BitLocker Drive Encryption wizard

56
00:03:19,550 --> 00:03:21,610
does its work while the machine is up.

57
00:03:21,610 --> 00:03:25,430
Same thing, if your VM is stopped and deallocated, you won't be

58
00:03:25,430 --> 00:03:29,340
able to turn on or use Azure Disk Encryption.

59
00:03:29,340 --> 00:03:34,170
Also again, I want to repeat that Azure Disk Encryption leaves the disk

60
00:03:34,170 --> 00:03:37,180
encrypted if we do an export. Let me explain what I mean.

61
00:03:37,180 --> 00:03:39,900
If I go here in the virtual machine properties, first

62
00:03:39,900 --> 00:03:41,740
let me make sure that it's running.

63
00:03:41,740 --> 00:03:42,940
Yes, it is.

64
00:03:42,940 --> 00:03:47,980
If I go to Disks, we can see that I have one and only one OS disk, and

65
00:03:47,980 --> 00:03:51,350
then I have a data disk as well on this virtual machine. That's fine.

66
00:03:51,350 --> 00:03:54,240
We can use BitLocker on both of them.
67
00:03:54,240 --> 00:03:57,780
If I were to want a copy of this C drive,

68
00:03:57,780 --> 00:04:02,690
I could do a disk export in which Azure creates what's called a shared access

69
00:04:02,690 --> 00:04:07,520
signature, or SAS, URL that expires after this timeout here.

70
00:04:07,520 --> 00:04:11,470
Now, that would mean that if we applied BitLocker, if we

71
00:04:11,470 --> 00:04:14,650
applied Azure Disk Encryption, we wouldn't be able to use the

72
00:04:14,650 --> 00:04:17,240
disk unless it was first unlocked.

73
00:04:17,240 --> 00:04:21,150
So yes, this is BitLocker. It is whole-volume,

74
00:04:21,150 --> 00:04:27,460
whole-disk encryption that travels with that underlying VHD, or virtual hard

75
00:04:27,460 --> 00:04:34,380
disk. Now, sometimes confused with ADE, there's also a related VM storage

76
00:04:34,380 --> 00:04:39,600
encryption technology in Azure called Storage Service Encryption, or SSE.

77
00:04:39,600 --> 00:04:45,290
And this is simply Microsoft's attestation that your VHDs are encrypted at

78
00:04:45,290 --> 00:04:48,040
rest in the Azure data center.

79
00:04:48,040 --> 00:04:52,720
So if you do not use Azure Disk Encryption, but do use this, in

80
00:04:52,720 --> 00:04:55,300
fact, you have to use Storage Service Encryption.

81
00:04:55,300 --> 00:04:59,550
Really, the only question is whether you're going to let Microsoft manage

82
00:04:59,550 --> 00:05:03,240
the encryption key or you're going to manage it yourself.

83
00:05:03,240 --> 00:05:08,250
But as I was saying, if you do not have ADE turned on and you did an export,

84
00:05:08,250 --> 00:05:10,540
those disks would be unencrypted.

85
00:05:10,540 --> 00:05:14,760
This option here, the Storage Service Encryption, is only when the

86
00:05:14,760 --> 00:05:19,070
VHD is at rest, that is when the virtual machine is stopped and

87
00:05:19,070 --> 00:05:22,740
deallocated in the Azure virtual machines.
88
00:05:22,740 --> 00:05:23,280
All right,

89
00:05:23,280 --> 00:05:27,750
so let's go back to the Disks blade. And to get to our Azure

90
00:05:27,750 --> 00:05:32,160
Disk Encryption option, we'll go to Additional settings, and we

91
00:05:32,160 --> 00:05:36,230
want what's called Encryption settings right down here. We

92
00:05:36,230 --> 00:05:42,310
specify the scope of encryption, which is either OS disk or OS and data disks.

93
00:05:42,310 --> 00:05:43,390
I'm going to do both.

94
00:05:43,390 --> 00:05:46,940
And then as I promised you, we have our Azure Key Vault.

95
00:05:46,940 --> 00:05:50,690
Now you might be wondering, Tim, well, what about this disk encryption

96
00:05:50,690 --> 00:05:53,820
set that you just were talking about and you just showed a moment ago?

97
00:05:53,820 --> 00:05:57,710
Hold on. I'm going to circle back to that, but let me finish my

98
00:05:57,710 --> 00:06:00,230
discussion here with Azure Disk Encryption.

99
00:06:00,230 --> 00:06:05,070
We can select our key vault, choose our key. And again,

100
00:06:05,070 --> 00:06:07,790
we're choosing a specific key here, aren't we?

101
00:06:07,790 --> 00:06:11,530
And then in Key Vault, your keys can actually be versioned

102
00:06:11,530 --> 00:06:16,190
and changed. Key Vault creates a hash for each one, and

103
00:06:16,190 --> 00:06:17,810
that's literally all there is to it.

104
00:06:17,810 --> 00:06:22,330
We click Save, and we're good to go. Now as it turns out, the disk

105
00:06:22,330 --> 00:06:27,240
encryption set is used with your at-rest disk encryption.

106
00:06:27,240 --> 00:06:28,890
So if I come back to win1,

107
00:06:28,890 --> 00:06:34,100
let me temporarily, you know, dump my changes, and let me quickly stop and

108
00:06:34,100 --> 00:06:39,040
deallocate this virtual machine. That will detach the disks.
109
00:06:39,040 --> 00:06:42,660
I want to go back to that Encryption blade so I can formally

110
00:06:42,660 --> 00:06:46,320
show you where the disk encryption set fits in.

111
00:06:46,320 --> 00:06:48,980
Okay, successfully stopped the virtual machine.

112
00:06:48,980 --> 00:06:54,530
So let's go back to Disks, and let me choose that OsDisk now. And this time,

113
00:06:54,530 --> 00:06:59,910
let me go to Encryption. By default, Microsoft takes care of the server-side

114
00:06:59,910 --> 00:07:03,320
encryption when the VHDs are in the data center.

115
00:07:03,320 --> 00:07:08,410
However, note that we can do an encryption at rest with the customer-managed key.

116
00:07:08,410 --> 00:07:13,360
It is this case in which you choose your disk encryption set, and that would

117
00:07:13,360 --> 00:07:20,940
be this at rest when the VHD is not in use in the Azure data center. Notice

118
00:07:20,940 --> 00:07:30,000
that I can select my az801-des disk encryption set, click Save, and we're good to go.