
Whilst daydreaming at my desk this morning, something occurred to me and I have not been able to find an answer as of yet. So I am hoping someone may shine some light for me, or just have a good discussion about it.

Let me set the scene. Recently, I started to play around with disk encryption using the Azure Portal and the Key Vault service that they offer. It made a lot more sense than the older method using AD Applications. So I created my new key vault in the resource group, created a key inside of this and set the cryptographic operations as I saw fit. I then put together a script, ran it through the Azure PowerShell CLI and after a few minutes my disks on the VM (MS Server 2012r2) were encrypted. So I did this for the rest of my test environment just to check it really did work. No first time fluke here!

Then it occurred to me: when/if the key expires, what happens next? Now obviously in the test environment I don't really care; I can pull everything down if that was to happen. However, as I talk to customers who have production environments and often ask about the security of machines running in Azure, I would like to know how easy it is to refresh these keys. Many people I speak to have set policies regarding key cycling, so they do not want a key that won't expire for another 200 years. Their security would not entertain the idea for a second.

Does anyone know what the best method of updating the keys is? My original thought (which surely can't be it) was to un-encrypt the disk before expiry, and then re-run the script but with a brand new generated key to encrypt once more. This seems like such a long way of going about this, but maybe it is the only way?

Has anyone else had the same thought, or had to implement a key refresh using Azure Key Vault?

DGray94
  • These would likely be the same sort of "security" people that would think you need to recycle your laptop every 90 days because the TPM chip keys don't rotate. – Jim B Dec 06 '18 at 13:15
  • More than likely! However, if they have those policies, you've just got to play the game and do what you can within them. – DGray94 Dec 06 '18 at 14:11

1 Answer


So, I had a chat with a couple of guys over at Azure regarding this.

It was agreed that the best way to go about updating encrypted disks before their keys expire is the following:

  • Un-encrypt the disk using the key it was encrypted with (before it expires of course)
  • Import/Generate a new Key in the key vault
  • Re-run the encryption script, using the new key
  • Delete the key from the vault

It is a little longer a process than I was hoping, but using the Azure PowerShell CLI does speed things up in terms of actually un-encrypting and encrypting the disks again.

DGray94
  • I'm surprised this is the answer. Why can't the new certificate be added, and the old one removed? Usually in systems like this, the key that actually encrypts the data is not the certificate. Instead, the certificate encrypts the key, and the encrypted key is stored with the data. This is roughly how BitLocker works, and that's why a single volume can have a password, TPM, and recovery key: they each independently encrypt the actual key. Adding a new method just requires using one of the existing methods to decrypt the key, and then encrypting with the new method. – longneck Dec 13 '18 at 18:03
  • I was hoping it would be a case of being able to use a script that updates key X to key Z, for example. It seems not: if the keys need recycling then you must generate/import the new key and follow the same process as setting up initially. – DGray94 Dec 14 '18 at 14:35
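The four-step rotation described in the answer above, written out as a single Azure PowerShell script. This is an added example and not code from the question, the answer, or Microsoft; it assumes the Az module (Az.Compute and Az.KeyVault) is installed and Connect-AzAccount has already been run, and the resource group, VM, vault and key names are placeholders to replace. The one thing it adds to the answer's bullet list is the ordering check a practitioner would want: the VM is polled until it reports NotEncrypted before the new key is created, and polled again until it reports Encrypted under the new key before the old key is removed, so the old key is never deleted while any disk still depends on it.

```powershell
# Added example (not from the original question or answer): rotate the
# Azure Disk Encryption key-encryption key (KEK) of one Windows VM by
# following the answer's four steps with the Az PowerShell module.
# Assumptions: Az.Compute and Az.KeyVault are installed, Connect-AzAccount
# has been run, and all names below are placeholders.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$ResourceGroup = 'rg-placeholder'
$VmName        = 'vm-placeholder'
$VaultName     = 'kv-placeholder'
$OldKeyName    = 'ade-kek-old'                     # key the disks are encrypted with today
$NewKeyName    = 'ade-kek-' + (Get-Date -Format 'yyyyMMdd')
$KeyLifetime   = 365                               # days; match the customer's rotation policy

# Poll the VM until its OS volume reports the expected encryption state.
function Wait-DiskEncryptionState {
    param([string]$Expected, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
        if ($status.OsVolumeEncrypted -eq $Expected) { return $status }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "VM $VmName did not reach OS volume state '$Expected' within $TimeoutMinutes minutes"
}

# Step 1: un-encrypt with the existing key (while it is still valid) and wait
# until the VM really reports NotEncrypted before touching the vault.
Disable-AzVMDiskEncryption -ResourceGroupName $ResourceGroup -VMName $VmName -VolumeType All -Force
Wait-DiskEncryptionState -Expected 'NotEncrypted' | Out-Null

# Step 2: generate the replacement KEK with an expiry that matches policy.
$newKey = Add-AzKeyVaultKey -VaultName $VaultName -Name $NewKeyName -Destination Software `
          -KeyType RSA -Size 2048 -Expires (Get-Date).AddDays($KeyLifetime)
$vault  = Get-AzKeyVault -VaultName $VaultName

# Step 3: re-run the encryption, pointing the extension at the new key.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $newKey.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType All -Force
$final = Wait-DiskEncryptionState -Expected 'Encrypted'

# Step 4: retire the old key only after the VM is confirmed encrypted under the
# new one. With soft-delete enabled on the vault the old key stays recoverable
# for the retention period, which covers a mistaken deletion.
Remove-AzKeyVaultKey -VaultName $VaultName -Name $OldKeyName -Force
Write-Output "Rotation complete: OS volume $($final.OsVolumeEncrypted), data volumes $($final.DataVolumesEncrypted)"
```

Run it once per VM from an account that has the Compute and Key Vault permissions the original encryption script needed; the two polling loops are what make it safe to run unattended, since both Disable-AzVMDiskEncryption and Set-AzVMDiskEncryptionExtension return before the guest has finished decrypting or encrypting.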