Azure Storage and Disk Encryption Deep Dive

Рет қаралды 30,107

Күн бұрын

Пікірлер: 91

@honeychook 11 ай бұрын

This is some really high quality content! It has been hard to find out WHY we need a DES instead of just connecting to the key vault. It kind of makes sense now to have that middle layer between the disks.

@joebrady9829 7 ай бұрын

Your videos are some of the best tech videos I've ever seen (and I've been a professional dev for 10 years), keep up the great work! It's also remarkable you never say "um" or "uh" or repeat yourself, concise and to the point

@NTFAQGuy 7 ай бұрын

That’s very kind. Pretty sure I do “um” sometimes :)

@anshulfreedom 2 жыл бұрын

Only video which has clear the doubt between ADE & SSE

@iamdedlok 3 жыл бұрын

Awesome coverage of encryption of storage John! Thanks! Cleared up a few confusions! Salut!

@AmitSingh-mr3cd 6 ай бұрын

Thank you so much for this insightful video. The topics were explained thoroughly and in detail, which helped to resolve many of the questions I had. Your clear presentation has greatly enhanced my understanding on this cluttered topic ..

@oliviermalfroidt6405 3 жыл бұрын

Again, your presentation is so valuable. Thx John.

@NTFAQGuy 3 жыл бұрын

I appreciate that!

@iamdedlok 3 жыл бұрын

I am back to this video after 3 weeks again! Gem of content! Wanted to check the difference between Disk Encryption Set (DES) vs ADE .. and voila John has already explained this. Legend! Basically, I am trying to import into Terraform an Azure Windows VM created from VHD. Unfortunately, the azurerm_windows_virtual_machine resource doesn't allow importing a VM resource with existing attached managed os disk. We have to use the legacy azurerm_virtual_machine resource but then this doesn't support DES . So have to fallback to using ADE using extensions for this scenario . Cheers John!

@ZlatkaMitrevska Жыл бұрын

Great content.. I'm pretty new with all Azure stuff and couldn't understand a lot of things from just reading it.. This is it! Very helpful and descriptive, just the right way to understand it. And not just this topic, all of your videos are awesome :) Keep rocking!

@PrashantSharma-ql4yb 2 жыл бұрын

This is priceless content. Thank you for creating this!

@randomguy-w8k 3 жыл бұрын

This is really nice and professionally explained . I ve been digging on encryption and found this very useful and through .

@idrisfl 3 жыл бұрын

Nice video (like always) John!

@NTFAQGuy 3 жыл бұрын

Thank you!

@sccfranb 2 жыл бұрын

I'm really a fan of your T-shirts, John, they're the best!

@joshuaeuceda4635 3 жыл бұрын

Well done John! It helped clarify some ambiguity around storage encryption,Thank you!

@NTFAQGuy 3 жыл бұрын

Very welcome!

@christianibiri 3 жыл бұрын

Awesome! your videos are the best of the best :)

@last-life 2 ай бұрын

You know what's cooler than double encryption - Triple encryption!

@sveinungchr 3 жыл бұрын

Thank you for your great videos. Did my az-104 today and passed. Your videos really helped. Have 303 and 304 planed for the next weeks

@NTFAQGuy 3 жыл бұрын

Congrats! Nice job.

@insights3005 3 жыл бұрын

very high quality presentation

@NTFAQGuy 3 жыл бұрын

Thank you

@pokmnhyu 3 жыл бұрын

Great Video john !

@giani.t 2 жыл бұрын

Thanks a lot, very useful video and very well explained!

@yulaw3289 7 ай бұрын

enjoying this video for today learning, thanks a lot!

@NTFAQGuy 7 ай бұрын

Happy to hear that!

@renatobertolaccini3242 3 жыл бұрын

Thank you, Savill. I was wondering how the relationship between KEK and DEK works. Azure uses the KEK to encrypt the DEK and as a result of this encryption (the hash), I use that hash to finally encrypt the data? (symmetrically)

@NTFAQGuy 3 жыл бұрын

I did discuss that in the video. Hope it helps

@fredpo620 Жыл бұрын

You are the best ! Thanks for this great content!! Subscribed!

@NTFAQGuy Жыл бұрын

Thanks for the sub!

@yasserparvez2258 3 жыл бұрын

Awesome John!

@ernestbrant3125 3 жыл бұрын

Great Video John :)

@NTFAQGuy 3 жыл бұрын

Thanks!

@hsmssouza 2 жыл бұрын

Very good content!!

@johnscott2555 2 жыл бұрын

Excellent job!!

@NTFAQGuy 2 жыл бұрын

Thank you!

@techcloudshaikh9533 Жыл бұрын

Thanks for sharing this

@kennyyu7340 2 жыл бұрын

Great Video!

@ragulansivabalakrishnan3262 2 жыл бұрын

Great explanation John as ever. Does "encryption at host" mitigate someone downloading a data VHD from the Azure subscription and attaching on another VM to extract the data? ADE mitigates against this as you will need the key as well to extract the data?

@NTFAQGuy 2 жыл бұрын

@gauravsharma8220 3 жыл бұрын

great once again

@NTFAQGuy 3 жыл бұрын

Thank you

@salmikhan 3 жыл бұрын

thanks, john. just recently cleared my az 900. your videos are so underrated. should have been more views and followers. wondering what do you recommend should I go for az 104 or should I get any paid course to prepare for it. and also how much study is required to pass az104.

@NTFAQGuy 3 жыл бұрын

Congrats. Amount of study varies by person so don’t really have recommendation there, sorry.

@kristurk1 3 жыл бұрын

Really interesting John. Do you think a move to disk encryption sets and host based encryption will also see a move to Gen2 VM's?

@NTFAQGuy 3 жыл бұрын

I think over time especially when all vm sizes are supported and gen2 already has some features gen1 does not. Definitely removing ADE removes a block to gen2

@vak21 3 жыл бұрын

Hi John. Thanks for the excellent explanation. May I ask something that's been on my head for a long time? I couldn't find documents on it. Under the BYOK approach, I understand that the DEK (Data encryption keys) are fully managed my Azure. I understand that they are automatically rotated by Azure. How often are they rotated? (I understand there is not a single DEK, but multiple of them. Therefore each one with different life cycle and rotation). Thanks a lot!!!

@minuted3400 3 жыл бұрын

Brilliant, many thanks.

@NTFAQGuy 3 жыл бұрын

Glad you enjoyed it

@swiftmind9700 3 жыл бұрын

Great video! I am confused with key rotation. For a situation where a container has a scoped key with customer-managed key, set to automation rotation, does existing blobs stored with the older key version need to be re-encrypted with the new key version? I understand the auto rotation will pick up the new key version for any new blobs being written. I am just wondering about existing/older blobs.

@NTFAQGuy 3 жыл бұрын

Blobs are not actually encrypted with the key as I talked about in the video. Existing are also covered by the rotation

@swiftmind9700 3 жыл бұрын

@@NTFAQGuy Excellent. Thank you for the fast reply! That detail went past me completely. Now I understand.

@bahrammaleki411 3 жыл бұрын

Great stuff, again :)

@NTFAQGuy 3 жыл бұрын

Thanks

@dylanhughes5630 3 жыл бұрын

@john - why would you not do double encryption then? I assume there is no extra charge so should that not just be the default setup?

@NTFAQGuy 3 жыл бұрын

regulatory reasons or just want to be extra sure in case one level was compromised. Encryption has some performance impact so generally you will do it if you need it but not otherwise but either way its not really anything significant.

@giovannidesantis6089 3 жыл бұрын

Hi John! Many thanks as always for your videos. By far, the best Azure training materials on the Internet! This is the first time that I write a comment, since I would have a doubt about the DEKs and KEKs. Surfing the Microsoft documentation, I have always read that the DEK is always present and is Microsoft-managed, while the KEK can be added and can be either customer-managed or customer-provided. Which is a little bit different from what you have said, that is the KEK is always present and can be Microsoft-mananged, customer-managed or customer-provided. Am I completely wrong or is there a typo in your video? Many thanks again John!

@NTFAQGuy 3 жыл бұрын

No kek is always present. It’s just whether the dek is Microsoft managed or customer. You always have to protect the dek and all that changes is where the kek is.

@giovannidesantis6089 3 жыл бұрын

@@NTFAQGuy Many thanks John :)

@robannmateja5000 3 жыл бұрын

Very good video! The floppy tale was told with such a straight face, too! Nice t-shirt; do you have any for sale? :)

@NTFAQGuy 3 жыл бұрын

I don’t remember where I got that shirt. I have a few t shirts in the KZbin store for channel where all profit goes to cure childhood cancer if any of those are interesting :)

@robannmateja5000 3 жыл бұрын

@@NTFAQGuy , I was sort of kidding about the shirt, the subject being about the floppy diskette, but I would love to contribute to the childhood cancer cause.. do you have a URL you can share where I can buy a shirt to help? I'm not familiar with the youtube store. Thanks!

@NTFAQGuy 3 жыл бұрын

@@robannmateja5000 haha, got you. johns-t-shirts-store.creator-spring.com/ is the little t-shirt store. Any support for the charity would be great. Take care.

@robannmateja5000 3 жыл бұрын

@@NTFAQGuy , awesome... I just ordered a few!

@NTFAQGuy 3 жыл бұрын

@@robannmateja5000 Thank you for supporting cure childhood cancer!

@DeusWolf 3 жыл бұрын

Hello John, thanks for another great video. I was under the impression that another benefit of ADE would be preventing someone who'd compromised a privileged Azure account from being able to exfiltrate a disk image and read the contents. Is my understanding of that incorrect? Would the replacement technologies you've mentioned here(Disk Encryption Sets, Host Side Encryption) supplement that element of security? Infrastructure encryption protects me from an Azure employee, or someone who'd breached the physical datacenter, from reading my data but it doesn't prevent an authorized user to that disk from misusing it.

@NTFAQGuy 3 жыл бұрын

If you exfiltrated the azure account then you have same access to the key vault as with des. I don’t see it as different. I could be missing something.

@DeusWolf 3 жыл бұрын

@@NTFAQGuy In an enterprise setting, it wouldn't be unusual for someone to have contributor rights to the RG that contains the OS disk, but not have any permissions to the KeyVault. If their account were compromised and ADE was NOT implemented, the attacker would be able to download the disk(via Disk Export in Portal or programmatically) and read it's contents. If ADE is implemented, and the compromised user doesn't have GET permissions to the KeyVault, the disk can be downloaded but it's contents are encrypted via BitLocker and useless. In fact, because the KeyVault setup for disk encryption isn't handled using an access policy, no one needs to have permissions to that KeyVault(you can create one if/when someone does). As long as the KeyVault is in the same region and subscription, and has the Disk Encryption toggle, it can be used for ADE. You might even have someone in a _Support role that does have management plane access to Azure, and disks, but shouldn't have permissions to read the contents of those disks, ADE would likely be the correct tool in that circumstance as well.

@NTFAQGuy 3 жыл бұрын

@@DeusWolf I’m with you now, yes, makes sense. Would have to really consider though if the account was compromised could attacked them use extensions etc to get at the data in place. Things like restricting network etc may be key for exfiltration.

@dips31089 3 жыл бұрын

@@DeusWolf Valid point in favor of ADE. For the support personnel, maybe have a custom role that restricts the export of VHD?

@methewolf 3 жыл бұрын

Excellent Video, I do have a question, still nobody could answer that: How can I Encrypt MS Stream videos? I fond that these videos are kept in its own service on top of Azure. Can I encrypt any way. My customer needs to encrypt it.

@NTFAQGuy 3 жыл бұрын

i don't know anything about that service, sorry. I would research its security options. It likely is encrypted anyway and maybe has a CMK option. Its documentation would tell you.

@Satjag 3 жыл бұрын

This is encryption at storage or disk level. In case of multi tenancy architecture- If there is a need for application level or Database encryption- How to achieve it- can it be tenant id specific - assuming its 1 physical DB

@NTFAQGuy 3 жыл бұрын

PaaS Databases use their own encryption technologies. Likewise an app typically would not rely on storage alone if multi-tenant. Different options depending on exact technology but you would not rely on the storage account if shared files.

@tilikumtim5562 3 жыл бұрын

Am I right in saying you can't do file level restores with an encrypted disk? Would you have to restore the entire disk and attach it to a vm?

@NTFAQGuy 3 жыл бұрын

There are different ways to backup a VM, inside and outside. That will impact what and how you can restore.

@tilikumtim5562 3 жыл бұрын

@@NTFAQGuy Yes, sorry I should have said using Azure Backup.

@NTFAQGuy 3 жыл бұрын

@@tilikumtim5562 So if you use ADE then yes there are limits to what backup can do because its encrypted inside. If its disk level (not ADE) then that does not apply.

@tilikumtim5562 3 жыл бұрын

@@NTFAQGuy Thanks, appreciate the reply.