Azure Storage and Disk Encryption Deep Dive

Views: 27,355

John Savill's Technical Training

1 day ago

In this video I dive into the encryption options for Azure Storage and disks in Azure including customer managed key, disk encryption sets, encryption scope, infrastructure encryption, host-based encryption and more!
00:00 Introduction
00:10 John talking gibberish
00:30 Azure Storage account encryption
02:25 How data is encrypted
04:20 Customer managed key
07:40 Double encryption
10:50 Encryption scopes
15:25 Disk introduction
16:38 Default disk encryption
17:25 CMK with disk encryption sets
21:28 Azure Disk Encryption inside the OS
25:30 ADE and DES don't mix
26:55 Host-based encryption
33:00 Key rotation
33:43 Close

Comments: 89
@joebrady9829 23 days ago
Your videos are some of the best tech videos I've ever seen (and I've been a professional dev for 10 years), keep up the great work! It's also remarkable you never say "um" or "uh" or repeat yourself, concise and to the point
@NTFAQGuy 23 days ago
That's very kind. Pretty sure I do "um" sometimes :)
@honeychook 4 months ago
This is some really high quality content! It has been hard to find out WHY we need a DES instead of just connecting to the key vault. It kind of makes sense now to have that middle layer between the disks.
@iamdedlok 3 years ago
I am back to this video after 3 weeks again! Gem of content! Wanted to check the difference between Disk Encryption Set (DES) vs ADE .. and voila John has already explained this. Legend! Basically, I am trying to import into Terraform an Azure Windows VM created from VHD. Unfortunately, the azurerm_windows_virtual_machine resource doesn't allow importing a VM resource with an existing attached managed OS disk. We have to use the legacy azurerm_virtual_machine resource but then this doesn't support DES. So I have to fall back to using ADE using extensions for this scenario. Cheers John!
@iamdedlok 3 years ago
Awesome coverage of encryption of storage John! Thanks! Cleared up a few confusions! Salut!
@alikhalighi 2 years ago
This is really nice and professionally explained. I've been digging into encryption and found this very useful and thorough.
@ZlatkaMitrevska 1 year ago
Great content.. I'm pretty new with all Azure stuff and couldn't understand a lot of things from just reading it.. This is it! Very helpful and descriptive, just the right way to understand it. And not just this topic, all of your videos are awesome :) Keep rocking!
@PrashantSharma-ql4yb 1 year ago
This is priceless content. Thank you for creating this!
@oliviermalfroidt6405 3 years ago
Again, your presentation is so valuable. Thx John.
@NTFAQGuy 3 years ago
I appreciate that!
@christianibiri 3 years ago
Awesome! your videos are the best of the best :)
@joshuaeuceda4635 2 years ago
Well done John! It helped clarify some ambiguity around storage encryption, thank you!
@NTFAQGuy 2 years ago
Very welcome!
@idrisfl 3 years ago
Nice video (like always) John!
@NTFAQGuy 3 years ago
Thank you!
@vak21 3 years ago
Hi John. Thanks for the excellent explanation. May I ask something that's been on my head for a long time? I couldn't find documents on it. Under the BYOK approach, I understand that the DEKs (data encryption keys) are fully managed by Azure. I understand that they are automatically rotated by Azure. How often are they rotated? (I understand there is not a single DEK, but multiple of them. Therefore each one with a different life cycle and rotation.) Thanks a lot!!!
@anshulfreedom 2 years ago
Only video which has cleared the doubt between ADE & SSE
@gianit7185 2 years ago
Thanks a lot, very useful video and very well explained!
@sccfranciscobustos197 2 years ago
I'm really a fan of your T-shirts, John, they're the best!
@sveinungchr 3 years ago
Thank you for your great videos. Did my AZ-104 today and passed. Your videos really helped. Have 303 and 304 planned for the next weeks
@NTFAQGuy 3 years ago
Congrats! Nice job.
@insights3005 3 years ago
very high quality presentation
@NTFAQGuy 3 years ago
Thank you
@fredpo620 1 year ago
You are the best ! Thanks for this great content!! Subscribed!
@NTFAQGuy 1 year ago
Thanks for the sub!
@yulaw3289 1 month ago
enjoying this video for today learning, thanks a lot!
@NTFAQGuy 1 month ago
Happy to hear that!
@techcloudshaikh9533 1 year ago
Thanks for sharing this
@salmikhan 3 years ago
Thanks, John. Just recently cleared my AZ-900. Your videos are so underrated, should have had more views and followers. Wondering what you recommend: should I go for AZ-104 or should I get a paid course to prepare for it? And also how much study is required to pass AZ-104?
@NTFAQGuy 3 years ago
Congrats. Amount of study varies by person so don’t really have recommendation there, sorry.
@giovannidesantis6089 3 years ago
Hi John! Many thanks as always for your videos. By far, the best Azure training materials on the Internet! This is the first time that I write a comment, since I would have a doubt about the DEKs and KEKs. Surfing the Microsoft documentation, I have always read that the DEK is always present and is Microsoft-managed, while the KEK can be added and can be either customer-managed or customer-provided. Which is a little bit different from what you have said, that is the KEK is always present and can be Microsoft-managed, customer-managed or customer-provided. Am I completely wrong or is there a typo in your video? Many thanks again John!
@NTFAQGuy 3 years ago
No, KEK is always present. It's just whether the DEK is Microsoft managed or customer. You always have to protect the DEK and all that changes is where the KEK is.
@giovannidesantis6089 3 years ago
@NTFAQGuy Many thanks John :)
@pokmnhyu 2 years ago
Great video John!
@renatobertolaccini3242 2 years ago
Thank you, Savill. I was wondering how the relationship between KEK and DEK works. Azure uses the KEK to encrypt the DEK and as a result of this encryption (the hash), I use that hash to finally encrypt the data? (symmetrically)
@NTFAQGuy 2 years ago
I did discuss that in the video. Hope it helps
@minuted3400 3 years ago
Brilliant, many thanks.
@NTFAQGuy 3 years ago
Glad you enjoyed it
@ragulansivabalakrishnan3262 2 years ago
Great explanation John as ever. Does "encryption at host" mitigate someone downloading a data VHD from the Azure subscription and attaching on another VM to extract the data? ADE mitigates against this as you will need the key as well to extract the data?
@NTFAQGuy 2 years ago
No
@hsmssouza 2 years ago
Very good content!!
@yasserparvez2258 2 years ago
Awesome John!
@kennyyu7340 1 year ago
Great Video!
@kristurk1 3 years ago
Really interesting John. Do you think a move to disk encryption sets and host-based encryption will also see a move to Gen2 VMs?
@NTFAQGuy 3 years ago
I think over time especially when all vm sizes are supported and gen2 already has some features gen1 does not. Definitely removing ADE removes a block to gen2
@swiftmind9700 2 years ago
Great video! I am confused with key rotation. For a situation where a container has a scoped key with customer-managed key, set to automatic rotation, do existing blobs stored with the older key version need to be re-encrypted with the new key version? I understand the auto rotation will pick up the new key version for any new blobs being written. I am just wondering about existing/older blobs.
@NTFAQGuy 2 years ago
Blobs are not actually encrypted with the key as I talked about in the video. Existing are also covered by the rotation
@swiftmind9700 2 years ago
@NTFAQGuy Excellent. Thank you for the fast reply! That detail went past me completely. Now I understand.
@bahrammaleki411 3 years ago
Great stuff, again :)
@NTFAQGuy 3 years ago
Thanks
@johnscott2555 2 years ago
Excellent job!!
@NTFAQGuy 2 years ago
Thank you!
@gauravsharma8220 2 years ago
great once again
@NTFAQGuy 2 years ago
Thank you
@dylanhughes5630 3 years ago
@john - why would you not do double encryption then? I assume there is no extra charge so should that not just be the default setup?
@NTFAQGuy 3 years ago
Regulatory reasons or just want to be extra sure in case one level was compromised. Encryption has some performance impact so generally you will do it if you need it but not otherwise, but either way it's not really anything significant.
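The three exchanges above (a KEK always protects the DEK, rotation covers existing blobs because the data is not encrypted with the vault key directly, and double encryption adds an independent layer) all describe envelope encryption. The model below is an added example written for this page, not Azure's or John Savill's code. It assumes a toy HMAC-SHA256 counter-mode keystream with an HMAC tag standing in for AES-256 so that it runs offline on the standard library, and the names KeyVault, StorageService and StoredObject are illustrative, not Azure SDK types. It shows why a KEK rotation leaves every ciphertext byte unchanged, why disabling the KEK version makes the stored objects unreadable, and where the infrastructure-encryption layer sits.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy cipher (assumption): HMAC-SHA256 counter-mode keystream standing in for AES-256.
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: 16-byte nonce || ciphertext || 32-byte tag.
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + _tag(key, nonce, ct)

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)

class KeyVault:
    """Stand-in for Key Vault: KEKs never leave it; callers get only wrap/unwrap."""
    def __init__(self) -> None:
        self._keks = {}                           # version id -> KEK bytes
        self.current = self.create_version()

    def create_version(self) -> str:
        self.current = os.urandom(8).hex()
        self._keks[self.current] = os.urandom(32)
        return self.current

    def disable(self, version: str) -> None:
        del self._keks[version]                   # the customer's kill switch

    def wrap(self, version: str, dek: bytes) -> bytes:
        return seal(self._require(version), dek)

    def unwrap(self, version: str, wrapped: bytes) -> bytes:
        return open_(self._require(version), wrapped)

    def _require(self, version: str) -> bytes:
        if version not in self._keks:
            raise PermissionError(f"KEK version {version} is disabled or purged")
        return self._keks[version]

@dataclass
class StoredObject:
    kek_version: str      # which KEK version wrapped the DEK
    wrapped_dek: bytes    # never the plaintext DEK
    ciphertext: bytes

class StorageService:
    def __init__(self, vault: KeyVault, infrastructure_encryption: bool = False) -> None:
        self.vault = vault
        # Second layer uses an independent platform-managed key (double encryption).
        self.infra_key = os.urandom(32) if infrastructure_encryption else None

    def put(self, plaintext: bytes) -> StoredObject:
        dek = os.urandom(32)                      # fresh DEK per object
        ct = seal(dek, plaintext)
        if self.infra_key is not None:
            ct = seal(self.infra_key, ct)
        return StoredObject(self.vault.current, self.vault.wrap(self.vault.current, dek), ct)

    def get(self, obj: StoredObject) -> bytes:
        dek = self.vault.unwrap(obj.kek_version, obj.wrapped_dek)
        ct = obj.ciphertext if self.infra_key is None else open_(self.infra_key, obj.ciphertext)
        return open_(dek, ct)

    def rotate_kek(self, objects: list) -> str:
        """Rewrap every DEK under a new KEK version; ciphertext is untouched, so
        existing objects are covered by the rotation without re-encrypting data."""
        new = self.vault.create_version()
        for obj in objects:
            dek = self.vault.unwrap(obj.kek_version, obj.wrapped_dek)
            obj.wrapped_dek, obj.kek_version = self.vault.wrap(new, dek), new
        return new

def demo() -> dict:
    vault = KeyVault()
    svc = StorageService(vault, infrastructure_encryption=True)
    obj = svc.put(b"payroll.csv: constructed sample row")   # constructed input
    ct_before, old_version = obj.ciphertext, obj.kek_version
    new_version = svc.rotate_kek([obj])
    plaintext = svc.get(obj)
    vault.disable(new_version)                               # revoke the KEK
    try:
        svc.get(obj)
        revoked = False
    except PermissionError:
        revoked = True
    return {"ciphertext_unchanged": obj.ciphertext == ct_before,
            "version_changed": old_version != new_version,
            "plaintext": plaintext, "revoked_blocks_read": revoked}
```

The point the model makes for a practitioner: the wrapped DEK travels with the object, so someone who copies the ciphertext out of the storage plane still has to get wrapKey/unwrapKey on the KEK to read it, and the cheap KEK rotation is exactly why there is no bulk re-encryption job when a key version rolls over.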
@ernestbrant3125 2 years ago
Great Video John :)
@NTFAQGuy 2 years ago
Thanks!
@DeusWolf 3 years ago
Hello John, thanks for another great video. I was under the impression that another benefit of ADE would be preventing someone who'd compromised a privileged Azure account from being able to exfiltrate a disk image and read the contents. Is my understanding of that incorrect? Would the replacement technologies you've mentioned here(Disk Encryption Sets, Host Side Encryption) supplement that element of security? Infrastructure encryption protects me from an Azure employee, or someone who'd breached the physical datacenter, from reading my data but it doesn't prevent an authorized user to that disk from misusing it.
@NTFAQGuy 3 years ago
If you exfiltrated the azure account then you have same access to the key vault as with des. I don’t see it as different. I could be missing something.
@DeusWolf 3 years ago
@NTFAQGuy In an enterprise setting, it wouldn't be unusual for someone to have contributor rights to the RG that contains the OS disk, but not have any permissions to the KeyVault. If their account were compromised and ADE was NOT implemented, the attacker would be able to download the disk (via Disk Export in Portal or programmatically) and read its contents. If ADE is implemented, and the compromised user doesn't have GET permissions to the KeyVault, the disk can be downloaded but its contents are encrypted via BitLocker and useless. In fact, because the KeyVault setup for disk encryption isn't handled using an access policy, no one needs to have permissions to that KeyVault (you can create one if/when someone does). As long as the KeyVault is in the same region and subscription, and has the Disk Encryption toggle, it can be used for ADE. You might even have someone in a _Support role that does have management plane access to Azure, and disks, but shouldn't have permissions to read the contents of those disks; ADE would likely be the correct tool in that circumstance as well.
@NTFAQGuy 3 years ago
@DeusWolf I'm with you now, yes, makes sense. Would have to really consider though if the account was compromised could attackers then use extensions etc to get at the data in place. Things like restricting network etc may be key for exfiltration.
@dips31089 2 years ago
@DeusWolf Valid point in favor of ADE. For the support personnel, maybe have a custom role that restricts the export of VHD?
@methewolf 3 years ago
Excellent video, I do have a question, still nobody could answer that: How can I encrypt MS Stream videos? I found that these videos are kept in its own service on top of Azure. Can I encrypt it any way? My customer needs to encrypt it.
@NTFAQGuy 3 years ago
I don't know anything about that service, sorry. I would research its security options. It likely is encrypted anyway and maybe has a CMK option. Its documentation would tell you.
@tilikumtim5562 3 years ago
Am I right in saying you can't do file level restores with an encrypted disk? Would you have to restore the entire disk and attach it to a vm?
@NTFAQGuy 3 years ago
There are different ways to backup a VM, inside and outside. That will impact what and how you can restore.
@tilikumtim5562 3 years ago
@NTFAQGuy Yes, sorry I should have said using Azure Backup.
@NTFAQGuy 3 years ago
@tilikumtim5562 So if you use ADE then yes there are limits to what backup can do because it's encrypted inside. If it's disk level (not ADE) then that does not apply.
@tilikumtim5562 3 years ago
@NTFAQGuy Thanks, appreciate the reply.
@robannmateja5000 2 years ago
Very good video! The floppy tale was told with such a straight face, too! Nice t-shirt; do you have any for sale? :)
@NTFAQGuy 2 years ago
I don't remember where I got that shirt. I have a few t-shirts in the YouTube store for the channel where all profit goes to cure childhood cancer if any of those are interesting :)
@robannmateja5000 2 years ago
@NTFAQGuy, I was sort of kidding about the shirt, the subject being about the floppy diskette, but I would love to contribute to the childhood cancer cause.. do you have a URL you can share where I can buy a shirt to help? I'm not familiar with the YouTube store. Thanks!
@NTFAQGuy 2 years ago
@robannmateja5000 haha, got you. johns-t-shirts-store.creator-spring.com/ is the little t-shirt store. Any support for the charity would be great. Take care.
@robannmateja5000 2 years ago
@NTFAQGuy, awesome... I just ordered a few!
@NTFAQGuy 2 years ago
@robannmateja5000 Thank you for supporting cure childhood cancer!
@Satjag 3 years ago
This is encryption at the storage or disk level. In the case of a multi-tenancy architecture, if there is a need for application-level or database encryption, how do you achieve it? Can it be tenant-id specific, assuming it's 1 physical DB?
@NTFAQGuy 3 years ago
PaaS Databases use their own encryption technologies. Likewise an app typically would not rely on storage alone if multi-tenant. Different options depending on exact technology but you would not rely on the storage account if shared files.
@iLeanonsyrup 2 years ago
How did you learn Azure so well?
@NTFAQGuy 2 years ago
Just time.
@ammarkheder3071 2 years ago
Jooohnnn how the hell do you know all this information !!!! :)
@NTFAQGuy 2 years ago
Lol
@bryansanchez9653 3 years ago
I am too young to understand floppy disks :(
@NTFAQGuy 3 years ago
Booooooo show off :)
@billfarrell6638 2 years ago
Patreon?
@NTFAQGuy 2 years ago
No. This site is just a hobby. Don't want to make any money from it. Why I have all adverts turned off. 🤙
@abhaymittal7393 2 years ago
Great Video John :)
@NTFAQGuy 2 years ago
Thanks!