(4) AZ-500 Implement virtual machine host security in Azure
Azure Disk Encryption (ADE) makes use of VM operating system tools (2)
- BitLocker
- DM-Crypt
The main encryption-based disk protection technologies for Azure VMs are: (2)
- Storage Service Encryption (SSE)
- Azure Disk Encryption (ADE)
Running templates in the Azure portal under
Create a resource > Template Deployment (to locate and run defined templates in the portal)
What is Encryption?
Encryption is about converting meaningful information into something that appears meaningless, such as a random sequence of letters and numbers.
PowerShell command for running templates
New-AzResourceGroupDeployment
CLI command for running templates
azure group deployment create
Azure Disk Encryption requires that your key vault and your VMs are in the same Azure region; this ensures that
encryption secrets do not cross regional boundaries
SSE
storage service encryption
BitLocker Drive Encryption is a data protection feature that integrates with
the OS
Azure Disk Encryption (ADE) is managed by
the VM owner
Storage Service Encryption is performed on
the physical disks in the data center
If a VHD is protected with ADE, the disk image will only be accessible by
the virtual machine that owns the disk
Azure Disk Encryption encrypts the virtual machine's
virtual hard disks (VHDs)
Before you can encrypt your VM disks, you need to (3)
- Create a key vault
- Set the key vault access policy to support disk encryption
- Use the key vault to store the encryption keys for ADE
Storage Service Encryption is enabled by default using
256-bit AES encryption (managed by the storage account administrator)
Symmetric encryption (same key)
Algorithms that use symmetric keys, such as Advanced Encryption Standard (AES), are typically faster than public key algorithms, and are often used for protecting large data stores
ADE
Azure Disk Encryption
What is Azure Key Vault?
Azure Key Vault is a tool for securely storing and accessing secrets
When you enable Azure Disk Encryption (ADE) on a Windows virtual machine (VM), what does it use to encrypt the data on your virtual hard disks?
- DM-Crypt
- BitLocker
- Azure Key Vault
BitLocker
Suppose you create a new VM with a single OS disk and a single data disk. You use the default options when you create the VM. You don't have an Azure Key Vault set up in your subscription. Which option most accurately describes the encryption state of those disks?
- Both disks are unencrypted.
- The OS disk is encrypted using Storage Service Encryption (SSE). The data disk is unencrypted.
- Both disks are encrypted using Storage Service Encryption.
Both disks are encrypted using Storage Service Encryption.
Storage Service Encryption affects the performance of Azure storage services (true/false)
False (Storage Service Encryption does not affect the performance of Azure storage services)
Storage Service Encryption is enabled for all new and existing storage accounts and can be disabled (true/false)
False (Storage Service Encryption is enabled for all new and existing storage accounts and cannot be disabled)
You need to modify your code or applications to take advantage of Storage Service Encryption (true/false)
False (you don't need to modify your code or applications to take advantage of Storage Service Encryption)
FIPS
Federal Information Processing Standards
What are Azure Resource Manager templates?
Resource Manager templates are JSON files used to define a set of resources to deploy to Azure
To use Azure Key Vault with ADE, what policy do you need to set?
- Configure an access policy to permit at least one security principal.
- Create an access policy to allow template deployment.
- Set the key vault access policy to support disk encryption.
Set the key vault access policy to support disk encryption.
ADE does not support the encryption of Basic tier VMs, and you cannot use an on-premises Key Management Service (KMS) with ADE. (true/false)
True
Asymmetric encryption (private/public key pair)
With asymmetric algorithms, only the private key member of the pair must be kept private and secure; as its name suggests, the public key can be made available to anyone without compromising the encrypted data. (Much slower)