Vault Generate Key Application Authentication

  1. Vault Generate Key Application Authentication Download
  2. Vault Generate Key Application Authentication Pdf
-->

The new release of Azure Disk Encryption eliminates the requirement for providing an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see Azure Disk Encryption. VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.

Azure Key Vault is a pretty handy way of centrally managing access to secrets and logging what process has requested access to them. The best way to use it is for Azure hosted resources such as Web Applications or VMs for which you can assign a managed identity to the resource and grant this identity access to the vault. Azure Key Vault is a pretty handy way of centrally managing access to secrets and logging what process has requested access to them. The best way to use it is for Azure hosted resources such as Web Applications or VMs for which you can assign a managed identity to the resource and grant this identity access to the vault. However, if you want to access vault secrets from a console application. Token authentication is enabled by default in Vault and cannot be disabled. When you start a dev server with vault server -dev, it prints your root token. The root token is the initial access token to configure Vault. It has root privileges, so it can perform any operation within Vault. You can create more tokens using the vault token create command.

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault.

First, we need to create an Azure AD application and set it up to use certificate-based authentication. Create a new service principal for the AD application and associate that with the Azure Key Vault. Authorize the AD application with the permissions required. In this case, I am providing all access to keys and secrets. Apr 17, 2017  There are two ways to authenticate a web application in KeyVault. You can store a simple client identifier and client secret in the app settings. This is a rather bad approach as it once again gives access to the KeyVault values. A better is approach is to authenticate the web application using a. Azure Key Vault documentation Learn how to use Key Vault to create and maintain keys that access and encrypt your cloud resources, apps, and solutions. Tutorials, API references, and more.

Creating and configuring a key vault for use with Azure Disk Encryption with Azure AD (previous release) involves three steps:

  1. Create a key vault.
  2. Set up an Azure AD application and service principal.
  3. Set the key vault access policy for the Azure AD app.
  4. Set key vault advanced access policies.

You may also, if you wish, generate or import a key encryption key (KEK).

See the main Creating and configuring a key vault for Azure Disk Encryption article for steps on how to Install tools and connect to Azure.

Note

The steps in this article are automated in the Azure Disk Encryption prerequisites CLI script and Azure Disk Encryption prerequisites PowerShell script.

Create a key vault

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. You can create a key vault or use an existing one for Azure Disk Encryption. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault. You can use a Resource Manager template, Azure PowerShell, or the Azure CLI to create a key vault.

Azure

Warning

In order to make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.

Create a key vault with PowerShell

You can create a key vault with Azure PowerShell using the New-AzKeyVault cmdlet. For additional cmdlets for Key Vault, see Az.KeyVault.

  1. Create a new resource group, if needed, with New-AzResourceGroup. To list data center locations, use Get-AzLocation.

  2. Create a new key vault using New-AzKeyVault

  3. Note the Vault Name, Resource Group Name, Resource ID, Vault URI, and the Object ID that are returned for later use when you encrypt the disks.

Create a key vault with Azure CLI

You can manage your key vault with Azure CLI using the az keyvault commands. To create a key vault, use az keyvault create.

  1. Create a new resource group, if needed, with az group create. To list locations, use az account list-locations

  2. Create a new key vault using az keyvault create.

  3. Note the Vault Name (name), Resource Group Name, Resource ID (ID), Vault URI, and the Object ID that are returned for use later.

Create a key vault with a Resource Manager template

You can create a key vault by using the Resource Manager template.

  1. On the Azure quickstart template, click Deploy to Azure.
  2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click Purchase.

Set up an Azure AD app and service principal

When you need encryption to be enabled on a running VM in Azure, Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Set up an Azure AD app and service principal with Azure PowerShell

To execute the following commands, get and use the Azure AD PowerShell module.

  1. Use the New-AzADApplication PowerShell cmdlet to create an Azure AD application. MyApplicationHomePage and the MyApplicationUri can be any values you wish.

  2. The $azureAdApplication.ApplicationId is the Azure AD ClientID and the $aadClientSecret is the client secret that you will use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running $azureAdApplication.ApplicationId will show you the ApplicationID.

Set up an Azure AD app and service principal with Azure CLI

You can manage your service principals with Azure CLI using the az ad sp commands. For more information, see Create an Azure service principal.

  1. Create a new service principal.

  2. The appId returned is the Azure AD ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately.

Set up an Azure AD app and service principal though the Azure portal

Use the steps from the Use portal to create an Azure Active Directory application and service principal that can access resources article to create an Azure AD application. Each step listed below will take you directly to the article section to complete.

  1. Create an Azure Active Directory application
    • You can use any name and sign-on URL you would like when creating the application.
  2. Get the application ID and the authentication key.
    • The authentication key is the client secret and is used as the AadClientSecret for Set-AzVMDiskEncryptionExtension.
      • The authentication key is used by the application as a credential to sign in to Azure AD. In the Azure portal, this secret is called keys, but has no relation to key vaults. Secure this secret appropriately.
    • The application ID will be used later as the AadClientId for Set-AzVMDiskEncryptionExtension and as the ServicePrincipalName for Set-AzKeyVaultAccessPolicy.

Set the key vault access policy for the Azure AD app

To write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the Key Vault.

Note

Azure Disk Encryption requires you to configure the following access policies to your Azure AD client application: WrapKey and Set permissions.

Set the key vault access policy for the Azure AD app with Azure PowerShell

Your Azure AD application needs rights to access the keys or secrets in the vault. Use the Set-AzKeyVaultAccessPolicy cmdlet to grant permissions to the application, using the client ID (which was generated when the application was registered) as the –ServicePrincipalName parameter value. To learn more, see the blog post Azure Key Vault - Step by Step.

  1. Set the key vault access policy for the AD application with PowerShell.

Set the key vault access policy for the Azure AD app with Azure CLI

Use az keyvault set-policy to set the access policy. For more information, see Manage Key Vault using CLI 2.0.

Give the service principal you created via the Azure CLI access to get secrets and wrap keys with the following command:

Set the key vault access policy for the Azure AD app with the portal

Vault Generate Key Application Authentication
  1. Open the resource group with your key vault.
  2. Select your key vault, go to Access Policies, then click Add new.
  3. Under Select principal, search for the Azure AD application you created and select it.
  4. For Key permissions, check Wrap Key under Cryptographic Operations.
  5. For Secret permissions, check Set under Secret Management Operations.
  6. Click OK to save the access policy.

Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. Enable disk encryption on the key vault or deployments will fail.

Set key vault advanced access policies with Azure PowerShell

Use the key vault PowerShell cmdlet Set-AzKeyVaultAccessPolicy to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: EnabledForDiskEncryption is required for Azure Disk encryption.

  • Enable Key Vault for deployment, if needed: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

  • Enable Key Vault for template deployment, if needed: Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

Set key vault advanced access policies using the Azure CLI

Use az keyvault update to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: Enabled-for-disk-encryption is required.

  • Enable Key Vault for deployment, if needed: Allow Virtual Machines to retrieve certificates stored as secrets from the vault.

  • Enable Key Vault for template deployment, if needed: Allow Resource Manager to retrieve secrets from the vault.

Set key vault advanced access policies through the Azure portal

  1. Select your keyvault, go to Access Policies, and Click to show advanced access policies.
  2. Select the box labeled Enable access to Azure Disk Encryption for volume encryption.
  3. Select Enable access to Azure Virtual Machines for deployment and/or Enable Access to Azure Resource Manager for template deployment, if needed.
  4. Click Save.

Set up a key encryption key (optional)

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM. For more information, see Key Vault Documentation. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

  • When generating keys, use an RSA key type. Azure Disk Encryption does not yet support using Elliptic Curve keys.

  • Your key vault secret and KEK URLs must be versioned. Azure enforces this restriction of versioning. For valid secret and KEK URLs, see the following examples:

    • Example of a valid secret URL:https://contosovault.vault.azure.net/secrets/EncryptionSecretWithKek/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    • Example of a valid KEK URL:https://contosovault.vault.azure.net/keys/diskencryptionkek/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Azure Disk Encryption doesn't support specifying port numbers as part of key vault secrets and KEK URLs. For examples of non-supported and supported key vault URLs, see the following examples:

    • Unacceptable key vault URLhttps://contosovault.vault.azure.net:443/secrets/contososecret/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    • Acceptable key vault URL:https://contosovault.vault.azure.net/secrets/contososecret/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Set up a key encryption key with Azure PowerShell

Before using the PowerShell script, you should be familiar with the Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment. This script creates all Azure Disk Encryption prerequisites and encrypts an existing IaaS VM, wrapping the disk encryption key by using a key encryption key.

Certificate-based authentication (optional)

If you would like to use certificate authentication, you can upload one to your key vault and deploy it to the client. Before using the PowerShell script, you should be familiar with the Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment.

Vault Generate Key Application Authentication Download

Certificate-based authentication and a KEK (optional)

If you would like to use certificate authentication and wrap the encryption key with a KEK, you can use the below script as an example. Before using the PowerShell script, you should be familiar with all of the previous Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment.

Important

Azure AD certificate-based authentication is currently not supported on Linux VMs.

Vault Generate Key Application Authentication Pdf

Next steps