Resolved! Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

There are several ways to encrypt an Azure virtual machine. Azure can encrypt the operating system disk and the data disks itself with Azure Disk Encryption (ADE), an extension that runs inside the guest and encrypts the volumes with dm-crypt on Linux (BitLocker on Windows). I ran into the policy "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" when I applied the ISO 27001:2013 initiative to my project. The assessment behind this policy looks for ADE; Microsoft's own description of it says it can be disregarded if you use encryption at host instead, but the two features are mutually exclusive on a VM, so if you want the policy to show compliant you have to enable ADE. Here I will show how to resolve it using the portal and Bicep, and which preconditions the VM has to meet.

This post answers the following questions:

  • How to enable encryption of the OS and data disks of an Azure Linux virtual machine using the portal?
  • How to enable encryption of the OS and data disks of an Azure Linux virtual machine using Bicep?
  • How to enable encryption of the OS and data disks of an Azure Linux virtual machine using ARM templates? (The Bicep resource below compiles to the equivalent ARM template with az bicep build.)
  • How to resolve the "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" policy?

Requirement

The policy can be resolved in several ways, but here we use the portal and Bicep. Before encrypting, make sure these three settings are in the right state:
  • Encryption at host: disabled on the VM
  • Enable Ultra Disk Compatibility: disabled on the VM
  • Azure Disk Encryption for Volume Encryption: enabled on the Key Vault

Azure Disk Encryption cannot be enabled on a VM that has encryption at host turned on, and it does not support Ultra Disks, so both VM options must be off before the extension is added.

Azure Disk Encryption for Volume Encryption

  • Make sure this setting is enabled on the Key Vault that will hold the volume secrets and the key encryption key (Key Vault > Access configuration > "Azure Disk Encryption for volume encryption"; in a template this is the enabledForDiskEncryption property). The vault must be in the same region and subscription as the VM.
[Screenshot: Azure Disk Encryption for Volume Encryption]

Encryption at host, Enable Ultra Disk Compatibility

Method 1: Disable during creation of Virtual Machines

  • On the Disks tab of the "Create a virtual machine" wizard, leave both "Enable Ultra Disk compatibility" and "Encryption at host" unchecked.
[Screenshot: Enable Ultra Disk compatibility, Encryption at host]

Method 2: Disable after Creation of Virtual Machines

  • Stop (deallocate) the virtual machine; these two options can only be changed while it is deallocated.
  • Go to VM > Disks > Additional settings.
  • Disable both options, save, and start the VM again.
[Screenshot: Enable Ultra Disk compatibility, Encryption at host]

Implementation

To encrypt the OS and data disks you can use either the portal or Bicep.

Portal: To apply the solution in the portal, open the window below and add the encryption settings.

Note: The ADE extension runs inside the guest, so the virtual machine must be running when you enable it. Encrypting the OS disk of a Linux VM also reboots it and can take a long time, so plan a maintenance window.
  • Go to VM > Disks > Additional settings and open the encryption settings:
[Screenshot: Enable Ultra Disk compatibility, Encryption at host]
  • Select the disks to encrypt (OS, data or both), then choose the key vault and the key encryption key (KEK) that you generated in that key vault; ADE wraps the per-volume secret with this key.
[Screenshot: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources]

Bicep: To implement the solution using Bicep
  • Add the following extension resource to the template that declares the VM (the VM resource is referred to as virtualMachine here) and fill in the placeholders.
@description('Azure Disk Encryption (ADE) extension for a Linux VM')
resource diskEncrypt 'Microsoft.Compute/virtualMachines/extensions@2018-10-01' = {
  name: 'AzureDiskEncryptionForLinux'
  parent: virtualMachine // the Microsoft.Compute/virtualMachines resource declared in the same template
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryptionForLinux'
    typeHandlerVersion: '1.1'
    autoUpgradeMinorVersion: true
    forceUpdateTag: '1.0' // change this value to force the extension handler to run again
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: '<Enter Keyvault URL Here>' // vault that stores the volume secrets
      KeyVaultResourceId: '<Enter Keyvault Resource ID>' // ARM resource ID of that vault
      KeyEncryptionAlgorithm: 'RSA-OAEP' // algorithm used to wrap the volume secret with the KEK
      VolumeType: 'All' // 'OS', 'Data' or 'All'
      KeyEncryptionKeyURL: '<Enter Keyvault URL with version>' // versioned URL of the KEK (format below)
      KekVaultResourceId: '<Enter Keyvault Resource ID>' // ARM resource ID of the vault that holds the KEK
      SequenceVersion: '<Enter Sequence Version: Detail>' // must be a new value (e.g. a GUID) for every encryption operation
    }
  }
}
  • The template has placeholders that need to be filled in. "KeyEncryptionKeyURL" must be the versioned key URL in the following format:
https://<Keyvault Name>.vault.azure.net/keys/<Encryption Key Name>/<Encryption Version Name>
  "KeyVaultURL" is the vault URI, https://<Keyvault Name>.vault.azure.net/, and "KeyVaultResourceId" and "KekVaultResourceId" are ARM resource IDs of the form /subscriptions/<Subscription ID>/resourceGroups/<Resource Group>/providers/Microsoft.KeyVault/vaults/<Keyvault Name>. Both IDs point to the same vault when the secrets and the KEK live together.
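As an added example (this is not code from the original post), here is a complete Bicep deployment that ties the Requirement section and the extension above together: the VM is created with encryption at host and Ultra Disk compatibility turned off (Method 1 in template form), a Key Vault is created with "Azure Disk Encryption for volume encryption" enabled, an RSA key encryption key is generated in it, and the ADE extension reads the vault URL, resource ID and versioned key URL from those resources instead of hand-copied placeholders. The network interface name vm-nic (assumed to exist already), the VM size and image, the key vault name pattern and the key name are assumptions; the admin password is passed in as a secure parameter.

```bicep
// Added example, not from the original post. Assumes a NIC named 'vm-nic'
// already exists in the target resource group; everything else is created here.
param location string = resourceGroup().location
param vmName string = 'ade-vm'
param adminUsername string = 'azureuser'
@secure()
param adminPassword string
param keyVaultName string = 'kv-ade-${uniqueString(resourceGroup().id)}' // assumed naming pattern
// ADE only re-runs an encryption operation when SequenceVersion changes,
// so default to a fresh GUID for every deployment.
param sequenceVersion string = newGuid()

resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' existing = {
  name: 'vm-nic' // assumption: pre-existing NIC
}

// Requirement 3: the vault must allow "Azure Disk Encryption for volume encryption"
// (enabledForDiskEncryption) and live in the same region/subscription as the VM.
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: [] // enabledForDiskEncryption is the only grant ADE needs
    enabledForDiskEncryption: true
    enableSoftDelete: true // recommended: losing the KEK makes the disks unrecoverable
    enablePurgeProtection: true
  }
}

// Key encryption key (KEK); ADE wraps the per-volume secret with it using RSA-OAEP.
resource kek 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
  parent: kv
  name: 'ade-kek' // assumed key name
  properties: {
    kty: 'RSA'
    keySize: 2048
  }
}

resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v3' // assumed size
    }
    // Requirements 1 and 2: ADE is incompatible with encryption at host and Ultra Disks.
    securityProfile: {
      encryptionAtHost: false
    }
    additionalCapabilities: {
      ultraSSDEnabled: false
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}

// The ADE extension from the post, with the placeholders replaced by references.
resource diskEncrypt 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: virtualMachine
  name: 'AzureDiskEncryptionForLinux'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryptionForLinux'
    typeHandlerVersion: '1.1'
    autoUpgradeMinorVersion: true
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: kv.properties.vaultUri
      KeyVaultResourceId: kv.id
      KeyEncryptionKeyURL: kek.properties.keyUriWithVersion // versioned URL, as required
      KekVaultResourceId: kv.id
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All' // OS + data; Linux OS encryption reboots the VM
      SequenceVersion: sequenceVersion
    }
  }
}

output kekUrl string = kek.properties.keyUriWithVersion
```

Deploy it with az deployment group create -g <resource group> -f main.bicep -p adminPassword=<password>. Because SequenceVersion defaults to a new GUID, every deployment re-runs the EnableEncryption operation; the extension reports the VM as already encrypted on later runs, so nothing is re-encrypted. Never disable purge protection or delete the KEK while encrypted VMs depend on it.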

That's all there is to it. Once the extension finishes, the disks show as encrypted under VM > Disks; allow time for the policy compliance evaluation to run again before expecting the recommendation to clear. Let me know if you run into any issues. 🙂
