AKS | Bring your own keys (BYOK) with Azure disks

Hi!

The "Bring your own keys" (BYOK) capability for Azure disks is now supported in preview within AKS.

By default, the disks of an AKS cluster are encrypted at rest with Microsoft-managed keys. If you need control over the encryption keys, you can supply customer-managed keys instead: the OS and data disks of your AKS clusters are then encrypted with keys that you own and manage, which adds a layer of encryption control on top of the platform default.

Encrypting the OS disk with customer-managed keys can only be enabled when the AKS cluster is created. If a node pool with ephemeral OS disks is encrypted with customer-managed keys, rotating the key in Azure Key Vault requires the following steps:

  1. Decrease the node pool count to 0.
  2. Initiate the key rotation process.
  3. Restore the node pool count to its original value.

Following these steps in that order ensures the key is rotated safely for the node pool.
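The three-step rotation above, scripted as an added example (not code from the original post or the Microsoft docs). Names are placeholders; it assumes the DiskEncryptionSet does not have automatic key rotation enabled, so it is repointed at the new key version explicitly, and it refuses to scale anything if the current node count cannot be read.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the post's three-step key
# rotation for a node pool that uses ephemeral OS disks encrypted with a
# customer-managed key. Placeholder names throughout; assumes the DiskEncryptionSet
# has no automatic key rotation, so it is repointed at the new key version here.
set -eu

# Current node count of the pool, so it can be restored exactly afterwards.
pool_count() {
  az aks nodepool show --cluster-name "$1" -g "$2" --name "$3" --query count -o tsv
}

# Arguments: cluster resource-group nodepool vault key-name diskencryptionset.
# Refuses to touch the pool if the node count cannot be read as a number.
# Prints the URL of the new key version on success.
rotate_ephemeral_pool_key() {
  cluster=$1; rg=$2; pool=$3; vault=$4; key=$5; des=$6
  count=$(pool_count "$cluster" "$rg" "$pool") || return 1
  case $count in
    ''|*[!0-9]*) echo "cannot read node count for $pool: '$count'" >&2; return 1 ;;
  esac
  # Step 1: scale to 0 so no ephemeral OS disk using the old key version stays in use.
  az aks nodepool scale --cluster-name "$cluster" -g "$rg" --name "$pool" --node-count 0
  # Step 2: create a new version of the key and point the DiskEncryptionSet at it.
  az keyvault key create --vault-name "$vault" --name "$key"
  newkid=$(az keyvault key show --vault-name "$vault" --name "$key" --query key.kid -o tsv)
  az disk-encryption-set update -n "$des" -g "$rg" --key-url "$newkid"
  # Step 3: restore the original count; new nodes are created under the new key version.
  az aks nodepool scale --cluster-name "$cluster" -g "$rg" --name "$pool" --node-count "$count"
  echo "$newkid"
}

# Runs against real resources only when asked explicitly: sh rotate.sh --run
if [ "${1:-}" = "--run" ]; then
  rotate_ephemeral_pool_key myAKSCluster myResourceGroup mynodepool myKeyVaultName myKeyName myDiskEncryptionSetName
fi
```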

Register the preview feature
# Install or update the aks-preview extension
az extension add --name aks-preview
az extension update --name aks-preview
# Register the feature flag and wait until "show" reports the state "Registered"
az feature register --namespace "Microsoft.ContainerService" --name "EnableBYOKOnEphemeralOSDiskPreview"
az feature show --namespace "Microsoft.ContainerService" --name "EnableBYOKOnEphemeralOSDiskPreview"
# Propagate the registration to the resource provider
az provider register --namespace Microsoft.ContainerService

Create a Key Vault
# Resource group and Key Vault in the same region; purge protection is required for a DiskEncryptionSet
az group create -l myAzureRegionName -n myResourceGroup
az keyvault create -n myKeyVaultName -g myResourceGroup -l myAzureRegionName --enable-purge-protection true

Create an instance of a DiskEncryptionSet
# myKeyName must already exist in the vault; the DiskEncryptionSet's managed identity
# also needs get/wrapKey/unwrapKey access to that key before the set can be used
keyVaultId=$(az keyvault show --name myKeyVaultName --query "[id]" -o tsv)
keyVaultKeyUrl=$(az keyvault key show --vault-name myKeyVaultName --name myKeyName --query "[key.kid]" -o tsv)
az disk-encryption-set create -n myDiskEncryptionSetName -l myAzureRegionName -g myResourceGroup --source-vault $keyVaultId --key-url $keyVaultKeyUrl

Create a new AKS cluster and encrypt the OS disk
diskEncryptionSetId=$(az disk-encryption-set show -n myDiskEncryptionSetName -g myResourceGroup --query "[id]" -o tsv)
# Creates the resource group for the cluster if it does not exist yet
az group create -n myResourceGroup -l myAzureRegionName
# Option 1: managed OS disks
az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --generate-ssh-keys --node-osdisk-type Managed
# Option 2: ephemeral OS disks (preview); the VM size must have a cache large enough for the OS disk
az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --generate-ssh-keys --node-osdisk-type Ephemeral --node-vm-size Standard_DS3_v2
# Add an ephemeral node pool to an existing cluster; CLUSTER_NAME, RG_NAME and NODEPOOL_NAME hold the cluster, resource group and new pool name
az aks nodepool add --cluster-name $CLUSTER_NAME -g $RG_NAME --name $NODEPOOL_NAME --node-osdisk-type Ephemeral


Encrypt your AKS cluster data disk
# byok-azure-disk.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: byok
provisioner: disk.csi.azure.com # replace with "kubernetes.io/azure-disk" if aks version is less than 1.21
parameters:
  skuname: StandardSSD_LRS
  kind: managed
  diskEncryptionSetID: "/subscriptions/{myAzureSubscriptionId}/resourceGroups/{myResourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{myDiskEncryptionSetName}"


# Fetch the cluster credentials, then create the StorageClass
az aks get-credentials --name myAKSCluster --resource-group myResourceGroup --output table
kubectl apply -f byok-azure-disk.yaml
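A check to run after a PersistentVolumeClaim has been provisioned from the byok StorageClass, added here as an example (not code from the original post): it looks up the Azure disk behind the PVC and confirms that the disk itself reports customer-managed-key encryption with the expected DiskEncryptionSet. It assumes kubectl and az are already signed in; the expected DiskEncryptionSet resource ID is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: verifies that the Azure disk behind a
# PVC provisioned from the "byok" StorageClass is encrypted with the expected
# DiskEncryptionSet. Assumes kubectl and az are signed in.
set -eu

# Resource ID of the disk backing a PVC: the CSI volumeHandle, or the in-tree
# diskURI on clusters older than 1.21. Fails if the PVC is not bound yet.
pvc_disk_id() {
  pv=$(kubectl get pvc "$1" -n "$2" -o jsonpath='{.spec.volumeName}') || return 1
  [ -n "$pv" ] || return 1
  kubectl get pv "$pv" -o jsonpath='{.spec.csi.volumeHandle}{.spec.azureDisk.diskURI}'
}

# Arguments: pvc namespace expected-diskencryptionset-id. Returns 0 only when the
# disk reports EncryptionAtRestWithCustomerKey and references the expected set.
check_pvc_cmk() {
  pvc=$1; ns=$2; expected=$3
  disk=$(pvc_disk_id "$pvc" "$ns") || { echo "$ns/$pvc: PVC is not bound" >&2; return 1; }
  # Two tab-separated fields; the second is empty for platform-managed keys.
  enc=$(az disk show --ids "$disk" --query "[encryption.type, encryption.diskEncryptionSetId]" -o tsv)
  set -- $enc
  etype=${1:-}; des=${2:-}
  if [ "$etype" != "EncryptionAtRestWithCustomerKey" ]; then
    echo "$ns/$pvc: disk uses '$etype', not a customer-managed key" >&2; return 1
  fi
  # Azure resource IDs are case-insensitive, so normalise both sides before comparing.
  if [ "$(printf %s "$des" | tr '[:upper:]' '[:lower:]')" != \
       "$(printf %s "$expected" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "$ns/$pvc: encrypted with $des, expected $expected" >&2; return 1
  fi
  echo "$ns/$pvc: ok ($disk)"
}

# Usage: sh check-byok.sh --run <pvc> <namespace> <diskEncryptionSetId>
if [ "${1:-}" = "--run" ]; then
  check_pvc_cmk "$2" "$3" "$4"
fi
```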

Source: https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys

Maxime.

Private Endpoint support for Malware Scanning in Defender for Storage

Hi!

Private Endpoint support is now available as part of the Malware Scanning public preview in Defender for Storage. If you are not familiar with the Malware Scanning feature in Defender for Storage, I recommend reading this blog post first.

This capability lets you enable Malware Scanning on storage accounts that use private endpoints. With private endpoints, clients reach your Azure Storage services over a private network path, so the storage account does not have to be exposed to the public internet, in line with best practices for protecting your data.

If you already have Malware Scanning enabled on storage accounts with private endpoints, note that you must disable and then re-enable the plan with Malware Scanning for this new feature to take effect.

Maxime.

Microsoft MVP Azure & Security 2023-2024!

Hi!

I am thrilled to share the news that I have been renewed as a Microsoft MVP in two categories: Microsoft Azure and Security for the year 2023-2024. It fills me with immense pride to be a part of this vibrant community and to have the opportunity to continue sharing my knowledge.

I would like to express my heartfelt gratitude to the Microsoft MVP Award team, specifically Betsy and Rochelle, for their unwavering support. I would also like to extend my thanks to all my colleagues, blog readers, and commentators who have been a constant source of inspiration and encouragement. Congratulations to all the new and renewed MVPs!

Maxime.