Set-up customer-managed-key (CMK) encryption within an enclave

The fastest way to deploy customer managed keys to be compliant with the Azure Enclave policy requiring CMK is through the Common Dependencies service catalog template.

Several types of encryption are available for securing your data on managed disks and other Azure PaaS services, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host. Azure Enclave default governance and cybersecurity posture require customer-managed-key encryption for all resources deployed in an enclave.

Prerequisites for manual deployment method

  • Portal Access from Admin VM (192.168.x.x/26 usually).
    • Create community endpoint to Azure portal and Microsoft Azure services.
      • A default endpoint can be created within the community that defines access to common Microsoft sites and endpoints. If so, you can skip this step.
    • Create enclave connection to community endpoint.
  • You have the Key Vault Contributor role on the key vault or workload resource group that contains the key vault.

Steps in this guide

Enclave Key Vault

Every enclave is deployed with an Azure Key Vault in the default resource group for enclave infrastructure. Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. By default, enclave contributors should be able to upload keys, secrets, or certificates to the enclave Key Vault and utilize existing Azure capabilities and design patterns of other Azure services to support CMK encryption.

Examples of setting-up CMK encryption are provided in the next steps, with more detailed instructions or articles provided.

Create a Key in a Key Vault

Disk encryption sets (Windows IaaS)

Azure PaaS example (Storage account)

Create CMK from the Service Catalog (fastest and easiest)

Follow these instructions to create a key vault from the Service Catalog of validated templates for common Azure services.

Create CMK via the Portal

Alternatively, CMK can be created via the Portal.

Steps in this guide

  1. Sign in to Admin VM.
  2. Create Access Policy from Admin VM.
  3. Generate Key for CMK in Key Vault.

Enable Enclave access to the Azure portal

Key vault access is restricted to the KV virtual network so the key vault Key needs to be created from the Azure portal from within the Admin VM.

Sign in to Admin VM

Follow these Admin VM instructions to sign in.

Update Key Vault from Admin VM

  1. After Admin VM sign in, open Microsoft Edge (for example, via the Start Menu).
  2. Navigate to https://portal.azure.com or the domain specific portal URL.

Create Access Policy from Admin VM

  1. From the portal, navigate to the Key Vault and select the Access Policy on the left side.
  2. Select Create.
  3. Select the "Configure from a template" dropdown and select Key Management.
  4. Select Next to go to the Principal tab.
  5. Enter your username in the search bar and select your user account.
  6. Select Next and then Create.

Generate Key for CMK in Key Vault

  1. From the portal, navigate to the Key Vault and select the Keys on the left side.
  2. Select Generate/Import.
  3. Enter the name for the new key.
  4. Select Create. The default options should create an RSA 2048 key.
  5. Copy the key name you created.
  6. You can sign out of the Admin VM.
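The access-policy and key-generation steps above as an added Az PowerShell example, run from the Admin VM; this is not part of the guide or the enclave templates. The vault name, user principal name and key name are placeholders, and the pre-flight check for soft delete and purge protection is included because disk encryption sets and storage account CMK configurations require both on the backing vault.

```powershell
# Placeholder values: replace with the enclave key vault name, your UPN and a key name.
$VaultName = 'kv-enclave-placeholder'
$UserUpn   = 'admin@example.com'
$KeyName   = 'cmk-enclave-key'

# Run from the Admin VM: the vault's network rules only allow the KV virtual network.
# Connect-AzAccount -Environment AzureCloud   # or the enclave's sovereign cloud environment

# 1. Pre-flight: CMK consumers (disk encryption sets, storage accounts) require
#    soft delete and purge protection on the vault. Fail early if either is off.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault.EnableSoftDelete -or -not $vault.EnablePurgeProtection) {
    throw "Key vault '$VaultName' must have soft delete and purge protection enabled before it can back a CMK."
}

# 2. Access policy for the operator creating the key. This covers key lifecycle
#    operations only; it deliberately omits wrapKey/unwrapKey, which the operator does not need.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserUpn `
    -PermissionsToKeys get,list,update,create,import,delete,recover,backup,restore

# 3. Generate the key. The portal defaults produce RSA 2048; stated explicitly here.
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
    -Destination Software -KeyType RSA -Size 2048

# 4. Verify and record the key identifier; the disk encryption set or storage
#    account CMK configuration references this vault/key pair.
$check = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
Write-Output "Key created: $($check.Id) (enabled=$($check.Enabled))"

# The service identity that later consumes the key (for example a disk encryption
# set's managed identity) needs only get, wrapKey and unwrapKey, not the operator set above:
# Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId '<identity-object-id>' -PermissionsToKeys get,wrapKey,unwrapKey
```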

Create a user-assigned managed identity

Create a user-assigned managed identity for the enclave.

Further reading