Volume encryption for Azure
You can encrypt disks in Azure using the following methods:
Default encryption, using Platform Managed Key (PMK)
Customer Managed Key (CMK) using Azure Key vault
Double Encryption at rest
For more information on Azure encryption, refer to 'Data encryption models' section of Microsoft Azure documentation.
Table: Encryption for creating snapshots
Disk encryption | Snapshot encryption |
|---|---|
Platform Managed Key (PMK) | Same PMK is used as the source disk. |
Customer Managed Key (CMK) | Same CMK is used as the source disk. |
Double Encryption (PMK_CMK) | Same CMK is used as the source disk. |
Table: Encryption for restoring snapshots
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Same PMK is used as the snapshot. |
CMK | Same CMK is used as the snapshot. |
PMK_CMK | Same CMK is used as the snapshot. |
Table: Encryption for restoring from backup
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Same PMK is used as the source disk. |
CMK | Same CMK is used as the source disk. |
PMK_CMK | Same CMK is used as the source disk, else PMK is used. |
Table: Encryption during VM restore from snapshot or backup
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
CMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
PMK_CMK | Encryption on disk can be PMK/CMK/PMK_CMK as per user selection during restore. |
To enable restore from snapshot or backups of VM with CMK encrypted disks, assign the following permissions to the key vault used for encryption:
Create new access policy in the desired Key Vault.
For more information on Key Vault access policy, refer to 'Assign a Key Vault access policy' section of Microsoft Azure documentation.
Add the following permissions under Permissions tab from the respective sections under Key Permissions:
Section
Permission
Key Management Operations
Get
Cryptographic Operations
Wrap Key
Unwrap Key
In the Principal tab, select Object ID of service principal used in provider configuration.
Review and create access policy.
Follow Step 1 to Step 4 to assign same permissions for the ObjectID of service principal of Disk Encryption Set.
Key vault: Azure role-based access control permission
When key vault is created with Azure role-based access control permission model:
Add a role with permission and assign application service principal to it.
Similarly add permission and assign application service principal to it.
For more information refer to 'Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control' section of Microsoft Azure documentation.
System managed identity: Enabled
If system managed identity is enabled on NetBackup Snapshot Manager, assign the following roles to the managed identity:
Role | Managed identity |
|---|---|
Key Vault Reader | Virtual machine scale set |
Key Vault Secrets officer | Virtual machine scale set |
Key Vault Crypto Service Encryption User | App (Disk Encryption Set) |
User managed identity: Enabled
If user managed identity is enabled on NetBackup Snapshot Manager, then assign the role to the user managed identity in the key vault.