2
votes

So, let's say I've encrypted a Linux VM on Azure (boy, the docs are awful). How do I rotate the keys? Is it even possible? Right now I see that Azure offers passphrase encryption. I suppose you can't really "rotate" that?

But let's imagine I've used a KEK (key encryption key) to encrypt the passphrase which is used to encrypt the Linux VM. I don't think there's a way to rotate that except for remove encryption\enable encryption?

Am I missing something?

vm encoded with Passphrase which is in turn encrypted with kek

1
How did you go about encrypting the VM? - Chris Pietschmann
Hey, did you get the answer? I am searching for the same. Is key rotation of the KEK possible in Azure? - cloudbud
No clue yet, I don't think there's a way for this @sonam_sharma - 4c74356b41
Yes, even I am not able to find any documentation regarding that. - cloudbud
We can rotate the secrets and storage keys, right? - cloudbud

1 Answer

0
votes

Quote:

To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption.

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#how-do-i-rotate-secrets-or-encryption-keys
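
What re-running the enable command with a new KEK can look like, as an added example that is not part of the answer or the quoted FAQ. It assumes encryption was originally enabled with the Azure CLI's `az vm encryption enable`; the function name `rotate_kek`, the `APPLY` switch and all resource names are placeholders made up for illustration.

```shell
#!/bin/sh
# Added example: rotate the KEK of an Azure Disk Encryption VM by re-running
# "az vm encryption enable" with a new key encryption key.
# Resource names below are placeholders (assumptions), not values from the page.

# rotate_kek RG VM VAULT NEW_KEK VOLUME_TYPE [KEK_VAULT]
#   VAULT       Key Vault holding the disk encryption secret
#   NEW_KEK     name or URL of the new key encryption key
#   VOLUME_TYPE same value as in the original enable command (OS, DATA or ALL)
#   KEK_VAULT   only needed when the KEK lives in a different vault
# Dry run by default: prints the command. Set APPLY=1 to execute it.
rotate_kek() {
  rg=${1:-} vm=${2:-} vault=${3:-} kek=${4:-} vol=${5:-} kek_vault=${6:-}
  if [ -z "$rg" ] || [ -z "$vm" ] || [ -z "$vault" ] || [ -z "$kek" ]; then
    echo "usage: rotate_kek RG VM VAULT NEW_KEK VOLUME_TYPE [KEK_VAULT]" >&2
    return 2
  fi
  case $vol in
    OS|DATA|ALL) ;;
    *) echo "volume type must be OS, DATA or ALL" >&2; return 2 ;;
  esac

  # Same command as the original enablement; only the KEK argument changes.
  set -- vm encryption enable \
    --resource-group "$rg" --name "$vm" \
    --disk-encryption-keyvault "$vault" \
    --key-encryption-key "$kek" \
    --volume-type "$vol"
  if [ -n "$kek_vault" ]; then
    set -- "$@" --key-encryption-keyvault "$kek_vault"
  fi

  if [ "${APPLY:-0}" != 1 ]; then
    echo "az $*"          # dry run: show what would be executed
    return 0
  fi
  # Apply, then print the VM's encryption status to confirm the new settings.
  az "$@" && az vm encryption show --resource-group "$rg" --name "$vm"
}

# Dry-run call with placeholder names.
rotate_kek myResourceGroup myLinuxVM myKeyVault myNewKEK ALL
```
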