Azure Storage and Disk Encryption Deep Dive

Поділитися
Вставка
  • Опубліковано 9 лип 2024
  • In this video I dive into the encryption options for Azure Storage and disks in Azure including customer managed key, disk encryption sets, encryption scope, infrastructure encryption, host-based encryption and more!
    00:00 Introduction
    00:10 John talking gibberish
    00:30 Azure Storage account encryption
    02:25 How data is encrypted
    04:20 Customer managed key
    07:40 Double encryption
    10:50 Encryption scopes
    15:25 Disk introduction
    16:38 Default disk encryption
    17:25 CMK with disk encryption sets
    21:28 Azure Disk Encryption inside the OS
    25:30 ADE and DES don't mix
    26:55 Host-based encryption
    33:00 Key rotation
    33:43 Close
  • Наука та технологія

КОМЕНТАРІ • 90

  • @joebrady9829
    @joebrady9829 Місяць тому +1

    Your videos are some of the best tech videos I've ever seen (and I've been a professional dev for 10 years), keep up the great work! It's also remarkable you never say "um" or "uh" or repeat yourself, concise and to the point

    • @NTFAQGuy
      @NTFAQGuy  Місяць тому

      That’s very kind. Pretty sure I do “um” sometimes :)

  • @AmitSingh-mr3cd
    @AmitSingh-mr3cd Місяць тому

    Thank you so much for this insightful video. The topics were explained thoroughly and in detail, which helped to resolve many of the questions I had. Your clear presentation has greatly enhanced my understanding on this cluttered topic ..

  • @iamdedlok
    @iamdedlok 3 роки тому +1

    Awesome coverage of encryption of storage John! Thanks! Cleared up a few confusions! Salut!

  • @alikhalighi
    @alikhalighi 2 роки тому

    This is really nice and professionally explained . I ve been digging on encryption and found this very useful and through .

  • @PrashantSharma-ql4yb
    @PrashantSharma-ql4yb Рік тому +1

    This is priceless content. Thank you for creating this!

  • @ZlatkaMitrevska
    @ZlatkaMitrevska Рік тому

    Great content.. I'm pretty new with all Azure stuff and couldn't understand a lot of things from just reading it.. This is it!
    Very helpful and descriptive, just the right way to understand it. And not just this topic, all of your videos are awesome :)
    Keep rocking!

  • @oliviermalfroidt6405
    @oliviermalfroidt6405 3 роки тому +1

    Again, your presentation is so valuable. Thx John.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      I appreciate that!

  • @christianibiri
    @christianibiri 3 роки тому +1

    Awesome! your videos are the best of the best :)

  • @joshuaeuceda4635
    @joshuaeuceda4635 3 роки тому

    Well done John! It helped clarify some ambiguity around storage encryption,Thank you!

  • @honeychook
    @honeychook 5 місяців тому

    This is some really high quality content! It has been hard to find out WHY we need a DES instead of just connecting to the key vault. It kind of makes sense now to have that middle layer between the disks.

  • @idrisfl
    @idrisfl 3 роки тому +1

    Nice video (like always) John!

  • @gianit7185
    @gianit7185 2 роки тому

    Thanks a lot, very useful video and very well explained!

  • @iamdedlok
    @iamdedlok 3 роки тому +2

    I am back to this video after 3 weeks again! Gem of content! Wanted to check the difference between Disk Encryption Set (DES) vs ADE .. and voila John has already explained this. Legend! Basically, I am trying to import into Terraform an Azure Windows VM created from VHD. Unfortunately, the azurerm_windows_virtual_machine resource doesn't allow importing a VM resource with existing attached managed os disk. We have to use the legacy azurerm_virtual_machine resource but then this doesn't support DES . So have to fallback to using ADE using extensions for this scenario . Cheers John!

  • @pokmnhyu
    @pokmnhyu 3 роки тому

    Great Video john !

  • @anshulfreedom
    @anshulfreedom 2 роки тому

    Only video which has clear the doubt between ADE & SSE

  • @kennyyu7340
    @kennyyu7340 Рік тому

    Great Video!

  • @sccfranciscobustos197
    @sccfranciscobustos197 2 роки тому

    I'm really a fan of your T-shirts, John, they're the best!

  • @fredpo620
    @fredpo620 Рік тому

    You are the best ! Thanks for this great content!! Subscribed!

  • @hsmssouza
    @hsmssouza 2 роки тому

    Very good content!!

  • @yulaw3289
    @yulaw3289 2 місяці тому

    enjoying this video for today learning, thanks a lot!

    • @NTFAQGuy
      @NTFAQGuy  2 місяці тому

      Happy to hear that!

  • @techcloudshaikh9533
    @techcloudshaikh9533 Рік тому

    Thanks for sharing this

  • @yasserparvez2258
    @yasserparvez2258 2 роки тому

    Awesome John!

  • @insights3005
    @insights3005 3 роки тому

    very high quality presentation

  • @bahrammaleki411
    @bahrammaleki411 3 роки тому

    Great stuff, again :)

  • @johnscott2555
    @johnscott2555 2 роки тому

    Excellent job!!

  • @ernestbrant3125
    @ernestbrant3125 2 роки тому

    Great Video John :)

  • @sveinungchr
    @sveinungchr 3 роки тому +2

    Thank you for your great videos. Did my az-104 today and passed. Your videos really helped. Have 303 and 304 planed for the next weeks

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      Congrats! Nice job.

  • @gauravsharma8220
    @gauravsharma8220 2 роки тому

    great once again

  • @minuted3400
    @minuted3400 3 роки тому

    Brilliant, many thanks.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      Glad you enjoyed it

  • @vak21
    @vak21 3 роки тому

    Hi John. Thanks for the excellent explanation. May I ask something that's been on my head for a long time? I couldn't find documents on it.
    Under the BYOK approach, I understand that the DEK (Data encryption keys) are fully managed my Azure. I understand that they are automatically rotated by Azure. How often are they rotated? (I understand there is not a single DEK, but multiple of them. Therefore each one with different life cycle and rotation).
    Thanks a lot!!!

  • @salmikhan
    @salmikhan 3 роки тому +1

    thanks, john. just recently cleared my az 900. your videos are so underrated. should have been more views and followers. wondering what do you recommend should I go for az 104 or should I get any paid course to prepare for it. and also how much study is required to pass az104.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      Congrats. Amount of study varies by person so don’t really have recommendation there, sorry.

  • @giovannidesantis6089
    @giovannidesantis6089 3 роки тому

    Hi John!
    Many thanks as always for your videos. By far, the best Azure training materials on the Internet!
    This is the first time that I write a comment, since I would have a doubt about the DEKs and KEKs.
    Surfing the Microsoft documentation, I have always read that the DEK is always present and is Microsoft-managed, while the KEK can be added and can be either customer-managed or customer-provided. Which is a little bit different from what you have said, that is the KEK is always present and can be Microsoft-mananged, customer-managed or customer-provided.
    Am I completely wrong or is there a typo in your video?
    Many thanks again John!

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      No kek is always present. It’s just whether the dek is Microsoft managed or customer. You always have to protect the dek and all that changes is where the kek is.

    • @giovannidesantis6089
      @giovannidesantis6089 3 роки тому

      @@NTFAQGuy Many thanks John :)

  • @kristurk1
    @kristurk1 3 роки тому +1

    Really interesting John. Do you think a move to disk encryption sets and host based encryption will also see a move to Gen2 VM's?

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      I think over time especially when all vm sizes are supported and gen2 already has some features gen1 does not. Definitely removing ADE removes a block to gen2

  • @ragulansivabalakrishnan3262
    @ragulansivabalakrishnan3262 2 роки тому

    Great explanation John as ever. Does "encryption at host" mitigate someone downloading a data VHD from the Azure subscription and attaching on another VM to extract the data? ADE mitigates against this as you will need the key as well to extract the data?

  • @renatobertolaccini3242
    @renatobertolaccini3242 2 роки тому +1

    Thank you, Savill. I was wondering how the relationship between KEK and DEK works. Azure uses the KEK to encrypt the DEK and as a result of this encryption (the hash), I use that hash to finally encrypt the data? (symmetrically)

    • @NTFAQGuy
      @NTFAQGuy  2 роки тому

      I did discuss that in the video. Hope it helps

  • @dylanhughes5630
    @dylanhughes5630 3 роки тому

    @john - why would you not do double encryption then? I assume there is no extra charge so should that not just be the default setup?

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      regulatory reasons or just want to be extra sure in case one level was compromised. Encryption has some performance impact so generally you will do it if you need it but not otherwise but either way its not really anything significant.

  • @methewolf
    @methewolf 3 роки тому

    Excellent Video, I do have a question, still nobody could answer that: How can I Encrypt MS Stream videos? I fond that these videos are kept in its own service on top of Azure. Can I encrypt any way. My customer needs to encrypt it.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      i don't know anything about that service, sorry. I would research its security options. It likely is encrypted anyway and maybe has a CMK option. Its documentation would tell you.

  • @swiftmind9700
    @swiftmind9700 2 роки тому

    Great video! I am confused with key rotation. For a situation where a container has a scoped key with customer-managed key, set to automation rotation, does existing blobs stored with the older key version need to be re-encrypted with the new key version? I understand the auto rotation will pick up the new key version for any new blobs being written. I am just wondering about existing/older blobs.

    • @NTFAQGuy
      @NTFAQGuy  2 роки тому +1

      Blobs are not actually encrypted with the key as I talked about in the video. Existing are also covered by the rotation

    • @swiftmind9700
      @swiftmind9700 2 роки тому

      @@NTFAQGuy Excellent. Thank you for the fast reply! That detail went past me completely. Now I understand.

  • @DeusWolf
    @DeusWolf 3 роки тому

    Hello John, thanks for another great video. I was under the impression that another benefit of ADE would be preventing someone who'd compromised a privileged Azure account from being able to exfiltrate a disk image and read the contents. Is my understanding of that incorrect? Would the replacement technologies you've mentioned here(Disk Encryption Sets, Host Side Encryption) supplement that element of security? Infrastructure encryption protects me from an Azure employee, or someone who'd breached the physical datacenter, from reading my data but it doesn't prevent an authorized user to that disk from misusing it.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      If you exfiltrated the azure account then you have same access to the key vault as with des. I don’t see it as different. I could be missing something.

    • @DeusWolf
      @DeusWolf 3 роки тому

      @@NTFAQGuy In an enterprise setting, it wouldn't be unusual for someone to have contributor rights to the RG that contains the OS disk, but not have any permissions to the KeyVault. If their account were compromised and ADE was NOT implemented, the attacker would be able to download the disk(via Disk Export in Portal or programmatically) and read it's contents. If ADE is implemented, and the compromised user doesn't have GET permissions to the KeyVault, the disk can be downloaded but it's contents are encrypted via BitLocker and useless. In fact, because the KeyVault setup for disk encryption isn't handled using an access policy, no one needs to have permissions to that KeyVault(you can create one if/when someone does). As long as the KeyVault is in the same region and subscription, and has the Disk Encryption toggle, it can be used for ADE. You might even have someone in a _Support role that does have management plane access to Azure, and disks, but shouldn't have permissions to read the contents of those disks, ADE would likely be the correct tool in that circumstance as well.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      @@DeusWolf I’m with you now, yes, makes sense. Would have to really consider though if the account was compromised could attacked them use extensions etc to get at the data in place. Things like restricting network etc may be key for exfiltration.

    • @dips31089
      @dips31089 2 роки тому

      @@DeusWolf Valid point in favor of ADE. For the support personnel, maybe have a custom role that restricts the export of VHD?

  • @Satjag
    @Satjag 3 роки тому

    This is encryption at storage or disk level. In case of multi tenancy architecture- If there is a need for application level or Database encryption- How to achieve it- can it be tenant id specific - assuming its 1 physical DB

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      PaaS Databases use their own encryption technologies. Likewise an app typically would not rely on storage alone if multi-tenant. Different options depending on exact technology but you would not rely on the storage account if shared files.

  • @tilikumtim5562
    @tilikumtim5562 3 роки тому

    Am I right in saying you can't do file level restores with an encrypted disk? Would you have to restore the entire disk and attach it to a vm?

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      There are different ways to backup a VM, inside and outside. That will impact what and how you can restore.

    • @tilikumtim5562
      @tilikumtim5562 3 роки тому

      @@NTFAQGuy Yes, sorry I should have said using Azure Backup.

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      @@tilikumtim5562 So if you use ADE then yes there are limits to what backup can do because its encrypted inside. If its disk level (not ADE) then that does not apply.

    • @tilikumtim5562
      @tilikumtim5562 3 роки тому

      @@NTFAQGuy Thanks, appreciate the reply.

  • @robannmateja5000
    @robannmateja5000 3 роки тому

    Very good video! The floppy tale was told with such a straight face, too! Nice t-shirt; do you have any for sale? :)

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      I don’t remember where I got that shirt. I have a few t shirts in the UA-cam store for channel where all profit goes to cure childhood cancer if any of those are interesting :)

    • @robannmateja5000
      @robannmateja5000 3 роки тому

      @@NTFAQGuy , I was sort of kidding about the shirt, the subject being about the floppy diskette, but I would love to contribute to the childhood cancer cause.. do you have a URL you can share where I can buy a shirt to help? I'm not familiar with the youtube store. Thanks!

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      @@robannmateja5000 haha, got you. johns-t-shirts-store.creator-spring.com/ is the little t-shirt store. Any support for the charity would be great. Take care.

    • @robannmateja5000
      @robannmateja5000 3 роки тому

      @@NTFAQGuy , awesome... I just ordered a few!

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому

      @@robannmateja5000 Thank you for supporting cure childhood cancer!

  • @iLeanonsyrup
    @iLeanonsyrup 2 роки тому

    How did you learn azure so we'll?

  • @ammarkheder3071
    @ammarkheder3071 2 роки тому

    Jooohnnn how the hell do you know all this information !!!! :)

  • @bryansanchez9653
    @bryansanchez9653 3 роки тому

    I am too young to understand floopy disks :(

    • @NTFAQGuy
      @NTFAQGuy  3 роки тому +1

      Booooooo show off :)

  • @billfarrell6638
    @billfarrell6638 2 роки тому

    Patreon?

    • @NTFAQGuy
      @NTFAQGuy  2 роки тому +3

      No. This site is just a hobby. Don't want to make any money from it. Why I have all adverts turned off. 🤙

  • @abhaymittal7393
    @abhaymittal7393 2 роки тому

    Great Video John :)