When a managed disk is at rest, Azure encrypts all of the data. Default encryption for data uses keys managed by Microsoft. You can provide customer-managed keys to encrypt data disks and the operating system of your AKS clusters while they are at rest, giving you greater control over encryption keys.
The prerequisites are
- You must enable soft delete and purge protection for Azure Key Vault when using Key Vault to encrypt managed disks.
- Azure CLI version 2.11.1 or later is required.
- The Kubernetes version 1.24 and higher support disk encryption as well as customer-managed keys.
- If you choose to rotate (change) your keys periodically, see Customer-managed keys and encryption of Azure managed disk for more information.
There are limitations
- In AKS clusters, the encryption of an OS disk can only be enabled with customer-managed keys.
- Virtual nodes are not supported.
- When encrypting an ephemeral OS disk-enabled node pool with customer-managed keys, if you want to rotate the key in Azure Key Vault, you need to:
- Scale down the node pool count to 0
- Rotate the key
- Scale up the node pool to the original count.
- An Azure Key Vault instance can be created
Use an Azure Key Vault instance to store your keys. You can optionally use the Azure portal to Configure customer-managed keys with Azure Key Vault
Create a new resource group, then create a new Key Vault instance and enable soft delete and purge protection. Ensure you use the same region and resource group names for each command.
# Optionally retrieve Azure region short names for use on upcoming commands
az account list-locations
# Create new resource group in a supported Azure region
az group create -l myAzureRegionName -n myResourceGroup
# Create an Azure Key Vault resource in a supported Azure region
az keyvault create -n myKeyVaultName -g myResourceGroup -l myAzureRegionName --enable-purge-protection true
2. An instance of a DiskEncryptionSet can be created
Replace myKeyVaultName with the name of your key vault. You also need a key stored in Azure Key Vault to complete the following steps. Either store your existing Key in the Key Vault you created on the previous steps, or generate a new key and replace myKeyName with the name of your key.
# Retrieve the Key Vault Id and store it in a variable
keyVaultId=$(az keyvault show --name myKeyVaultName --query "[id]" -o tsv)
# Retrieve the Key Vault key URL and store it in a variable
keyVaultKeyUrl=$(az keyvault key show --vault-name myKeyVaultName --name myKeyName --query "[key.kid]" -o tsv)
# Create a DiskEncryptionSet
az disk-encryption-set create -n myDiskEncryptionSetName -l myAzureRegionName -g myResourceGroup --source-vault $keyVaultId --key-url $keyVaultKeyUrl
3. Create a new AKS cluster and encrypt the OS disk
Either create a new resource group, or select an existing resource group hosting other AKS clusters, then use your key to encrypt the either using network-attached OS disks or ephemeral OS disk. By default, a cluster uses ephemeral OS disk when possible in conjunction with VM size and OS disk size.
Run the following command to retrieve the DiskEncryptionSet value and set a variable:
diskEncryptionSetId=$(az disk-encryption-set show -n mydiskEncryptionSetName -g myResourceGroup --query "[id]" -o tsv)
You can create a new resource group for the cluster by running the following command:
az group create -n myResourceGroup -l myAzureRegionName
To create a regular cluster using network-attached OS disks encrypted with your key, you can do so by specifying the --node-osdisk-type=Managed argument.
az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --generate-ssh-keys --node-osdisk-type Managed
To create a cluster with ephemeral OS disk encrypted with your key, you can do so by specifying the --node-osdisk-type=Ephemeral argument. You also need to specify the argument --node-vm-size because the default vm size is too small and doesn't support ephemeral OS disk.
az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --generate-ssh-keys --node-osdisk-type Ephemeral --node-vm-size Standard_DS3_v2
When new node pools are added to the cluster, the customer-managed key provided during the create process is used to encrypt the OS disk. The following example shows how to deploy a new node pool with an ephemeral OS disk.
az aks nodepool add --cluster-name $CLUSTER_NAME -g $RG_NAME --name $NODEPOOL_NAME --node-osdisk-type Ephemeral
4. Encrypt your AKS cluster data disk
Encrypting data disks with the same disk encryption set is the default if you have already specified a disk encryption set during cluster creation. This means that you can skip this step. Nevertheless, you can do the following actions to encrypt data drives using an alternative disk encryption set.
Run the following commands to assign the Contributor role for the diskencryptionset to the AKS cluster identity:
aksIdentity=$(az aks show -g $RG_NAME -n $CLUSTER_NAME --query "identity.principalId")
az role assignment create --role "Contributor" --assignee $aksIdentity --scope $diskEncryptionSetId
Create a file called byok-azure-disk.yaml that contains the following information. Replace myAzureSubscriptionId, myResourceGroup, and myDiskEncrptionSetName with your values, and apply the yaml. Make sure to use the resource group where your DiskEncryptionSet is deployed.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: byok
provisioner: disk.csi.azure.com # replace with "kubernetes.io/azure-disk" if aks version is less than 1.21
parameters:
skuname: StandardSSD_LRS
kind: managed
diskEncryptionSetID: "/subscriptions/{myAzureSubscriptionId}/resourceGroups/{myResourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{myDiskEncryptionSetName}"
Next, to upgrade your AKS cluster, execute the following commands:
# Get credentials
az aks get-credentials --name myAksCluster --resource-group myResourceGroup --output table
# Update cluster
kubectl apply -f byok-azure-disk.yaml
Refer BYOK with Azure managed disks in AKS