Pradeep

Reputation: 5540

How to enable the server-side encryption with customer-managed keys stored in Managed HSM for managed disks?

I have created and activated Managed HSM using the following terraform script:

main.tf

data "azurerm_client_config" "current" {}

## Create a Resource Group
resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

## Create a Key Vault Managed Hardware Security Module
resource "azurerm_key_vault_managed_hardware_security_module" "kv_hsm" {
  name                       = var.kv_hsm_name
  resource_group_name        = azurerm_resource_group.resource_group.name
  location                   = azurerm_resource_group.resource_group.location
  sku_name                   = var.sku_name
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  admin_object_ids           = [data.azurerm_client_config.current.object_id]
  tags                       = var.tags

  depends_on = [
    azurerm_resource_group.resource_group
  ]
}

## Use openssl to generate 3 self signed certificate
resource "null_resource" "OPENSSLCERT" {
  count = 3
  provisioner "local-exec" {
    command = <<EOT
    cd "C:\Program Files\Git\usr\bin"
    ./openssl.exe req -newkey rsa:2048 -nodes -keyout ${var.KeyName[count.index]} -x509 -days 365 -out ${var.CertName[count.index]} -subj "/C=IN/ST=XX/L=XX/O=abc ltd/OU=Stack/CN=abc.com"
    EOT
    interpreter = [
      "PowerShell", "-Command"
    ]
  }
}

## Use the az keyvault security-domain download command to download the security domain and activate your managed HSM.
resource "null_resource" "securityDomain" {
  provisioner "local-exec" {
    command = <<EOT
    az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name} --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}-SD.json
    EOT
    interpreter = [
      "PowerShell", "-Command"
    ]
  }
  depends_on = [
    null_resource.OPENSSLCERT,
    azurerm_key_vault_managed_hardware_security_module.kv_hsm
  ]
}

I have followed this documentation to enable the encryption using customer-managed keys stored in Managed HSM for managed disks. But while creating the Disk Encryption Set, I’m not able to see the Managed HSM created recently.

How to enable the server-side encryption with customer-managed keys stored in Managed HSM for managed disks using CLI/PowerShell/Portal?

Upvotes: 0

Views: 285

Answers (1)

Ansuman Bal

Reputation: 11431

As mentioned in the comments, you cannot find the HSM Key Vault in the Portal, so you will have to use the Azure Key Vault PowerShell module or the Azure Key Vault CLI module.

As a solution, you can add the below to your Terraform script to create a Disk Encryption Set with Managed HSM:

resource "null_resource" "diskencryptionset" {
  provisioner "local-exec" {
    command = <<EOT
    $rgName='${azurerm_resource_group.resource_group.name}'
    $location='${azurerm_resource_group.resource_group.location}'
    $keyVaultName='${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}'
    $keyName='diskencryptionkey'
    $diskEncryptionSetName='ansumandiskset'
    # Managed HSM uses its own local RBAC, so the current principal first needs a role that allows creating keys
    az keyvault role assignment create --hsm-name $keyVaultName --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
    az keyvault key create --hsm-name $keyVaultName --name $keyName --protection software
    # Versioned key identifier (kid); the DES needs it because auto key rotation is disabled below
    $keyVaultKeyUrl=$(az keyvault key show --hsm-name $keyVaultName --name $keyName --query [key.kid] -o tsv)
    az disk-encryption-set create -n $diskEncryptionSetName -l $location -g $rgName --source-vault $keyVaultName --key-url $keyVaultKeyUrl --enable-auto-key-rotation false
    # Give the DES's system-assigned identity wrap/unwrap rights on the HSM keys
    $desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
    az keyvault role assignment create --hsm-name $keyVaultName --role "Managed HSM Crypto Service Encryption User" --assignee $desIdentity --scope /keys
    EOT
    interpreter = [
      "PowerShell", "-Command"
    ]
  }
  depends_on = [
    null_resource.securityDomain
  ]
}

Output: (screenshots not reproduced)

Upvotes: 2
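The checks behind the answer above, as an added example that is not part of the question or the answer: a DES cannot be pointed at a Managed HSM from the Portal because the Portal only enumerates Key Vault key identifiers, so the script below classifies a key identifier (kid) by its host, derives the narrowest Managed HSM RBAC scope for the DES identity (`/keys/<keyname>` rather than the answer's `/keys`, which covers every key in the HSM), and wraps the az CLI calls that apply and verify it. It assumes Azure public cloud host suffixes (`managedhsm.azure.net`, `vault.azure.net`); the HSM, key and DES names in it are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer above.
# Classifies the key identifier (kid) a Disk Encryption Set points at, derives a
# least-privilege Managed HSM role scope from it, and wraps the az CLI calls that
# grant the DES identity access to exactly that key.
# Assumptions: Azure public cloud host suffixes (managedhsm.azure.net, vault.azure.net);
# the resource names used at the bottom are placeholders.
set -eu

# Kids look like https://contoso-hsm.managedhsm.azure.net/keys/diskencryptionkey/<32 hex chars>.
# A Key Vault kid has the same shape on <vault>.vault.azure.net; the Portal's DES blade
# only enumerates those, which is why a Managed HSM never shows up there.
HSM_KID_RE='^https://([a-z0-9-]+)\.managedhsm\.azure\.net/keys/([A-Za-z0-9-]+)(/[0-9a-f]{32})?/?$'
KV_KID_RE='^https://([a-z0-9-]+)\.vault\.azure\.net/keys/([A-Za-z0-9-]+)(/[0-9a-f]{32})?/?$'

# Print managed-hsm, key-vault or invalid for a kid URL.
classify_key_url() {
  local url="$1"
  if [[ "$url" =~ $HSM_KID_RE ]]; then
    echo managed-hsm
  elif [[ "$url" =~ $KV_KID_RE ]]; then
    echo key-vault
  else
    echo invalid
  fi
}

# Print the Managed HSM name embedded in a Managed HSM kid; fail for anything else.
hsm_name_from_url() {
  [[ "$1" =~ $HSM_KID_RE ]] || return 1
  echo "${BASH_REMATCH[1]}"
}

# Print the narrowest Managed HSM RBAC scope for this key: /keys/<keyname>.
# A DES only ever needs wrap/unwrap on its own key, so the role is scoped to that key
# instead of /keys (every key in the HSM).
key_role_scope() {
  [[ "$1" =~ $HSM_KID_RE ]] || return 1
  echo "/keys/${BASH_REMATCH[2]}"
}

# --- az CLI wrappers (need a logged-in az CLI; not exercised offline) ---

# Read the DES's active key URL and confirm it is a Managed HSM key.
verify_des_uses_managed_hsm() {
  local rg="$1" des="$2" kid
  kid=$(az disk-encryption-set show -g "$rg" -n "$des" --query activeKey.keyUrl -o tsv)
  [ "$(classify_key_url "$kid")" = managed-hsm ]
}

# Grant the DES's system-assigned identity wrap/unwrap on just its own key.
grant_des_key_access() {
  local rg="$1" des="$2" kid hsm scope principal
  kid=$(az disk-encryption-set show -g "$rg" -n "$des" --query activeKey.keyUrl -o tsv)
  hsm=$(hsm_name_from_url "$kid")
  scope=$(key_role_scope "$kid")
  principal=$(az disk-encryption-set show -g "$rg" -n "$des" --query identity.principalId -o tsv)
  az keyvault role assignment create --hsm-name "$hsm" \
    --role "Managed HSM Crypto Service Encryption User" \
    --assignee "$principal" --scope "$scope"
}

# Usage (placeholder names): ./des_hsm_check.sh --apply my-rg ansumandiskset
if [ "${1:-}" = "--apply" ]; then
  grant_des_key_access "$2" "$3"
  verify_des_uses_managed_hsm "$2" "$3" && echo "DES is backed by a Managed HSM key"
fi
```

Run it after the answer's Terraform step has created the DES; the principal running it needs a Managed HSM role that allows creating role assignments (for example "Managed HSM Administrator"), which is separate from Azure RBAC on the HSM resource itself.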
