Enabling user-managed encryption for Azure

In OKD version 4.12, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the install-config.yaml file, and then perform post-installation steps.

Preparing an Azure Disk Encryption Set

The OKD installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.

Procedure

  1. Set the following environment variables for the Azure resource group by running the following command:

       $ export RESOURCEGROUP="<resource_group>" \ (1)
                LOCATION="<location>" (2)

     (1) Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster.
     (2) Specifies the Azure location where you will create the resource group.

  2. Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:

       $ export KEYVAULT_NAME="<keyvault_name>" \ (1)
                KEYVAULT_KEY_NAME="<keyvault_key_name>" \ (2)
                DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>" (3)

     (1) Specifies the name of the Azure Key Vault you will create.
     (2) Specifies the name of the encryption key you will create.
     (3) Specifies the name of the disk encryption set you will create.

  3. Set the environment variable for the ID of your Azure Service Principal by running the following command:

       $ export CLUSTER_SP_ID="<service_principal_id>" (1)

     (1) Specifies the ID of the service principal you will use for this installation.

  4. Enable host-level encryption in Azure by running the following commands:

       $ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"

       $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost

       $ az provider register -n Microsoft.Compute

  5. Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:

       $ az group create --name $RESOURCEGROUP --location $LOCATION

  6. Create an Azure key vault by running the following command:

       $ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
           --enable-purge-protection true --enable-soft-delete true

  7. Create an encryption key in the key vault by running the following command:

       $ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
           --protection software

  8. Capture the ID of the key vault by running the following command:

       $ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)

  9. Capture the key URL in the key vault by running the following command:

       $ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
           $KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)

  10. Create a disk encryption set by running the following command:

       $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
           $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL

  11. Grant the DiskEncryptionSet resource access to the key vault by running the following commands:

       $ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
           $RESOURCEGROUP --query "[identity.principalId]" -o tsv)

       $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
           $DES_IDENTITY --key-permissions wrapkey unwrapkey get

  12. Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:

       $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
           $RESOURCEGROUP --query "[id]" -o tsv)

       $ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \ (1)
           --scope $DES_RESOURCE_ID -o jsonc

     (1) Specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions.
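The twelve steps above are one procedure, so the following script, added here as an example and not part of the OKD documentation or installer, wraps them in a single run with preflight checks. It goes slightly beyond the page in two places: it refuses to continue when the Disk Encryption Set resource group is the same as the cluster resource group (the separation the page recommends in step 1), and it polls `az feature show` until the EncryptionAtHost registration reports Registered before registering the provider. The variable `CLUSTER_RESOURCEGROUP`, the default value `Reader` for `READER_ROLE`, the Key Vault naming rule, and all function names are assumptions of this example; the `az` commands themselves are the ones on the page. The `az` calls run only when the script is invoked with the argument `apply`, so the checks can be exercised without an Azure login.

```shell
#!/usr/bin/env bash
# Added example (not OKD project code): Disk Encryption Set setup with preflight checks.
set -eu

# Variables the page asks you to export in steps 1-3.
REQUIRED_VARS="RESOURCEGROUP LOCATION KEYVAULT_NAME KEYVAULT_KEY_NAME DISK_ENCRYPTION_SET_NAME CLUSTER_SP_ID"

# Assumption: the built-in Reader role satisfies the "read permissions" the
# page asks for in step 12; override READER_ROLE to use a custom role instead.
READER_ROLE="${READER_ROLE:-Reader}"

# Prints the names of required variables that are unset or empty, one per line.
# Empty output means everything needed is set.
missing_vars() {
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || echo "$v"
  done
}

# Key Vault names: 3-24 characters, letters/digits/hyphens, must start with a
# letter, and may not contain consecutive hyphens. Returns 0 if the name is valid.
valid_keyvault_name() {
  case "$1" in
    *--*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{2,23}$'
}

# The page recommends keeping the Disk Encryption Set out of the cluster's
# resource group so destroying the cluster cannot remove the key with it.
# Returns 0 when both names are set and differ.
separate_resource_groups() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# All checks together; CLUSTER_RESOURCEGROUP (assumed name) is the group the
# cluster will be installed into, which must differ from RESOURCEGROUP.
preflight() {
  missing=$(missing_vars)
  if [ -n "$missing" ]; then
    echo "unset variables: $missing" >&2
    return 1
  fi
  valid_keyvault_name "$KEYVAULT_NAME" || { echo "invalid Key Vault name: $KEYVAULT_NAME" >&2; return 1; }
  separate_resource_groups "$RESOURCEGROUP" "${CLUSTER_RESOURCEGROUP:-}" || {
    echo "CLUSTER_RESOURCEGROUP must be set and differ from RESOURCEGROUP ($RESOURCEGROUP)" >&2
    return 1
  }
}

# Steps 4-12 from the page, run in order. Only invoked with the "apply" argument.
create_des() {
  az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
  # Feature registration is asynchronous; wait until the state reads Registered.
  until [ "$(az feature show --namespace Microsoft.Compute --name EncryptionAtHost \
              --query properties.state -o tsv)" = "Registered" ]; do
    echo "waiting for EncryptionAtHost registration..."
    sleep 10
  done
  az provider register -n Microsoft.Compute
  az group create --name "$RESOURCEGROUP" --location "$LOCATION"
  az keyvault create -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" -l "$LOCATION" \
    --enable-purge-protection true --enable-soft-delete true
  az keyvault key create --vault-name "$KEYVAULT_NAME" -n "$KEYVAULT_KEY_NAME" --protection software
  KEYVAULT_ID=$(az keyvault show --name "$KEYVAULT_NAME" --query "[id]" -o tsv)
  KEYVAULT_KEY_URL=$(az keyvault key show --vault-name "$KEYVAULT_NAME" \
    --name "$KEYVAULT_KEY_NAME" --query "[key.kid]" -o tsv)
  az disk-encryption-set create -n "$DISK_ENCRYPTION_SET_NAME" -l "$LOCATION" -g "$RESOURCEGROUP" \
    --source-vault "$KEYVAULT_ID" --key-url "$KEYVAULT_KEY_URL"
  # The DES managed identity needs only wrap/unwrap/get on the key (step 11).
  DES_IDENTITY=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" \
    --query "[identity.principalId]" -o tsv)
  az keyvault set-policy -n "$KEYVAULT_NAME" -g "$RESOURCEGROUP" --object-id "$DES_IDENTITY" \
    --key-permissions wrapkey unwrapkey get
  # The installer's service principal needs read access to the DES only (step 12).
  DES_RESOURCE_ID=$(az disk-encryption-set show -n "$DISK_ENCRYPTION_SET_NAME" -g "$RESOURCEGROUP" \
    --query "[id]" -o tsv)
  az role assignment create --assignee "$CLUSTER_SP_ID" --role "$READER_ROLE" \
    --scope "$DES_RESOURCE_ID" -o jsonc
}

if [ "${1:-}" = "apply" ]; then
  preflight
  create_des
fi
```

Usage: export the variables from steps 1-3 plus `CLUSTER_RESOURCEGROUP`, then run `./des-setup.sh apply`; running it without `apply` only defines the functions, so `preflight` can be called on its own to check a configuration before anything is created in Azure.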

Next steps