Merge pull request #32330 from lbarbeevargas/BZ-1890452-BYOK-disk-encryption-DES

lbarbeevargas · web-flow · commit bc63ae12f7da · 2021-06-01T16:42:07.000-04:00
BZ-1890452 Azure BYOL disk encryption through DES
diff --git a/machine_management/creating_machinesets/creating-machineset-azure.adoc b/machine_management/creating_machinesets/creating-machineset-azure.adoc
@@ -16,3 +16,5 @@ include::modules/machineset-creating.adoc[leveloffset=+1]
 include::modules/machineset-non-guaranteed-instance.adoc[leveloffset=+1]
 
 include::modules/machineset-creating-non-guaranteed-instances.adoc[leveloffset=+1]
+
+include::modules/machineset-customer-managed-encryption-azure.adoc[leveloffset=+1]
diff --git a/modules/machineset-customer-managed-encryption-azure.adoc b/modules/machineset-customer-managed-encryption-azure.adoc
@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// * machine_management/creating_machinesets/creating-machineset-gcp.adoc
+
+[id="machineset-enabling-customer-managed-encryption-azure_{context}"]
+= Enabling customer-managed encryption keys for a machine set
+
+You can supply an encryption key to Azure to encrypt data on managed disks at rest. You can enable server-side encryption with customer-managed keys by using the Machine API.
+
+An Azure Key Vault, a disk encryption set, and an encryption key are required to use a customer-managed key. The disk encryption set must preside in a resource group where the Cloud Credential Operator (CCO) has granted permissions. If not, an additional reader role is required to be granted on the disk encryption set.
+
+.Prerequisites
+
+* link:https://docs.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys#create-an-azure-key-vault-instance[Create an Azure Key Vault instance].
+* link:https://docs.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys#create-an-instance-of-a-diskencryptionset[Create an instance of a disk encryption set].
+* link:https://docs.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys#grant-the-diskencryptionset-access-to-key-vault[Grant the disk encryption set access to key vault].
+
+.Procedure
+
+. Configure the disk encryption set under the `providerSpec` field in your machine set YAML file. For example:
++
+[source,yaml]
+----
+...
+providerSpec:
+  value:
+    ...
+    osDisk:
+      diskSizeGB: 128
+      managedDisk:
+        diskEncryptionSet:
+          id: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Compute/diskEncryptionSets/<disk_encryption_set_name>
+        storageAccountType: Premium_LRS
+...
+----
+
+.Additional resources
+
+* You can learn more about https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys[customer-managed keys] in the Azure documentation.
