Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Confidential Compute CLI Change Request - VM OS Disk / Disk Encryption Set Create
See original GitHub issueIs your feature request related to a problem? Please describe
No, feature request to add new parameter and add values into existing parameters for following commands to support Confidential VM - Planned GA by end of June CY22:
Feature is to support customers with:
- creating Disk Encryption Set which will support Confidential VM Creation using customer encryption keys.
- creating managed OS Disk for Confidential VM with flexibility to choose between Platform keys and customer-managed keys.
Describe the solution you’d like
Existing Parameter
az disk create
Customer to use az disk create command with parameter –security-type to set Security Type. For confidential VM Additional accepted security type should be ConfidentialVM_DiskEncryptedWithCustomerKey, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey
Post change, following values will be accepted:
| SecurityType |
|---|
| TrustedLaunch |
| ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey |
| ConfidentialVM_DiskEncryptedWithPlatformKey |
| ConfidentialVM_DiskEncryptedWithCustomerKey |
az disk-encryption-set create
Customer to use az disk-encryption-set create command with parameter –encryption-type to set Encryption type. For confidential VM, additional accepted encryption type should be ConfidentialVmEncryptedWithCustomerKey
Post change, following values will be accepted:
| EncryptionType |
|---|
| EncryptionAtRestWithPlatformKey |
| EncryptionAtRestWithCustomerKey |
| EncryptionAtRestWithPlatformAndCustomerKeys |
| ConfidentialVmEncryptedWithCustomerKey |
New Parameter
–secure-vm-disk-encryption-set (az disk create)
New Parameter –secure-vm-disk-encryption-set for command az disk create:
- Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption.
- Mandatory and required only when –security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey
End to End Usage
Scenario 1 - Managed OS Disk Create
-
Store Disk Encryption Set ID in variable:
diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv) -
Create Virtual Machine Disk with ConfidentialVM_DiskEncryptedWithCustomerKey Security Type
az disk create --name $diskName -g $rgName \ --hyper-v-generation V2 --os-type Windows \ --security-type ConfidentialVM_DiskEncryptedWithCustomerKey \ --secure-vm-disk-encryption-set $diskEncryptionSetId \ --image-reference "MicrosoftWindowsServer:WindowsServer:2019-datacenter-gensecond:latest"
Scenario 2 - Disk Encryption Set Create
-
Create New key vault with premium SKU
KeyVault="myKeyVault" az keyvault create --name $KeyVault --resource-group $rgName --location $region --sku Premium --enable-purge-protection -
Create RSA-HSM Key with key release policy
$KeyName = <name of key> $KeySize = 3072 az keyvault key create --vault-name $KeyVault --name $KeyName --ops wrapKey unwrapkey --kty RSA-HSM --size $KeySize --exportable true --policy "@.\skr-policy.json" -
Query Key-vault key required for Disk Encryption Set
keyUrl=$(az keyvault key show -n $keyName --vault-name $keyVaultName --query [key.kid] -o tsv) -
Create Disk Encryption Set
az disk-encryption-set create -n $diskEncryptionSetName \ -g $rgName -l $location \ --key-url $keyUrl --encryption-type "ConfidentialVmEncryptedWithCustomerKey" -
Assign Access to Disk Encryption Set
desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv) az keyvault set-policy -n $KeyVault \ -g $rgName \ --object-id $desIdentity \ --key-permissions wrapkey unwrapkey get
Describe alternatives you’ve considered
Not Applicable, new product feature request.
Additional context
Related to #22199
Request for Confidential VM - Planned GA by end of June CY22
- Link to CVM Disk RP Swagger Spec
- Link to Compute RP Swagger Spec
- Confidential VM with Customer Managed Keys ARM JSON
- Confidential VM with Platform Managed Keys ARM JSON
- Confidential Compute CLI Change Request - VM / VMSS Create
- Confidential VM GA Request Powershell change on Set-AzDiskSecurityProfile cmdlet
- Confidential VM GA Request Powershell change on Set-AzVmSecurityProfile cmdlet
- Confidential VM GA Request Powershell change on Set-New-AzDiskEncryptionSetConfig cmdlet
Additional Checks
- User provides value for –hyper-v-generation as V2 when –security-type parameter is used. If not, help message to be printed - SecurityType value for parameter --security-type is supported with --hyper-v-generation set to v2., where SecurityType value will be replaced by value passed for parameter
--security-type. - When parameter
--security-typeis used, supported create options for disk are FromImage, Import, ImportSecure, UploadPreparedSecure.Emptyis not supported. - ARM URI of Disk Encryption Set ID provided for new parameter –secure-vm-disk-encryption-set should have encryption type set to ConfidentialVmEncryptedWithCustomerKey.
Contacts
| Role | Contact |
|---|---|
| Main developer contacts (emails + github aliases) | Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com |
| PM contact (email + github alias) | Ajay Kundnani ajay.kundnani@microsoft.com |
| Other people who should attend a design review (email) | Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com |
Issue Analytics
- State:
- Created a year ago
- Reactions:1
- Comments:17 (8 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
--hyper-v-generationparameter, as it is auto-setting itself to V2 in current release, we can skip the warning log.--hyper-v-generationparameter, if CLI can print warning log, that’ll be good, prompt should be non-interactive.@zhoxing-ms : Below is the current behavior for
--security-typeTrustedLaunch, if we can retain same behavior for new values please:CreateOptionif image reference is not passed, Error (BadRequest) Security Type ‘TrustedLaunch’ is not supported for CreateOption ‘Empty’. Supported create options are FromImage, Import, ImportSecure, UploadPreparedSecure.--hyper-v-generation, the disk is created with--hyper-v-generationset to V2--hyper-v-generationwith value V2, same result as step 3 above.--hyper-v-generationwith value V1, it creates the disk with Hyper-V generation v1, this shouldnt occur but to avoid breaking change, please do not add this check at present, if we can add a help message stating Security Type value for parameter --security-type is supported with --hyper-v-generation V2. (where Security type value can be replaced with value end user passed), and during next breaking change release we can add this check, if that will be ok?