Description
Is your feature request related to a problem? Please describe
No. This is a feature request to add a new parameter, and new accepted values for existing parameters, to the following commands in order to support Confidential VM (planned GA by end of June CY22).
The feature supports customers with:
- creating a Disk Encryption Set that supports Confidential VM creation using customer encryption keys.
- creating a managed OS disk for a Confidential VM, with the flexibility to choose between platform-managed keys and customer-managed keys.
Describe the solution you'd like
Existing Parameters
az disk create
Customers use the az disk create command with parameter --security-type to set the security type. For Confidential VM, the additional accepted security types should be ConfidentialVM_DiskEncryptedWithCustomerKey, ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey and ConfidentialVM_DiskEncryptedWithPlatformKey.
After the change, the following values will be accepted:
| SecurityType |
|---|
| TrustedLaunch |
| ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey |
| ConfidentialVM_DiskEncryptedWithPlatformKey |
| ConfidentialVM_DiskEncryptedWithCustomerKey |
az disk-encryption-set create
Customers use the az disk-encryption-set create command with parameter --encryption-type to set the encryption type. For Confidential VM, the additional accepted encryption type should be ConfidentialVmEncryptedWithCustomerKey.
After the change, the following values will be accepted:
| EncryptionType |
|---|
| EncryptionAtRestWithPlatformKey |
| EncryptionAtRestWithCustomerKey |
| EncryptionAtRestWithPlatformAndCustomerKeys |
| ConfidentialVmEncryptedWithCustomerKey |
New Parameter
--secure-vm-disk-encryption-set (az disk create)
New parameter --secure-vm-disk-encryption-set for command az disk create:
- Allows the customer to provide the ARM ID of a Disk Encryption Set created with the ConfidentialVmEncryptedWithCustomerKey encryption type. This enables Customer Managed Key (CMK) encryption of the disk.
- Mandatory, and accepted only when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey.
End to End Usage
Scenario 1 - Managed OS Disk Create
- Store the Disk Encryption Set ID in a variable:

```bash
diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)
```

- Create the virtual machine disk with the ConfidentialVM_DiskEncryptedWithCustomerKey security type:

```bash
az disk create --name $diskName -g $rgName \
  --hyper-v-generation V2 --os-type Windows \
  --security-type ConfidentialVM_DiskEncryptedWithCustomerKey \
  --secure-vm-disk-encryption-set $diskEncryptionSetId \
  --image-reference "MicrosoftWindowsServer:WindowsServer:2019-datacenter-gensecond:latest"
```
Scenario 2 - Disk Encryption Set Create
- Create a new key vault with the Premium SKU (required for HSM-backed keys):

```bash
KeyVault="myKeyVault"
az keyvault create --name $KeyVault --resource-group $rgName --location $location --sku Premium --enable-purge-protection
```

- Create an RSA-HSM key with a key release policy:

```bash
KeyName="<name of key>"
KeySize=3072
# skr-policy.json holds the secure key release policy; the key must be exportable for release
az keyvault key create --vault-name $KeyVault --name $KeyName --ops wrapKey unwrapKey --kty RSA-HSM --size $KeySize --exportable true --policy "@skr-policy.json"
```

- Query the key vault key URL required for the Disk Encryption Set:

```bash
keyUrl=$(az keyvault key show -n $KeyName --vault-name $KeyVault --query [key.kid] -o tsv)
```

- Create the Disk Encryption Set:

```bash
az disk-encryption-set create -n $diskEncryptionSetName \
  -g $rgName -l $location \
  --key-url $keyUrl --encryption-type "ConfidentialVmEncryptedWithCustomerKey"
```

- Assign the Disk Encryption Set's managed identity access to the key:

```bash
desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)
az keyvault set-policy -n $KeyVault \
  -g $rgName \
  --object-id $desIdentity \
  --key-permissions wrapkey unwrapkey get
```
Describe alternatives you've considered
Not Applicable, new product feature request.
Additional context
Related to #22199
Request for Confidential VM - Planned GA by end of June CY22
- Link to CVM Disk RP Swagger Spec
- Link to Compute RP Swagger Spec
- Confidential VM with Customer Managed Keys ARM JSON
- Confidential VM with Platform Managed Keys ARM JSON
- Confidential Compute CLI Change Request - VM / VMSS Create
- Confidential VM GA Request Powershell change on Set-AzDiskSecurityProfile cmdlet
- Confidential VM GA Request Powershell change on Set-AzVmSecurityProfile cmdlet
- Confidential VM GA Request Powershell change on Set-New-AzDiskEncryptionSetConfig cmdlet
Additional Checks
- The user must provide V2 for --hyper-v-generation when the --security-type parameter is used. If not, a help message is to be printed: "SecurityType value for parameter --security-type is supported with --hyper-v-generation set to v2.", where SecurityType is replaced by the value passed for parameter --security-type.
- When parameter --security-type is used, the supported create options for the disk are FromImage, Import, ImportSecure and UploadPreparedSecure. Empty is not supported.
- The ARM URI of the Disk Encryption Set provided for the new parameter --secure-vm-disk-encryption-set should have its encryption type set to ConfidentialVmEncryptedWithCustomerKey.
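As an added example (not azure-cli's own validator code), the three checks above expressed as a stand-alone Python validator in the style of an azure-cli argument validator. `validate_security_profile`, `first_error` and the `ns` attribute names are assumptions; the Disk Encryption Set's encryption type is passed in by the caller instead of being read back from ARM, so the checks run offline.

```python
from types import SimpleNamespace

CMK_SECURITY_TYPE = "ConfidentialVM_DiskEncryptedWithCustomerKey"
CVM_DES_ENCRYPTION_TYPE = "ConfidentialVmEncryptedWithCustomerKey"
SECURITY_TYPES = {"TrustedLaunch", "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey",
                  "ConfidentialVM_DiskEncryptedWithPlatformKey", CMK_SECURITY_TYPE}
# Create options allowed alongside --security-type; Empty is deliberately absent.
SECURE_CREATE_OPTIONS = {"FromImage", "Import", "ImportSecure", "UploadPreparedSecure"}

def validate_security_profile(ns, des_encryption_type=None):
    """Raise ValueError for the first violated check; return None when all pass.
    ns holds the parsed arguments (assumed attribute names); des_encryption_type is the
    encryption type of the referenced Disk Encryption Set (the real CLI would read it from ARM)."""
    st = ns.security_type
    if st is None:
        return None  # none of the checks apply without --security-type
    if st not in SECURITY_TYPES:
        raise ValueError(f"Unsupported --security-type value: {st}")
    # Check 1: any security type requires a Hyper-V generation 2 disk.
    if (ns.hyper_v_generation or "").lower() != "v2":
        raise ValueError(f"{st} value for parameter --security-type is supported "
                         "with --hyper-v-generation set to v2.")
    # Check 2: Empty (the default create option) is not supported with --security-type.
    if ns.create_option not in SECURE_CREATE_OPTIONS:
        raise ValueError(f"--create-option {ns.create_option} is not supported with "
                         "--security-type; use FromImage, Import, ImportSecure or UploadPreparedSecure.")
    # Check 3: the CMK security type must reference a DES of the confidential encryption type.
    des_id = ns.secure_vm_disk_encryption_set
    if st == CMK_SECURITY_TYPE:
        if not des_id:
            raise ValueError("--secure-vm-disk-encryption-set is required when "
                             f"--security-type is {CMK_SECURITY_TYPE}.")
        if des_encryption_type != CVM_DES_ENCRYPTION_TYPE:
            raise ValueError(f"Disk Encryption Set {des_id} must use encryption type "
                             f"{CVM_DES_ENCRYPTION_TYPE}, found {des_encryption_type}.")
    elif des_id:
        raise ValueError("--secure-vm-disk-encryption-set is only valid with "
                         f"--security-type {CMK_SECURITY_TYPE}.")
    return None

def first_error(des_encryption_type=None, **args):
    """Apply args over az disk create defaults; return the error text or None."""
    defaults = dict(security_type=None, hyper_v_generation=None,
                    create_option="Empty", secure_vm_disk_encryption_set=None)
    try:
        validate_security_profile(SimpleNamespace(**{**defaults, **args}), des_encryption_type)
    except ValueError as exc:
        return str(exc)
    return None
```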
Contacts
| Role | Contact |
|---|---|
| Main developer contacts (emails + github aliases) | Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com |
| PM contact (email + github alias) | Ajay Kundnani ajay.kundnani@microsoft.com |
| Other people who should attend a design review (email) | Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com |