Azure server-side encryption
Citrix DaaS supports customer-managed encryption keys for Azure managed disks through Azure Key Vault. With this support you can manage your organizational and compliance requirements by encrypting the managed disks of your machine catalog using your own encryption key. For more information, see Server-side encryption of Azure Disk Storage.
When using this feature for managed disks:
-
To change the key that the disk is encrypted with, you change the current key in the
DiskEncryptionSet
. All resources associated with thatDiskEncryptionSet
change to be encrypted with the new key. -
When you disable or delete your key, any VMs with disks using that key automatically shut down. After shutting down, the VMs are not usable unless the key is enabled again or you assign a new key. Any catalog using the key cannot be powered on, and you cannot add VMs to it.
Important considerations when using customer-managed encryption keys
Consider the following when using this feature:
- All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must reside in the same subscription and region.
- Once you have enabled the customer-managed encryption key that you cannot disable it later. If you want to disable or remove the customer-managed encryption key, copy all the data to a different managed disk that is not using the customer-managed encryption key.
- Disks created from encrypted custom images using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. These disks must be in the same subscription.
- Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
- Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription.
-
Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
- Refer to the Microsoft site for limitations on disk encryption sets per region.
Note:
See Quickstart: Create a Key Vault using the Azure portal for information on configuring Azure server-side encryption.
Azure Customer-managed encryption key
When creating a machine catalog, you can choose whether to encrypt data on the machines provisioned in the catalog. Server-side encryption with a customer-managed encryption key lets you manage encryption at a managed disk level and protect data on the machines in the catalog. A Disk Encryption Set (DES) represents a customer-managed key. To use this feature, you must first create your DES in Azure. A DES is in the following format:
/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet
Select a DES from the list. The DES you select must be in the same subscription and region as your resources. If your image is encrypted with a DES, use the same DES when creating the machine catalog. You cannot change the DES after you create the catalog.
If you create a catalog with an encryption key and later disable the corresponding DES in Azure, you can no longer power on the machines in the catalog or add machines to it.
See Create a machine catalog with customer-managed key.
Create a machine catalog with customer-managed encryption key
If you want to create a machine catalog using PowerShell commands, where the encryption key is a customer-managed key, do the following:
- Open a PowerShell window.
- Run
asnp citrix®*
to load the Citrix-specific PowerShell modules. - Enter
cd xdhyp:/
. - Enter
cd .\HostingUnits\(your hosting unit)
. - Enter cd diskencryptionset.folder.
- Enter dir to get the list of the Disk Encryption Sets.
- Copy the Id of a Disk Encryption Set.
-
Create a custom property string to include the Id of the Disk Encryption Set. For example:
$customProperties = "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"> <Property xsi:type=`"StringProperty`" Name=`"persistWBC`" Value=`"False`" /> <Property xsi:type=`"StringProperty`" Name=`"PersistOsDisk`" Value=`"false`" /> <Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /> <Property xsi:type=`"StringProperty`" Name=`"DiskEncryptionSetId`" Value=`"/subscriptions/0xxx4xxx-xxb-4bxx-xxxx-xxxxxxxx/resourceGroups/abc/providers/Microsoft.Compute/diskEncryptionSets/abc-des`"/> </CustomProperties> <!--NeedCopy-->
-
Create an identity pool if not already created. For example:
New-AcctIdentityPool -IdentityPoolName idPool -NamingScheme ms## -Domain def.local -NamingSchemeType Numeric <!--NeedCopy-->
-
Run the New-ProvScheme command: For example:
New-ProvScheme -CleanOnBoot -HostingUnitName "name" -IdentityPoolName "name" -InitialBatchSizeHint 1 -MasterImageVM "XDHyp:\HostingUnits\azure-res2\image.folder\def.resourcegroup\def.snapshot" -NetworkMapping @{"0"="XDHyp:\HostingUnits\azure-res2\\virtualprivatecloud.folder\def.resourcegroup\def-vnet.virtualprivatecloud\subnet1.network"} -ProvisioningSchemeName "name" -ServiceOffering "XDHyp:\HostingUnits\azure-res2\serviceoffering.folder\Standard_DS2_v2.serviceoffering" -MachineProfile "XDHyp:\HostingUnits\<adnet>\machineprofile.folder\<def.resourcegroup>\<machine profile vm.vm>" -CustomProperties $customProperties <!--NeedCopy-->
- Finish creating the machine catalog.