Double encryption on managed disk

You can create a machine catalog with double encryption. Any catalogs created with this feature have all disks server side encrypted with both platform and customer-managed keys. You own and maintain the Azure Key Vault, Encryption Key, and the Disk Encryption Sets (DES).

Double encryption combines platform-side encryption (the default) with customer-managed key encryption (CMEK). Therefore, if you are a customer with high security sensitivity who is concerned about the risk associated with any single encryption algorithm, implementation, or a compromised key, you can opt for double encryption. Persistent OS and data disks, snapshots, and images are all encrypted at rest with double encryption.

Note:

  • You can create and update a machine catalog with double encryption using the Full Configuration interface and PowerShell commands.
  • You can use non-machine profile-based workflow or machine profile-based workflow for creating or updating a machine catalog with double encryption.
  • If you use non-machine profile-based workflow to create a machine catalog, you can reuse the stored DiskEncryptionSetId.
  • If you use a machine profile, you can use a VM or template spec as a machine profile input.

Limitations

  • Double encryption is not supported for Ultra Disks or Premium SSD v2 disks.
  • Double encryption is not supported on unmanaged disks.
  • If you disable a Disk Encryption Set key associated with a catalog, then the VMs of the catalog are disabled.
  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
  • You can only create up to 50 disk encryption sets per region per subscription.
  • You cannot update a machine catalog that already has a DiskEncryptionSetId with a different DiskEncryptionSetId.

Create a machine catalog with double encryption

You can create and update a machine catalog with double encryption using the Full Configuration interface and PowerShell commands.

The detailed steps on how to create a machine catalog with double encryption are:

  1. Create an Azure Key Vault and DES with Platform-managed and customer-managed keys. For information on how to create an Azure Key Vault and a DES, see Use the Azure portal to enable double encryption at rest for managed disks.
  2. To browse available Disk Encryption Sets in your hosting connection:
    1. Open a PowerShell window.
    2. Run the following PowerShell commands:
      1. asnp citrix*
      2. cd xdhyp:
      3. cd HostingUnits
      4. cd YourHostingUnitName (for example, azure-east)
      5. cd diskencryptionset.folder
      6. dir

    You can use an Id of the DiskEncryptionSet to create or update a catalog using custom properties.

  3. If you want to use machine profile workflow, create a VM or template spec as a machine profile input.
    • If you want to use a VM as a machine profile input:
      1. Create a VM in Azure Portal.
      2. Navigate to Disks>Key management to encrypt the VM directly with any DiskEncryptionSetID.
    • If you want to use a template spec as a machine profile input:
      1. In the template, under properties>storageProfile>osDisk>managedDisk, add diskEncryptionSet parameter and add the id of the double encryption DES.
  4. Create the machine catalog.
    • If using the Full Configuration interface, do one of the following in addition to the steps in Create machine catalogs.
      • If you do not use a machine-profile based workflow, on the Disk Settings page, select Use the following key to encrypt data on each machine. Then, select your double encryption DES from the drop-down list. Continue creating the catalog.
      • If using the machine profile workflow, on the Image page, select a master image (or prepared image) and a machine profile. Make sure that the machine profile has a disk encryption set id in its properties.

      All machines created in the catalog are double encrypted by the key associated with the DES that you selected.

    • If using PowerShell commands, do one of the following:
      • If not using machine profile-based workflow, add the custom property DiskEncryptionSetId in the New-ProvScheme command. For example:

         New-ProvScheme -CleanOnBoot -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <Property xsi:type="StringProperty" Name="UseManagedDisks" Value="true" />
         <Property xsi:type="StringProperty" Name="StorageAccountType" Value="Premium_LRS" />
         <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-xxxx-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />
         </CustomProperties>' `
         -HostingUnitName "Redacted" `
         -IdentityPoolName "Redacted" `
         -InitialBatchSizeHint 1 `
         -MasterImageVM "Redacted" `
         -NetworkMapping @{"0"="Redacted"} `
         -ProvisioningSchemeName "Redacted" `
         -ServiceOffering "Redacted"
        
      • If using machine profile-based workflow, use a machine profile input in the New-ProvScheme command. For example:

         New-ProvScheme -CleanOnBoot `
         -HostingUnitName azure-east `
         -IdentityPoolName aio-ip `
         -InitialBatchSizeHint 1 `
         -MasterImageVM XDHyp:\HostingUnits\azure-east\image.folder\abc.resourcegroup\fgb-vda-snapshot.snapshot `
         -NetworkMapping @{"0"="XDHyp:\HostingUnits\azure-east\virtualprivatecloud.folder\apa-resourceGroup.resourcegroup\apa-resourceGroup-vnet.virtualprivatecloud\default.network"} `
         -ProvisioningSchemeName aio-test `
         -MachineProfile XDHyp:\HostingUnits\azure-east\machineprofile.folder\abc.resourcegroup\abx-mp.templatespec\1.0.0.templatespecversion
        

      Finish creating a catalog using the remote PowerShell SDK. For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/. All machines created in the catalog are double encrypted by the key associated with the DES you selected.

Convert an unencrypted catalog to use double encryption

You can update a machine catalog’s encryption type (using custom properties or machine profile) only if the catalog was previously unencrypted.

  • If not using machine profile-based workflow, add the custom property DiskEncryptionSetId in the Set-ProvScheme command. For example:

     Set-ProvScheme -ProvisioningSchemeName "SampleProvSchemeName" `
     -CustomProperties '<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-xxxx-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />
     </CustomProperties>'
    
  • If using machine profile-based workflow, use a machine profile input in the Set-ProvScheme command. For example:

     Set-ProvScheme -ProvisioningSchemeName mxiao-test -MachineProfile XDHyp:\HostingUnits\azure-east\machineprofile.folder\aelx.resourcegroup\elx-mp.templatespec\1.0.0.templatespecversion
    

Once successful, all new VMs that you add in your catalog are double encrypted by the key associated with the DES you selected.

Verify the catalog is double encrypted

  • In the Full Configuration interface:

    1. Navigate to Machine Catalogs.
    2. Select the catalog that you want to verify. Click the Template Properties tab located near the bottom of the screen.
    3. Under Azure Details, verify the Disk Encryption Set ID in Disk Encryption Set. If the catalog’s DES Id is blank, the catalog is not encrypted.
    4. In the Azure Portal, verify that the encryption type of the DES associated with the DES Id is platform-managed and customer-managed keys.
  • Using the PowerShell command:

    1. Open the PowerShell window.
    2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
    3. Use Get-ProvScheme to get the information of your machine catalog. For example:

      Get-ProvScheme -ProvisioningSchemeName "SampleProvSchemeName"
      
    4. Retrieve the DES Id custom property of the machine catalog. For example:

      <Property xsi:type="StringProperty" Name="DiskEncryptionSetId" Value="/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/Sample-RG/providers/Microsoft.Compute/diskEncryptionSets/SampleEncryptionSet" />
      
    5. In the Azure Portal, verify that the encryption type of the DES associated with the DES Id is platform-managed and customer-managed keys.
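As an added example (not part of the Citrix documentation or SDK), the following script automates steps 3 to 5 of the PowerShell verification above: it reads the DiskEncryptionSetId custom property returned by Get-ProvScheme, then queries the DES with the Az.Compute module, which reports double encryption as the encryption type EncryptionAtRestWithPlatformAndCustomerKeys. It assumes the Citrix Remote PowerShell SDK and the Az modules are installed, an Azure session already exists (Connect-AzAccount), and that the catalog name "SampleProvSchemeName" is a placeholder.

```powershell
# Added example: confirm that a catalog's DES really is double encrypted.
# Assumes Citrix Remote PowerShell SDK snap-ins plus Az.Compute are available and
# Connect-AzAccount has already been run. Catalog name below is a placeholder.
asnp citrix*

function Test-CatalogDoubleEncryption {
    param([Parameter(Mandatory)][string]$ProvisioningSchemeName)

    # Get-ProvScheme exposes the catalog's custom properties as an XML string
    $scheme = Get-ProvScheme -ProvisioningSchemeName $ProvisioningSchemeName
    [xml]$props = $scheme.CustomProperties
    $desId = $props.CustomProperties.Property |
        Where-Object { $_.Name -eq 'DiskEncryptionSetId' } |
        Select-Object -ExpandProperty Value

    # A blank DES Id means the catalog is not encrypted with a DES at all
    if ([string]::IsNullOrEmpty($desId)) {
        return [pscustomobject]@{
            Catalog = $ProvisioningSchemeName; DesId = $null
            EncryptionType = $null; DoubleEncrypted = $false
        }
    }

    # Resource id format:
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/diskEncryptionSets/<name>
    $pattern = '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Compute/diskEncryptionSets/(?<name>[^/]+)$'
    if ($desId -notmatch $pattern) {
        throw "Unexpected DiskEncryptionSetId format: $desId"
    }
    $des = Get-AzDiskEncryptionSet -ResourceGroupName $Matches.rg -Name $Matches.name

    # Double encryption shows as EncryptionAtRestWithPlatformAndCustomerKeys.
    # EncryptionAtRestWithCustomerKey is customer-managed only, not double encryption.
    [pscustomobject]@{
        Catalog         = $ProvisioningSchemeName
        DesId           = $desId
        EncryptionType  = $des.EncryptionType
        ActiveKeyUrl    = $des.ActiveKey.KeyUrl   # key that, if disabled, disables the VMs
        DoubleEncrypted = ($des.EncryptionType -eq 'EncryptionAtRestWithPlatformAndCustomerKeys')
    }
}

Test-CatalogDoubleEncryption -ProvisioningSchemeName 'SampleProvSchemeName'
```

Run it for each catalog after creation or after a Set-ProvScheme update; a result with DoubleEncrypted set to false or an empty DesId is the condition that the portal check in step 5 would otherwise reveal by hand.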
