Disk Encryption in Azure VMs

People were asking for disk encryption in Azure VMs for quite a while now. With the announcements made at TechEd 2014 in Houston it’s finally here. Instead of re-inventing the wheel, Microsoft is relying on established solutions in the market and initially provides two encryption options for Azure VMs:

This post will walk you through the steps to enable Trend Micro SecureCloud in your Azure VMs in order to encrypt your drives.

About SecureCloud

SecureCloud provides data protection by encrypting complete disks using the AES-256 cipher. Encryption is managed by a SecureCloud agent that has to be installed into the VM. The agent injects itself into the Guest OS stack below the file system driver, which means the process of encrypting/decrypting data is completely transparent to both the OS and applications on top of it.

SecureCloud

Now, the most important requirement of many people using the cloud and worrying about their data is keeping encryption keys outside the cloud that’s hosting their data. That means, in case the cloud provider gets compromised an attacker might get hold of the data but not the keys to decrypt it, because they are stored in a completely different place.

SecureCloud provides two options for customers: either they can host the SecureCloud key management solution on their premises or they can use a SaaS solution from Trend Micro. The latter is the one we are going to use in our scenario. You can register for a free trial of the SecureCloud Management Console under this link. After having completed the signup process you can log into the Web Console which looks as follows:

WebConsole

Protecting a VM

Now, let’s see how to enable SecureCloud inside an Azure VM. In order to do that, create a regular Windows VM in the Azure management portal. Once that’s provisioned, attach an empty VHD to the VM. RDP into the machine, open Disk Management, initialize the new data disk and create a new volume z:

Data Disk

Create a new directory z:\SecureCloud. Download the template for the SecureCloud agent configuration file from here and save it to the directory above as autoconfig.ini. The configuration file should look like this:

[Agent]
KMS_URL=https://ms.securecloud.com/
Account_ID=your_account_ID
CSP=Native
Policy=Default Policy
AUTO_PROVISION=no

The KMS_URL is the address of the SecureCloud Management Console, which is acting as a keystore for the encryption keys. Unless an on-premises Management Console is used, this should remain as shown above.

The Account_ID is the identity associated with your account on the SecureCloud Management Console. It can be found in the Administration section under User Management.

User Management

CSP should be left as Native. For now leave the Policy to default. AUTO_PROVISION must be set to no. This setting tells the SecureCloud agent to not automatically encrypt all drives in the VM.

Now, inside the VM go ahead and download the unattended setup of the SecureCloud agent version 3.6.0 (released on 12/17/2013) from here. You can also check on the Trend Micro Download Center for newer versions. Install the agent from the executable. Note that there’s no UI for the setup and your VM will automatically get restarted after installation has finished.

RDP back into the machine and double-check that the software got installed into C:\Program Files (x86)\Trend Micro\SecureCloud\Agent. Open a command prompt in this directory and execute the following statement:

scprov.exe conf -c z:\SecureCloud\autoconfig.ini -x your_passphrase

This command is going to register your VM in your SecureCloud Management System, specified in the autoconfig.ini file. your_passphrase is the passphrase for the SecureCloud account to which the virtual machine will be registered. It can be found in the SecureCloud Management Console in the Administration section under User Management (just below the value for the Account ID, see image above). The output of the statement should look like this:

scprov

If you go to your account in the SecureCloud Web Console and open the Inventory section, you should see the VM:

Inventory

Navigating to the VM by clicking it’s name will take you to the following screen:

Computer

Here you can see details about your machine, including it’s disks. Now, let’s encrypt the disk we attached before, which is shown here as the z: drive. In order to do that, select harddisk2 and click the Encrypt button. In the popup window select Preserve in the Existing Data drop down and click Encrypt.

Preserve

The Computer dialog will show that an encryption process is currently pending.

Encryption Pending

After a while (depending on size & content of your disk) the status of the disk will change to Encrypted. And voilà, now all data on drive z: is protected, with the encryption keys stored outside of Azure in the Trend Micro SaaS solution.

SecureCloud Policies

In SecureCloud each VM gets a policy assignment, defining how encryption key requests coming from the agent should be responded to. A policy contains a set of rules and actions representing security practices and network configuration. For example, you could restrict approval of key requests for a VM to a dedicated IP address or check for a specific OS version.

By default a new VM gets assigned to the standard policy Default Policy as shown above. This policy does not contain any rules or actions, which means that key requests have to be approved manually in the Secure Cloud console. In order to achieve automatic approval, let’s create a new policy and assign it to our VM. Go to the Policies section in the console and click the Add Policy button.

Policies

Specify a policy name in step 1 of the wizard. In step 2 configure a Request Source IP Address (IPv4) rule for the public VIP of your cloud service (make sure not to pick the internal IP address of the VM!):

Policy 2

Leave defaults in step 3 (i.e. configuring auto-approval) and select your VM in step 4. After finalizing the wizard you will have created a new policy and assigned it to your VM with it’s current IP address.

Now, restart the VM and check the Active Keys section in the SecureCloud console after the machine has come up. You should see an entry for the key with key status Delivered and integrity Good.

ActiveKeys

Logging

The Secure Cloud console provides some logging that’s quite useful in order to see what’s going on. Open the Logs – Query section and execute a query using the key action events log type.

Log Query

This will open a window showing information about the automatic key approval:

Log

Final Note

At the time of this writing (shortly after the TechEd conference), Trend Micro alluded to the fact that encryption of the OS disk is currently limited. It will work as long as you don’t reboot the VM, which of course is a showstopper for any serious workload. They claimed it will be fixed ‘a couple of weeks’ after the conference. Anyway, encrypting data disks is working perfectly fine, though.

Also, the agent is not build on top of the extension model in Azure, which is the standard way of plugging functionality into VMs. According to Trend Micro, this will change in the near future, too.