Microsoft Azure Encryption


by Albert Ramsbottom -
Number of replies: 4


We're using Ubuntu 14.04 with the usual LAMP stack on Azure for testing purposes, and the Azure Security Center is asking us if we want to encrypt our virtual machines.

My thoughts are: why not, as one can never have enough security. I mean, our courses have content that would definitely be of interest to GCHQ and the NSA :P

Anyway, on a more serious note, has anyone encrypted their VMs using DM-Crypt? Or are there any people using Azure VMs?


Here is the actual message:

"Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux Azure Virtual Machine disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage."

Cheers



In reply to Albert Ramsbottom

Re: Microsoft Azure Encryption

by Ken Task -

Well, I don't mind sharing my 2 cents ...

As long as it's for testing purposes ... go for it. But ... read this:

https://www.linux.com/learn/how-encrypt-linux-file-system-dm-crypt

With Yin there is Yang! With Moodle (and other parts of a Linux file system) I would think this does nothing but add complexity to a system that is complex enough already ... Windows Azure virt, Linux guest OS, with the Moodle code below all of that. When/if there is an issue with the app, what's the problem? Azure, the Linux guest OS, or the Moodle code?

What to encrypt? The data? The code?

So does your Linux guest OS have partitions? ... Does it have a partition (a large one) for data, or is it all one file system?

Anyway, try it out ... be the 'pioneer' and let us know how it goes! ;)

'spirit of sharing', Ken
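Ken's question (what is actually sitting on an encrypted volume: the data, the code, one big file system?) can be answered mechanically on the guest. The script below is an added example for this thread, not code from the thread, from Moodle or from Azure's tooling: it parses output in the shape of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and, for each mount point, walks up the parent-device chain looking for a dm-crypt (`TYPE="crypt"`) device, so LVM or partitions stacked on a LUKS volume are handled too. The sample lsblk output, the device names (`osencrypt`, `datacrypt`, the `vgdata-*` volumes) and the mount points are constructed for the example and are not captured from a real Azure VM.

```shell
#!/bin/sh
# Added example: report which mount points on a Linux guest are backed by a
# dm-crypt volume, so you can see whether the Moodle code, moodledata and the
# MySQL data directory are actually covered by disk encryption.
#
# Input is key="value" lines as produced by:
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# Each mounted device is walked up its PKNAME (parent kernel name) chain and
# counts as encrypted if any device in that chain has TYPE "crypt".

# Constructed sample for offline use: device names, volume names and layout
# are invented for this example, not taken from a real Azure VM.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="osencrypt" TYPE="crypt" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/mnt/resource" PKNAME="sdb"
NAME="sdc" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdc1" TYPE="part" MOUNTPOINT="" PKNAME="sdc"
NAME="datacrypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sdc1"
NAME="vgdata-mysql" TYPE="lvm" MOUNTPOINT="/var/lib/mysql" PKNAME="datacrypt"
NAME="vgdata-moodledata" TYPE="lvm" MOUNTPOINT="/var/moodledata" PKNAME="datacrypt"'

# mount_is_encrypted MOUNTPOINT [LSBLK_OUTPUT]
#   exit 0 -> the mount point is backed (directly or via a parent) by a crypt device
#   exit 1 -> the mount point exists but nothing in its parent chain is encrypted
#   exit 2 -> the mount point does not appear in the lsblk output
# Without a second argument it queries the live system with lsblk.
# Limitations: values containing spaces are not handled (fields are split on
# blanks), and for multi-parent devices (md RAID) lsblk prints one line per
# parent and only the last parent is kept.
mount_is_encrypted() {
  mp=$1
  data=${2:-$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)}
  printf '%s\n' "$data" | awk -v mp="$mp" '
    {
      split("", f)                       # clear the per-line field map
      for (i = 1; i <= NF; i++) {        # each $i looks like KEY="value"
        split($i, kv, "=")
        gsub(/"/, "", kv[2])
        f[kv[1]] = kv[2]
      }
      type[f["NAME"]]   = f["TYPE"]
      parent[f["NAME"]] = f["PKNAME"]
      if (f["MOUNTPOINT"] == mp) dev = f["NAME"]
    }
    END {
      if (dev == "") exit 2
      for (d = dev; d != ""; d = parent[d])   # walk towards the physical disk
        if (type[d] == "crypt") exit 0
      exit 1
    }'
}

# encryption_report [LSBLK_OUTPUT]
#   Prints one "mountpoint: encrypted|PLAINTEXT" line per mounted device, so
#   /boot (which has to stay readable to load the kernel) and any scratch disk
#   stand out as unencrypted.
encryption_report() {
  data=${1:-$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)}
  printf '%s\n' "$data" | sed -n 's/.*MOUNTPOINT="\([^"]\{1,\}\)".*/\1/p' |
  while IFS= read -r mp; do
    if mount_is_encrypted "$mp" "$data"; then
      printf '%s: encrypted\n' "$mp"
    else
      printf '%s: PLAINTEXT\n' "$mp"
    fi
  done
}

# Run the report against the constructed sample; drop the argument to inspect
# the machine the script is running on.
encryption_report "$SAMPLE_LSBLK"
```

On a real guest, run `encryption_report` with no argument (it needs `lsblk` from util-linux, which Ubuntu 14.04 ships) and compare the lines for `/`, your moodledata directory and the MySQL datadir; a data directory that reports PLAINTEXT is not protected by the OS-disk encryption Azure offered, however the OS volume was set up.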



In reply to Ken Task

Re: Microsoft Azure Encryption

by Albert Ramsbottom -

We could try it on our test instance, but I think it is too much to bear on our live instances.

The DB will be a weak point anyway.

I suppose I would have to do some JMeter testing and then encrypt to see if there are any performance issues to start with.

That's just more work for me, so I think I can safely say that in production this would be a no-no.

Cheers Ken

In reply to Albert Ramsbottom

Re: Microsoft Azure Encryption

by James McLean -

Waste of time.

The data is only encrypted at rest, when the VM is shut down. Once it's running and unlocked (presumably via a password or key), it's just as vulnerable.

When running, this adds next to no actual security - and the cynic in me forces me to have no trust in BitLocker anyway, as it's not open source. GCHQ/NSA would likely have ways in with or without Microsoft's knowledge. That said, I've heard MSFT have protections in place to prevent them having to give data up to various governments; but again it's hard to trust explicitly, and that applies whether your VMs are encrypted or not.

I think you're better off spending the time and effort making sure packages are kept up to date and all your communications to and from the VMs are encrypted (SSH/HTTPS).

In reply to James McLean

Re: Microsoft Azure Encryption

by Albert Ramsbottom -

Yes, agreed.

I was thinking about this last night. My phone is encrypted, but only when it's turned off; when it's turned on I have to enter the key and it then encrypts the phone, so once the phone is on I suppose it's just as vulnerable as any other phone?

So when it concerns a server, it is always on and unlocked, so in that context even the disk isn't safe.

Cheers