• 2 min read

Azure Virtual Machine Disk Encryption using CloudLink

It has been only two months since my TechEd session on Azure Security, where we announced several new partner security solutions in Azure Virtual Machines.  As part of this announcement, we…

It has been only two months since my TechEd session on Azure Security, where we announced several new partner security solutions in Azure Virtual Machines.  As part of this announcement, we highlighted and showed a demo of CloudLink SecureVM from AFORE.  Since TechEd, the company has changed its name from AFORE to CloudLink to reflect its singular focus on cloud security.  Additionally, CloudLink has also released the production-ready version of its SecureVM product that is now available for deployment on Azure!

As many of you know, security and control is and important topic when deciding to run a workload in public IaaS. Who has the encryption keys? How can one verify if data is really encrypted?  How is the data destroyed after use?

Security-conscious IT admins are well familiar with BitLocker which keeps physical machines protected by encrypting the entire disk drive.  Instead of adding a proprietary cryptographic package to an OS, CloudLink leverages what is already there, relying on the support framework and update cycle of the OS rather than introducing its own.  For Windows operating systems, SecureVM fully leverages BitLocker. For those who run Linux workloads in Azure, SecureVM also supports Linux native encryption packages.

What makes CloudLink SecureVM particularly interesting is the fully automated boot from the encrypted volume in the cloud. Customers can configure their policy to pre-authorize some or all of their VMs to boot without any operator intervention. Unless of course CloudLink detects that something is fishy– like when a duplicate copy of a VM that is already marked as running is trying to obtain the key to boot again.

When it comes to key management, CloudLink is following the same principle of avoiding burdening customers with extra software.  Instead of using their own, CloudLink integrates with third-party key managers. CloudLink Center is a virtual appliance that customers use to manage and control the deployment of SecureVM.  It integrates seamlessly with key management solutions such as RSA Data Protection Manager or can use Active Directory Server as a key store. CloudLink Centre can run in the private part of a hybrid cloud on Hyper-V, other virtualization platforms, or right here on Azure.

The SecureVM Agent is a small, lightweight Agent. The SecureVM Agent can be installed via Windows Group Policy, script-based deployment tools such as Chef and Puppet, as part of a pre-configured gold master image/template, or manually by server administrators. These flexible Agent deployment options enable customers to implement data protection in the way that best matches their operation models to the point where data encryption can be a completely automated process and part of the standard instance provisioning process.

Deployment of CloudLink SecureVM is straightforward and simple:

  1. Deploy CloudLink Center VHD in Azure or on premise in Hyper-V or other virtualization environment.
  2. Deploy SecureVM agent on the VMs in Azure, manually, or automatically via AD group policy or Chef/Puppet scripts (mxi package of SecureVM is contained within CloudLink Center and is accessible via a URL)
  3. Configure IP addresses for VMs on which you plan to deploy SecureVM agent by adding them to the Accepted List in CloudLink Center in order to authorize the boot automatically or manually approve the boot request from SecureVM agents.
  4. Manage and monitor SecureVMs via CloudLink Center.


The diagram below illustrates the SecureVM boot process in Azure:


For more information please follow