Encrypting Azure Virtual Machines with CloudLink SecureVM

Published on November 13, 2014

Program Manager, Azure Compute VM
In this series of blogs, we will take a look at the new security extensions announced as part of TechEd Europe. First up is the CloudLink SecureVM Agent, which enables disk encryption for your Azure Virtual Machines. If you are not familiar with how to use or install extensions, please read the earlier blog post Deploying Antimalware Solutions on Azure Virtual Machines from my colleague Kundana Palagiri. You can install the CloudLink SecureVM Agent either through PowerShell or through the Portal, both of which are described below.

CloudLink SecureVM Agent Overview

The CloudLink SecureVM Agent for Windows provides integration with CloudLink Center for management of disk encryption. CloudLink SecureVM leverages the native BitLocker encryption functionality in Windows to fully protect Azure Virtual Machines. In order to use CloudLink SecureVM Agent, you will need a licensed CloudLink Center for the number of nodes to be protected by SecureVM. For more information on CloudLink’s Azure offerings, please take a look at this blog post from CloudLink.

Pre-requisites, setting up CloudLink Center

Before setting up CloudLink SecureVM Agent on your virtual machine, you first need to have a CloudLink Center server running. CloudLink offers two pre-licensed images as part of the Microsoft Azure Certified program with either a 5-node or a 25-node license. Please refer to CloudLink's Deployment Guide for more details on configuring your CloudLink Center server. Make sure the network is configured so that your CloudLink Center server can communicate with the virtual machines you plan to protect, for example by placing the CloudLink Center server and the virtual machines on the same subnet or virtual network.

Installing CloudLink SecureVM Agent through PowerShell

  1. Create a config JSON file pointing to your CloudLink Center server. Here is a sample:
        {
            "CloudLinkCenter": "<IP or FQDN to your CloudLinkCenter>"
        }
  2. Save the above to a file on your local disk, such as “c:\cloudlink.config”.
  3. Run the following in PowerShell:
    # $servicename is the cloud service name and $name is the VM name; set both first
    # Get the VM
    $vm = Get-AzureVM -ServiceName $servicename -Name $name
    # Add CloudLink SecureVM Agent to the Virtual Machine
    Set-AzureVMExtension -Publisher CloudLink.SecureVM -ExtensionName CloudLinkSecureVMWindowsAgent -Version 3.* -VM $vm.VM -PublicConfigPath c:\cloudlink.config
    # Update the VM which will install the CloudLink SecureVM Agent
    Update-AzureVM -Name $name -ServiceName $servicename -VM $vm.VM
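
Because SecureVM relies on native BitLocker, the encryption state can be checked from inside the VM once the agent has been deployed by either method. The following is an added example, not part of the original post or of CloudLink's tooling: the function name Get-EncryptionFinding and the sample volumes are constructed for illustration, and it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available on the VM.

```powershell
# Added example (not from the original post). Reports whether each volume is
# fully encrypted and has BitLocker protection switched on.
function Get-EncryptionFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        $issues = @()
        # Enum values are compared by name so real and sample objects both work.
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "VolumeStatus=$($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)%)"
        }
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += "ProtectionStatus=$($Volume.ProtectionStatus)"
        }
        if (-not $Volume.KeyProtector) {
            $issues += 'no key protector present'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Compliant  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample data shaped like Get-BitLockerVolume output, so the
# script also runs on a machine without BitLocker. Values are illustrative.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'; EncryptionPercentage = 100; KeyProtector = @('ExternalKey') }
    [pscustomobject]@{ MountPoint = 'F:'; VolumeStatus = 'EncryptionInProgress'
        ProtectionStatus = 'Off'; EncryptionPercentage = 42; KeyProtector = @('ExternalKey') }
    [pscustomobject]@{ MountPoint = 'G:'; VolumeStatus = 'FullyDecrypted'
        ProtectionStatus = 'Off'; EncryptionPercentage = 0; KeyProtector = @() }
)

# On a protected VM, run elevated:  Get-BitLockerVolume | Get-EncryptionFinding
$findings = $sample | Get-EncryptionFinding
$findings | Format-Table -AutoSize
$bad = @($findings | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) volume(s) are not fully protected by BitLocker."
}
```

With the sample data, C: is reported as compliant while F: and G: are flagged; a data disk that was attached after the agent was installed would show up the same way as G:.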

Installing CloudLink SecureVM Agent through Portal

These new extensions are also available through the Azure Preview Portal, which can be accessed here: https://portal.azure.com/, but not through the current portal. The process of installing extensions through the preview portal is slightly different from before; if you have not used the preview portal to install extensions before, here is how you do it.

  1. First, select an existing virtual machine (or create a new one and select it after it is running).
  2. Next, in the VM details blade, choose the Extensions box, which is about midway down towards the left.
  3. A new Extensions blade will pop up with a list of the currently installed extensions; click on the “Add” button near the top.
  4. Another new blade with a list of available extensions will appear. Select the CloudLink SecureVM Agent extension and choose “Create”.
  5. In the dialog blade that pops up, please specify the CloudLink Center server the agent should connect to and then click on “Create”.

After that, the agent will be deployed onto your machine and will begin protecting your data! Please give it a try and as always please let us know your comments and suggestions here.