A few questions about disk encryption for Linux - large customer with thousands of Linux VMs on-prem

  • Question

  • Hi Team,

    I spent a lot of time going through all the materials we have about encryption with Linux.  I am still confused about what guidance to provide my customer on their thousands of on-prem Linux VMs (they wish to migrate them into Azure) and for creating new Linux VMs.

    For the existing Linux VMs:

    • RHEL 7.4 and above.
    • Do not use Pay as you Go (since they are on-prem)
    • They use encryption already (not DM-Crypt)

    For new Linux VMs:

    • They are using a custom image built from on-prem
    • RHEL 7.6
    • Do not use Pay as you Go since they are an enterprise customer with a subscription already with Red Hat
    • They want to use ADE

    Based upon everything I read, we will have major problems here

    • on-prem Linux images will not be able to be encrypted, which puts our migration into jeopardy
    • based on this, if they continue using their other encryption technology, I am assuming they cannot use Azure Backup/Restore, along with possible other Azure features (like any extension that requires access to their file system?)
    • new Linux images that have been deployed cannot be encrypted

    Please provide guidance!  Thanks!

    Friday, August 2, 2019 12:58 PM

Answers

  • After working closely with the Microsoft platform team:

    - If you deviate from official Microsoft documentation, your support will be best effort.  However, considering ADE exists above the IaaS layer, this is in a shared responsibility region of a support model.  Best effort, then support may also be needed by the OS vendor (Red Hat, etc.).

    - If you can get disk encryption working, be sure to test backups and restores as well (paying close attention to the documentation as well).


    • Marked as answer by JeffD1231 Tuesday, August 13, 2019 7:32 AM
    Tuesday, August 13, 2019 7:32 AM

All replies

  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Can you also clarify how the encryption is currently being done on-prem?

    For the existing Linux VMs:

    • RHEL 7.4 and above.
    • Do not use Pay as you Go (since they are on-prem)
    • They use encryption already (not DM-Crypt)

    For this case, they cannot use Azure Disk Encryption, because there would be conflicts with the existing one, and it is recommended to keep only one method of encryption (either their encryption method or ADE).

    For new Linux VMs:

    • They are using a custom image built from on-prem
    • RHEL 7.6
    • Do not use Pay as you Go since they are an enterprise customer with a subscription already with Red Hat
    • They want to use ADE

    For this case, have you checked what the layout of the OS disk is, and what the type of file system on the data disk is?

    Based on that, we can give a recommendation on how they can customize it to enable encryption on it.

    If you are following the recommendations and pre-requisites, we have seen that you are able to encrypt the VM. But we would like to know the disk layout first.

    • based on this, if they continue using their other encryption technology, I am assuming they cannot use Azure Backup/Restore, along with possible other Azure features (like any extension that requires access to their file system?)

    If we can install the waagent, then we believe the backup can be done, but we will check this part once.

    • new Linux images that have been deployed cannot be encrypted

    As stated earlier, we need the disk layout, and only then can we comment on that part.

    Based on that, we can give a recommendation on how they can customize it to enable encryption on it.

    If they follow the recommendations and pre-requisites, we have seen that they are able to encrypt the VM. But we would like to know the disk layout first.

    Tuesday, August 6, 2019 3:06 PM
    Moderator
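The moderator asks for the OS-disk layout, the data-disk file system type, and whether a second encryption layer is already present before recommending ADE (which on Linux is built on dm-crypt). The script below is an added example, not from the thread or from Microsoft: it summarises the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` and flags any dm-crypt/LUKS devices. The `SAMPLE` text is constructed; it only detects dm-crypt/LUKS, so a non-dm-crypt product like the one the customer uses on-prem still needs its own check.

```shell
#!/bin/sh
# Added example (not from the thread): triage a RHEL VM's block-device layout
# before deciding whether it is an Azure Disk Encryption candidate.
# Input format is the key="value" output of:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT

# Constructed sample: xfs OS disk on LVM plus one LUKS-backed data disk.
SAMPLE='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="rootvg-rootlv" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-data" TYPE="crypt" FSTYPE="xfs" MOUNTPOINT="/data"'

# field KEY LINE -> value of KEY on one lsblk -P line (empty if unset)
field() { printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"; }

# encrypted_devices TEXT -> number of dm-crypt mappings or LUKS containers
encrypted_devices() {
  printf '%s\n' "$1" | grep -c -e 'TYPE="crypt"' -e 'FSTYPE="crypto_LUKS"' || true
}

# mounted_fs TEXT -> "mountpoint fstype" for every mounted file system,
# which answers the "what file system is on the data disk" question
mounted_fs() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    mp=$(field MOUNTPOINT "$line"); fs=$(field FSTYPE "$line")
    if [ -n "$mp" ]; then printf '%s %s\n' "$mp" "$fs"; fi
  done
}

# ade_layout_verdict TEXT -> one-word verdict for the migration triage list
ade_layout_verdict() {
  if [ "$(encrypted_devices "$1")" -gt 0 ]; then
    echo existing-dm-crypt   # a second encryption layer: do not add ADE on top
  else
    echo no-dm-crypt-seen    # non-dm-crypt products are not visible here
  fi
}

# Live use: ade_layout_verdict "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)"
mounted_fs "$SAMPLE"
ade_layout_verdict "$SAMPLE"
```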
  • If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thursday, August 8, 2019 7:38 AM
    Moderator
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Tuesday, August 13, 2019 5:38 AM
    Moderator