Disk encryption on OrionVM virtual servers

Disk encryption is a method of protecting stored data from unauthorised access and modification. This post explores a few different approaches for implementing it on OrionVM virtual infrastructure, important limitations to consider, and how it may fit into an overall cloud security strategy.

NOTE: This should only be considered a high-level overview. System administrators are responsible for any software installed in their systems, and are expected to perform due diligence whenever implementing security policies for their infrastructure and organisations.

A disk encryption primer

Disk encryption is one of many technologies used to help secure modern cloud infrastructure. While SSH, SSL/TLS, and VPNs protect data from unauthorised access and modification in flight between systems, disk encryption is designed to protect data at rest. A person without the requisite symmeric key cannot feasibly retrieve data from an encrypted disk, nor modify the disk without it being detectable.

Disk encryption tools operate by intercepting requests to and from the target disk, encrypting and decrypting data on the fly as required. These actions are performed transparently to any running software or users, making them an easy feature to administer.

Tools available

  • Windows Server includes BitLocker, which can be activated via Server Manager or PowerShell. An alternative is VeraCrypt, an open source tool that has been independently audited.
  • Linux disks can be encrypted with LUKS, the Linux Unified Key Setup. Every Linux distribution available by default on the OrionVM platform include support for the LUKS toolchain.
  • FreeBSD now includes native ZFS encryption as of 13-RELEASE, which also includes additional integrity features. This makes it perfect for securely storing and exporting data to Windows Server VMs with Samba without additional licence overhead.
  • NetBSD includes CGD, the Cryptographic Device Driver. This can be installed in conjunction with ZFS, or NetBSD’s native UFS.

Caveats and considerations

It’s important to note that disks need to be mounted to be of use, meaning any unauthorised user who gains access to your running VM can also decrypt data. In James T. Reason’s Swiss Cheese Model, disk encryption should be treated as an additional slice of security, but is insufficient by itself to secure a cloud environment. You wouldn’t trust a car without brakes just because you’re wearing a seat belt.

VMs with encrypted boot devices can also impact uptime without careful monitoring. System administrators may need to log into the cloud portal and use the out-of-band console to enter the decryption key for a rebooted VM to come back online. Effective cloud monitoring will be a subject for a future post.

And finally, it should go without saying that encrypted disks cannot be decrypted in the event of a lost or forgotten key, unless said key was so weak as to render the entire exercise pointless. OrionVM’s intelligent, charismatic, and modest support team do great work, but are bound by the same laws of mathematics and time you are.

Conclusion

Used appropriately, disk encryption offers a useful additional layer of security for guest workloads. Try out your preferred method on a new VM to get a feel for how they work, or contact your OrionVM partner manager for a call to discuss your specific requirements.