Generate Image from encrypted CentOS 7.5 VM?


Question

TL;DR: I want to create an image from an encrypted Linux VM to reduce the encryption overhead when creating a new machine. What is the proposed way to do this?

This is what I did:

I've successfully encrypted a virtual machine using the ADE extension provided by Azure. I used the following settings (no KEK):

{
    "EncryptionOperation": "EnableEncryption",
    "KeyVaultURL": "<azure key vault url>",
    "KeyVaultResourceId": "<azure key vault id>",
    "KeyEncryptionKeyURL": null,
    "KekVaultResourceId": "",
    "KeyEncryptionAlgorithm": "RSA-OAEP",
    "VolumeType": "All",
    "SequenceVersion": "1"
}

This took almost 2 hours to finish (30GB OS, 128GB Data). To create an image I used the following commands.

[root@encrypted-vm ~]# waagent -deprovision+user
[root@encrypted-vm ~]# exit
[user@local-machine ~]$ az vm deallocate --resource-group myResourceGroup --name myVM
[user@local-machine ~]$ az vm generalize --resource-group myResourceGroup --name myVM
[user@local-machine ~]$ az image create --resource-group myResourceGroup --name myImage --source myVM

After the image was created I was able to start a new virtual machine from it. After the machine booted up, the OS was decrypted automatically. The additional data disk was not mounted but the azure_bek_disk seems to be just a vfat file system which we can mount.

[root@vm-from-img ~]# lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT
NAME          TYPE  FSTYPE      LABEL       SIZE RO MOUNTPOINT
fd0           disk                            4K  0
sda           disk                           30G  0
├─sda1        part  xfs                     500M  0 /boot
└─sda2        part                         29.5G  0
  └─osencrypt crypt xfs                    29.5G  0 /
sdb           disk                           16G  0
└─sdb1        part  ext4                     16G  0 /mnt/resource
sdc           disk                           48M  0
└─sdc1        part  vfat        BEK VOLUME   47M  0
sdd           disk                          128G  0
└─sdd1        part  crypto_LUKS             128G  0
sr0           rom                           628K  0

So to get the datadisk mounted I just did

[root@vm-from-img ~]# mount /dev/sdc1 /mnt/azure_bek_disk/
[root@vm-from-img ~]# cryptsetup luksOpen /dev/disk/azure/scsi1/lun0-part1 datadisk1 -d /mnt/azure_bek_disk/LinuxPassPhraseFileName -q
[root@vm-from-img ~]# mount /dev/mapper/datadisk1 /datadisks/disk1 -t ext4

This works great:

[root@vm-from-img ~]# lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT
NAME          TYPE  FSTYPE      LABEL       SIZE RO MOUNTPOINT
fd0           disk                            4K  0
sda           disk                           30G  0
├─sda1        part  xfs                     500M  0 /boot
└─sda2        part                         29.5G  0
  └─osencrypt crypt xfs                    29.5G  0 /
sdb           disk                           16G  0
└─sdb1        part  ext4                     16G  0 /mnt/resource
sdc           disk                           48M  0
└─sdc1        part  vfat        BEK VOLUME   47M  0 /mnt/azure_bek_disk
sdd           disk                          128G  0
└─sdd1        part  crypto_LUKS             128G  0
  └─datadisk1 crypt ext4                    128G  0 /datadisks/disk1
sr0           rom                           628K  0

But wait... Why is the key on the BEK disk not encrypted? And where does the machine get its secret to decrypt the OS partition?

I played around a little bit and removed all the GET permissions from my Vault policies and booted up another machine. Same picture as above.

When I delete the KeyVault, the machine cannot boot and I get the following error (so far so good!)

Provisioning failed. Unknown error encountered when retrieving secret from the Key Vault with URL: https://azrm-key-vault-2.vault.azure.net/secrets/6b9a9444-c5db-4c87-91bd-366b5774e194/85f03b9cb3314592994e22a840fc5695.. DiskEncryptionInternalError

How is this all handled by Azure? How does the VM authenticate against the Vault? How can I make sure other VMs are not allowed to access the secrets?

Is there another extension to automatically mount encrypted data disks?

Another thing I noticed is that when starting a new machine from the image, the disks are not marked as encrypted. Neither in the Azure portal, nor via the CLI "az vm encryption show" command. How can I fix that? Is that a bug?

I think the available documentation on ADE is pretty confusing and lacks a lot of details. I searched for hours to find out how others encrypt their images and machines on Azure but no one seems to be covering my use case. Using the Cloud is about being flexible but I can't afford to wait 2 hours each time I create a new machine which I intend to use for a few hours only and throw it away afterwards.

Is there any documentation available that goes beyond the regular Azure docs?
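The manual unlock in the question (mount the BEK volume, `cryptsetup luksOpen` with the passphrase file, mount the mapper device) can be planned from `lsblk -J` output so that nothing is typed blindly on a VM that came from an image. The following is an added example, not code from the question or from Azure. It assumes the JSON shape that `lsblk -J` emits (`blockdevices` with nested `children`), addresses partitions as `/dev/<name>` instead of the `/dev/disk/azure/scsi1/...` path the question used, names mapper devices `datadiskN`, and only builds the commands rather than running them. The sample lsblk output is constructed from the question's first table.

```python
"""Find data disks still locked on a VM booted from an ADE-encrypted image and plan
the manual unlock that the question performed, without executing anything.
Added example; the lsblk sample below is constructed from the question's table."""
import json
import os

# Trimmed, constructed `lsblk -J -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT` output
# for the first listing in the question: OS disk already unlocked, BEK volume present
# but not mounted, 128G data disk still crypto_LUKS with no mapper child.
# CentOS 7's util-linux emits numbers as strings and missing values as null.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "label": null, "size": "30G", "ro": "0", "mountpoint": null,
  "children": [
   {"name": "sda1", "type": "part", "fstype": "xfs", "label": null, "size": "500M", "ro": "0", "mountpoint": "/boot"},
   {"name": "sda2", "type": "part", "fstype": null, "label": null, "size": "29.5G", "ro": "0", "mountpoint": null,
    "children": [
     {"name": "osencrypt", "type": "crypt", "fstype": "xfs", "label": null, "size": "29.5G", "ro": "0", "mountpoint": "/"}]}]},
 {"name": "sdc", "type": "disk", "fstype": null, "label": null, "size": "48M", "ro": "0", "mountpoint": null,
  "children": [
   {"name": "sdc1", "type": "part", "fstype": "vfat", "label": "BEK VOLUME", "size": "47M", "ro": "0", "mountpoint": null}]},
 {"name": "sdd", "type": "disk", "fstype": null, "label": null, "size": "128G", "ro": "0", "mountpoint": null,
  "children": [
   {"name": "sdd1", "type": "part", "fstype": "crypto_LUKS", "label": null, "size": "128G", "ro": "0", "mountpoint": null}]}
]}
"""
SAMPLE_TREE = json.loads(SAMPLE_LSBLK_JSON)


def walk(devices):
    """Yield every device in the lsblk tree, depth first."""
    for dev in devices:
        yield dev
        yield from walk(dev.get("children", []))


def find_bek_volume(tree):
    """Return (device name, mountpoint) of the vfat 'BEK VOLUME' partition, or None."""
    for dev in walk(tree["blockdevices"]):
        if dev.get("fstype") == "vfat" and dev.get("label") == "BEK VOLUME":
            return dev["name"], dev.get("mountpoint")
    return None


def find_locked_luks(tree):
    """Names of crypto_LUKS partitions that have no 'crypt' child, i.e. still locked."""
    return [dev["name"] for dev in walk(tree["blockdevices"])
            if dev.get("fstype") == "crypto_LUKS"
            and not any(c.get("type") == "crypt" for c in dev.get("children", []))]


def plan_unlock(tree, bek_mount="/mnt/azure_bek_disk",
                passfile="LinuxPassPhraseFileName", target_root="/datadisks"):
    """Return the argv lists for the steps the question ran by hand; nothing is executed.

    The passphrase file on the BEK volume is plaintext (the point the question raises),
    so the volume is mounted read-only here and the plan should be reviewed before use.
    """
    bek = find_bek_volume(tree)
    if bek is None:
        raise RuntimeError("no BEK volume attached: the secret was not presented to this VM")
    name, mountpoint = bek
    cmds = []
    if mountpoint is None:
        cmds.append(["mount", "-o", "ro", f"/dev/{name}", bek_mount])
        mountpoint = bek_mount
    keyfile = os.path.join(mountpoint, passfile)
    for i, part in enumerate(find_locked_luks(tree), start=1):
        mapper = f"datadisk{i}"  # assumed naming, mirrors the question's datadisk1
        cmds.append(["cryptsetup", "luksOpen", f"/dev/{part}", mapper, "-d", keyfile, "-q"])
        cmds.append(["mount", f"/dev/mapper/{mapper}", f"{target_root}/disk{i}"])
    return cmds


if __name__ == "__main__":
    for argv in plan_unlock(SAMPLE_TREE):
        print(" ".join(argv))
```

On a real VM, replace `SAMPLE_TREE` with `json.load(sys.stdin)` fed from `lsblk -J -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT`. Because the script separates discovery from execution, the missing-BEK case (secret not delivered, as the question saw after deleting the vault) surfaces as an error instead of a half-mounted disk.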

Solution

Apologies for the delayed response!

The setup you are trying is not supported. Custom images are not supported; you may refer to the ADE FAQ:

 

Can I apply Azure Disk Encryption on my custom Linux image?

You can't apply Azure Disk Encryption on your custom Linux image. Only the gallery Linux images for the supported distributions called out previously are supported. Custom Linux images aren't currently supported.

 

The encryption process must be done in each of the VMs individually. During the generalization process several important configurations are wiped; you can see in the error that there are certain files that don't exist under /var/lib/azure_disk_config (probably even the whole directory does not exist).

You can validate this part, but even the data disk UUIDs may be different, another factor that makes this method fail.

You can automate the encryption process using Azure automation methods instead of trying to create generalized images. Below is the only supported workflow:

1) VM is deployed from the portal (using an officially endorsed image distribution and an OS version supported by ADE)

2) Data disks are added and configured at OS level (using UUIDs)

3) VM is encrypted

They could automate that process with PS, CLI, and ARM templates, but a generalized image is not a good approach.

 

Currently the supported workflow is to create a new VM, encrypt it and then do customizations or app setup afterwards. The process could be automated with scripts, but it will take time to encrypt the OS and data disks. We are working on improving this process, but at this moment this is how the current solution works. We tested this in the past and it needs lots of manual work (on every interaction) to make it work, so it's not recommended at this moment.

 

Why is the key on the BEK disk not encrypted? And where does the machine get its secret to decrypt the OS partition?

 

If you are using single-pass (the latest version of the extension), the KEY or secret is extracted from the keyvault by the hyper-v host and presented to the VM using a BEK volume (in the case of the OS, that operation happens during the early phases of the boot process). The encryption settings the hyper-v host must look for are embedded into the OS disk and initramfs. If you are using a key without BEK, the passphrase is presented in plain text. For extra security you can use the KEK option (which is optional but recommended), which takes care of wrapping the secret.

 

You can read more about this over here: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview


KEK

Key encryption key (KEK) is the asymmetric key (RSA 2048) that you can use to protect or wrap the secret. You can provide a hardware security module (HSM)-protected key or software-protected key. For more information, see the Azure Key Vault documentation.
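The answer's supported workflow (deploy from an endorsed gallery image, configure data disks by UUID in the guest, then encrypt) and its recommendation to wrap the secret with a KEK can be scripted with the Azure CLI rather than baked into a generalized image. The following is an added example, not code from the answer, from the question, or from Microsoft. Resource names, the `azureuser` admin name, the `westeurope` location and the image URN used in the usage are placeholders; the `az` commands are printed by default and executed only with `run(..., apply=True)`. `check_encryption_settings` inspects a settings document of the shape posted in the question and reports the no-KEK case the answer warns about.

```python
"""Script the supported ADE workflow (deploy, configure data disks by UUID, encrypt
with a KEK) via the Azure CLI, and lint an ADE settings document for the no-KEK
pitfall. Added example; names are placeholders, commands are dry-run by default."""
import json
import subprocess

# Encryption settings exactly as posted in the question (no KEK configured).
QUESTION_SETTINGS = json.loads("""{
    "EncryptionOperation": "EnableEncryption",
    "KeyVaultURL": "<azure key vault url>",
    "KeyVaultResourceId": "<azure key vault id>",
    "KeyEncryptionKeyURL": null,
    "KekVaultResourceId": "",
    "KeyEncryptionAlgorithm": "RSA-OAEP",
    "VolumeType": "All",
    "SequenceVersion": "1"
}""")


def check_encryption_settings(settings):
    """Return findings for an ADE settings document.

    Without a KEK the BEK secret reaches the VM unwrapped, which is what the question
    observed on the BEK volume; a KEK URL without its vault id (or the reverse) is
    an inconsistent configuration; anything but VolumeType All leaves disks clear.
    """
    findings = []
    kek_url = settings.get("KeyEncryptionKeyURL") or ""
    kek_vault = settings.get("KekVaultResourceId") or ""
    if not kek_url and not kek_vault:
        findings.append("no KEK: BEK secret is presented to the VM unwrapped")
    elif bool(kek_url) != bool(kek_vault):
        findings.append("KEK URL and KEK vault resource id must be set together")
    if (settings.get("VolumeType") or "").lower() != "all":
        findings.append("VolumeType is not All: some disks will stay unencrypted")
    return findings


def fstab_entry(uuid, mountpoint, fstype="ext4"):
    """Step 2: mount a data disk by UUID so the mapping survives device renaming."""
    return f"UUID={uuid} {mountpoint} {fstype} defaults,nofail 0 2"


def supported_workflow(rg, vm, image, kv, kek_name, data_disk_gb=(128,), location="westeurope"):
    """Build the az commands for steps 1 and 3 of the supported workflow, in order.

    Step 2 (fstab by UUID, see fstab_entry) happens inside the guest between them.
    Placeholder names throughout; 'azureuser' and the location are assumptions.
    """
    return [
        # Step 1: deploy from an endorsed gallery image, attaching data disks at creation.
        ["az", "vm", "create", "-g", rg, "-n", vm, "--image", image, "-l", location,
         "--admin-username", "azureuser", "--generate-ssh-keys",
         "--data-disk-sizes-gb", *[str(gb) for gb in data_disk_gb]],
        # Key vault enabled for disk encryption, plus a KEK to wrap the BEK secret.
        ["az", "keyvault", "create", "-g", rg, "-n", kv, "-l", location,
         "--enabled-for-disk-encryption"],
        ["az", "keyvault", "key", "create", "--vault-name", kv, "-n", kek_name,
         "--protection", "software"],
        # Step 3: encrypt OS and data disks, with the KEK wrapping the secret.
        ["az", "vm", "encryption", "enable", "-g", rg, "-n", vm,
         "--disk-encryption-keyvault", kv, "--key-encryption-keyvault", kv,
         "--key-encryption-key", kek_name, "--volume-type", "ALL"],
        # Confirm the disks are reported as encrypted (image-born VMs were not, per the question).
        ["az", "vm", "encryption", "show", "-g", rg, "-n", vm],
    ]


def run(cmds, apply=False):
    """Print every command; execute only when apply=True."""
    for argv in cmds:
        print(" ".join(argv))
        if apply:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    for finding in check_encryption_settings(QUESTION_SETTINGS):
        print("settings:", finding)
    print(fstab_entry("<uuid from blkid -s UUID -o value /dev/sdd1>", "/datadisks/disk1"))
    run(supported_workflow("myResourceGroup", "myVM", "OpenLogic:CentOS:7.5:latest",
                           "myKeyVault", "myKEK"))
```

The encrypt step is still the slow part the question complains about; what the script buys is repeatability and a KEK-wrapped secret, so the passphrase file on the BEK volume is no longer usable as-is if the volume is copied off the VM.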

