Blog

How to Encrypt Block Storage in the Cloud with SecureCloud

By Rich

This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance.

There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial.

The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week.

That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier.

Here’s how it works:

  • The SaaS service manages keys and users.
  • There is a local proxy AMI you instantiate in the same availability zone as your main instances and EBS volumes.
  • Agents for Windows Server 2008 or CentOS implement the encryption operations.
  • When you attach a volume, the agent requests a key from the proxy which communicates with the SaaS server. Once you approve the operation the key is sent back to the proxy, and then the agent, for local decryption. The keys are never stored locally in your availability zone, only used at the time of the transaction.
  • You can choose to manually or automatically allow key delivery based on a variety of policies. This does, for example, give you control of multiple instances of the same image connecting to the encrypted volume on a per-instance basis. Someone can’t pull your image out of S3, run it, and gain access to the EBS volume, because the key is never stored with the AMI.

This is my preferred encryption model to teach – especially for enterprise apps – because it separates out the key management and encryption operations. The same basic model is the one most well-designed applications use for encrypting data – albeit normally at the data/database level, rather than by volume.

I’ve only tested the most basic features of the service and it works well. But there are a bunch of UI nits and the documentation is atrocious. It was much harder to get this up and running the first time than I expected.

Now for the meat. I’m posting this guide mostly for our students so they can cut and paste command lines, instead of having to do everything manually. So this is very specific to our class; but for the rest of you, once you run through the process you should be able to easily adjust it for your own requirements. Hopefully this will help fill the documentation gaps a bit… but you should still read Trend’s documentation, beacuse I don’t explain why I have you do all these steps.

This also covers 2 of the class exercises because I placed some of the requirements we need later for encryption into the first, more basic, exercise:


CCSK Enhanced Hands-on Exercises

Preparation (Windows only)

If you are a Windows user you must download an ssh client and update your key file to work with it.

  1. Download and run http://www.chiark.greenend.org.uk/~sgtatham/putty/latest/x86/putty-0.60-installer.exe.
  2. Go to Start > Program Files > PuTTY > PuTTYgen
  3. Click File, select *.*, and point it to your _name_.PEM key file.
  4. Click okay, and then Save Key, somewhere you will remember it.
  5. Download and install Firefox from http://mozilla.org.

Create your first cloud server

In this exercise we will launch our first AMI (Amazon Machine Image) Instance and apply basic security controls.

Steps

  1. Download and install ElasticFox: http://aws.amazon.com/developertools/609?_encoding=UTF8&jiveRedirect=1.
  2. Log into the AWS EC2 Console: https://console.aws.amazon.com/ec2/home.
  3. Go to Account, then Security Credentials. Note your Access Keys. Direct link is https://aws-portal.amazon.com/gp/aws/developer/account/index.html.
  4. Click X.509 Certificates. Click Create a new Certificate. Download both the private key and certificate files, and save them where you will remember them.
  5. In Firefox, go to Tools > ElasticFox.
  6. Click Credentials, and then enter your Access Key ID and Secret Access Key. Then click Add. You are now logged into your account.
  7. If you do not have your key pair (not the certificate key we just created, but the AWS key you created when you set up your account initially) on your current system, you will need to create a new key pair and save a copy locally. To do this, click KeyPairs and then click the green button to create a new pair. Save the file where you will remember it. If you lose this key file, you will no longer be able to access the associated AMIs.
  8. Click Images. Set your Region to us-east-1.
  9. Paste “ami-8ef607e7” into the Search box. You want the CentOS image.
  10. Click the green power button to launch the image. In the New Instance(s) Tag field enter CCSK_Test1. Choose the Default security group, and availability zone us-east-1.
  11. Click Launch. ElasticFox will switch to the Instances tab, and your instance will show as Pending.
  12. Right-click and select Connect to Instance. You will be asked to open the Private Key File you saved when you set up your account, or in step 6. (Windows users: make sure you followed the setup directions before this step).
  13. You will be prompted to open the ssh port: 22. Click Okay.
  14. Type yes when prompted in the terminal window. You are now securely logged into to your instance as root via ssh, authenticated with your key pair.

At this point you have a basic, secure instance running with only port 22 accessible. All access is via ssh, with authentication via public key cryptography. You can also create Windows instances, although the process takes longer, and you connect with Remote Desktop and an Administrator pasword. IT can take up to 20-30 minutes for AWS to configure a Windows system and make the password accessible, but you find it on the same right-click menu, which is also available in the EC2 web console.

Now we will explore IP addresses, domain names, Availability Zones, and Security Groups:

  1. Click the Security Groups tab. You should see default with basic rules. Note that these rules block everything except port 22, which you just opened.
  2. Click the green New Permission button on the right side. In the drop-down select https. For network, enter “0.0.0.0/0”. This opens port 443 to the entire Internet.
  3. Double-click the port 22 entry. Notice that the source CIDR is restricted to your current IP address.
  4. We will spend more time on security groups in later exercises.
  5. In the upper-left of ElasticFox is a Regions drop-down. Click it and select another region. Note how your security groups return to defaults, because each security group is specific to a single region. Region control can help with international regulatory requirements, by giving you some control over the physical locations of your data.
  6. Click Availability Zones. These are tied to your region, and it’s important for our exercises to create all your images and volumes in the same availability zone.
  7. VPN Gateways are used for Virtual Private Clouds, which are not generally Internet accessible. 8 Click Volumes and Snapshots. Volumes are block storage (EBS), and used for AMIs you want to configure and save. Snapshots are point-in-time images of a volume stored in Amazon S3. The ones you see are public snapshots you can base a new volume on.
  8. In the Created Volumes tab, click the green plus sign (+) to create a new volume. For size, enter 1 (GB). For availability zone, pick the zone used by your AMI. For tag enter CCSK-Encrypted. Click create.
  9. Create a snapshot of your instance.

This completes the first exercise. You should now understand Access Keys, Key Pairs, Digital Certificates, Security Groups, Availability Zones, Volumes, and how to securely connect to your Instance. These specifics vary between cloud providers, but the underlying processes are very similar.


Encrypt an EBS volume

For this exercise we will use a SaaS-based encryption service, because it maps well to our recommended encryption model, and is much faster than configuring it manually. We will use the Trend Micro Secure Cloud service.

  1. Go to http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/securecloud/ and click Try Now.
  2. Register with your information and make sure you click the button to create a Trial download account.
  3. Check your email and open the message from Trend to validate your account.
  4. Copy your activation key and save it.
  5. Open a local terminal.
  6. Type “sftp -oIdentityFile=_your keyfile path_ root@_your AMI IP Address_”. Windows users: use PSFTP instead (part of the PuTTY suite).
  7. Type “put path to your certificate file /tmp/”.
  8. Type “put path to your certificate key file /tmp/”.
  9. Switch to your AMI terminal. Type “cd /tmp”. We will now install some prerequisite software.
  10. Type “wget http://www.trendmicro.com/ftp/products/securecloud/c9agent-1.0.0.1261-1.i386.rpm”.
  11. Type “wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm”.
  12. Type “rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm”.
  13. Type the following commands:
yum -y install gcc automake autoconf libtool make e2fsprogs-devel
wget http://cryptsetup.googlecode.com/files/cryptsetup-1.0.7.tar.bz2
tar -jxvf cryptsetup-1.0.7.tar.bz2
cd cryptsetup-1.0.7
./configure
make
make install
mv /sbin/cryptsetup /sbin/cryptsetup_bak
cp /usr/sbin/cryptsetup /sbin/cryptsetup

This completes preparation of the AMI. We will come back to it after we set up the Secure Cloud proxy server.

  1. In your web browser, open a new tab and go to https://console.securecloud.com/.
  2. Log in with the username and password you set up during registration.
  3. Click Administration > Account Management.
  4. Copy/note your Account ID.
  5. Click Product License. Enter your license code from the registration process.
  6. Go to ElasticFox > Images. Search on ami-8a7782e3. This is the AMI for Secure Cloud in our Region; the documentation lists the AMI for each region.
  7. Click the power button. Set the instance tag to SecureCloud.
  8. Go back to the SecureCloud console. Click Inventory > Devices > Add.
  9. Select Prepare a new device for encryption. Click Next.
  10. In ElasticFox, right-click your AMI labeled SecureCloud and then Copy public DNS name to clipboard.
  11. Back in SecureCloud, enter that name into the IP address/Hostname/DNS window. Click the button for The provisioning service is public. Click Connect. When prompted by your browser, accept the digital certificate (confirm the security exception).
  12. Upload your X.509 certificate and private key file. These are not saved by SecureCloud. Click Next and wait. You may need to refresh the screen to see it.
  13. You should now see your EBS volume listed, with a status of unencrypted. Click on it.
  14. Enter CCSK_Encrypted as the name. Set /dev/sdc as the mount point. Click Save. Wait, and occasionally click Refresh. This sometimes fails for me and I need to run through the process again. If you need to do this, do not click on the device again. Click the Encrypt button instead.
  15. Check the box for your device. Click the Encrypt button if you haven’t already.
  16. You may need to click the Refresh button in the window. Within a minute or less the state should be Encrypted.
  17. Go back to the terminal connected to your AMI. Type cd /tmp.
  18. Type “yum install --nogpgcheck c9agent-1.0.0.1261-1.i386.rpm”.
  19. Type y when prompted.
  20. Type /var/cloud9/config_main.sh
  21. Enter 1 for EC2. Then hit the Space bar to scroll through the license. At the end type yes.
  22. When prompted, paste in the SecureCloud Account ID we noted earlier.
  23. When promoted, your private key path is /tmp/_key file name_.
  24. Same for your certificate: /tmp/_certificate file name_.
  25. We want to add a read/write volume, so click Enter at the ReadOnly prompt.
  26. Go back to the SecureCloud management console. Copy the Device ID for your device and paste it into the ReadWrite field.
  27. Go back to ElasticFox. Reboot your CCSK_Test1 AMI by clicking the Reboot button (make sure you have the right AMI selected!)
  28. Reconnect to the image. Type cd /dev. Then ls. Notice that sdc doesn’t appear.
  29. Go back to the SecureCloud console. Click Running Instances. You may need to Refresh (use the button in the page, not your browser). You will then see your AMI with a Key Status of Pending. Click it, then Approve. If you Refresh, you will see Delivered when the key is sent to your AMI.
  30. Type ls, and /dev/sdc should appear.

Build a secure cloud-based application architecture

For this final exercise we would like you to design and implement a secure application architecture for ResearchCorp’s content delivery platform. Rather than walking you through it exactly, use the knowledge we’ve discussed to build it out yourself. There are three main application components:

  • The CDP application server
  • The CDP database
  • A customer database
  • The main web server/portal

Customers enter through the portal server, which is public. New customers can sign up and information goes securely into the customer database. All content is accessed through the CDP application server and the separate CDP database.

We are deliberately providing only limited information for this exercise, and the structure above might not even be optimal. Focus on the following:

  • What authentication and authorization should you use for customers?
  • How should you arrange your instances, and in what security groups?
  • What is your threat model?
  • Do you need encryption? Where?
  • What additional security controls would you consider and where would you locate them?

Once you sketch this out, go into ElasticFox and create the proper security groups with the appropriate ports. If you have the time and inclination, you can then install instances into these locations, but that isn’t required.

No Related Posts
Comments

Slight correction on the “Proxy AMI” statement. The purpose of the Provisioning AMI is to provisioning the disk volumes for encryption. The agents communicate directly with the Key Manager.

A Quick Start guide can be downloaded from our site which customers have find helpful in getting started: http://www.trendmicro.com/ftp/documentation/guides/SC11_QRG_SaaS.pdf

By Gavin Hill


By the way, as an added note to the previous post, a “getting started” guide is on

http://www.porticor.com/2011/03/how-to-get-started-with-security-and-privacy-on-amazon-web-services/

Customers have found it helpful…

By gilad


Thanks for the mention of Porticor. Just as an enhancement to your article, a few points:

- Porticor fully implements your preferred architecture that “separates out the key management and encryption operations”; we entirely agree with your philosophy
- we think our UI is pretty cool and self-explanatory, so try it out :-)
- a public offering is now available and works out-of-the-box on AWS; see
http://www.porticor.com/register

Again, thanks for the friendly mention.

By Gilad


Hi folks,

As ever sources matter may I please draw your attention to

Latest news

2010-05-17 Google listing confusion

Several users have pointed out to us recently that the top Google hit for “putty” is now not the official PuTTY site but a mirror that used to be listed on our Mirrors page.

The official PuTTY web page is still where it has always been:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

By Nut tucker


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.