How to Encrypt Block Storage in the Cloud with SecureCloud
By Rich
This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance.
There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial.
The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week.
That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier.
Here’s how it works:
- The SaaS service manages keys and users.
- There is a local proxy AMI you instantiate in the same availability zone as your main instances and EBS volumes.
- Agents for Windows Server 2008 or CentOS implement the encryption operations.
- When you attach a volume, the agent requests a key from the proxy which communicates with the SaaS server. Once you approve the operation the key is sent back to the proxy, and then the agent, for local decryption. The keys are never stored locally in your availability zone, only used at the time of the transaction.
- You can choose to manually or automatically allow key delivery based on a variety of policies. This does, for example, give you control of multiple instances of the same image connecting to the encrypted volume on a per-instance basis. Someone can’t pull your image out of S3, run it, and gain access to the EBS volume, because the key is never stored with the AMI.
This is my preferred encryption model to teach – especially for enterprise apps – because it separates out the key management and encryption operations. The same basic model is the one most well-designed applications use for encrypting data – albeit normally at the data/database level, rather than by volume.
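The key-release flow described above, as an added sketch that is not part of the original post and is not SecureCloud's code or API. The class names, identifiers and the intermediate "Approved" state are assumptions; Pending and Delivered are the key statuses the console shows later in this guide.

```python
import secrets

class KeyServer:
    """Stand-in for the SaaS service: holds keys, decides per instance."""
    def __init__(self, auto_policy=lambda instance_id, image_id: False):
        self._keys = {}     # device_id -> volume key
        self.status = {}    # (device_id, instance_id) -> key status
        self.auto_policy = auto_policy
    def add_device(self, device_id):
        self._keys[device_id] = secrets.token_bytes(32)
    def approve(self, device_id, instance_id):
        # Manual approval only applies to a request that is waiting.
        if self.status.get((device_id, instance_id)) == "Pending":
            self.status[(device_id, instance_id)] = "Approved"
    def request_key(self, device_id, instance_id, image_id):
        req = (device_id, instance_id)
        approved = self.status.get(req) in ("Approved", "Delivered")
        auto = self.auto_policy(instance_id, image_id)
        if device_id in self._keys and (approved or auto):
            self.status[req] = "Delivered"
            return self._keys[device_id]
        self.status[req] = "Pending"
        return None

class Proxy:
    """Relays requests inside the availability zone; stores no keys."""
    def __init__(self, server):
        self.server = server
    def forward(self, device_id, instance_id, image_id):
        return self.server.request_key(device_id, instance_id, image_id)

class Agent:
    """Runs on the instance; the key lives in memory only while attached."""
    def __init__(self, proxy, instance_id, image_id):
        self.proxy, self.instance_id, self.image_id = proxy, instance_id, image_id
        self.key = None
    def attach(self, device_id):
        self.key = self.proxy.forward(device_id, self.instance_id, self.image_id)
        return self.key is not None

def demo():
    server = KeyServer()
    server.add_device("dev-1")                        # constructed device ID
    proxy = Proxy(server)
    original = Agent(proxy, "i-original", "ami-shared")
    clone = Agent(proxy, "i-clone", "ami-shared")     # same image, new instance
    before = original.attach("dev-1")                 # no approval yet
    server.approve("dev-1", "i-original")
    return before, original.attach("dev-1"), clone.attach("dev-1"), server.status
```

The approval is keyed on the instance, not the image, so a second instance launched from the same image stays Pending until it is approved in its own right.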
I’ve only tested the most basic features of the service and it works well. But there are a bunch of UI nits and the documentation is atrocious. It was much harder to get this up and running the first time than I expected.
Now for the meat. I’m posting this guide mostly for our students so they can cut and paste command lines, instead of having to do everything manually. So this is very specific to our class; but for the rest of you, once you run through the process you should be able to easily adjust it for your own requirements. Hopefully this will help fill the documentation gaps a bit… but you should still read Trend’s documentation, because I don’t explain why I have you do all these steps.
This also covers 2 of the class exercises because I placed some of the requirements we need later for encryption into the first, more basic, exercise:
CCSK Enhanced Hands-on Exercises
Preparation (Windows only)
If you are a Windows user you must download an ssh client and update your key file to work with it.
- Download and run http://www.chiark.greenend.org.uk/~sgtatham/putty/latest/x86/putty-0.60-installer.exe.
- Go to Start > Program Files > PuTTY > PuTTYgen
- Click File, select *.*, and point it to your _name_
- Click okay, and then Save Key, somewhere you will remember it.
- Download and install Firefox from http://mozilla.org.
Create your first cloud server
In this exercise we will launch our first AMI (Amazon Machine Image) Instance and apply basic security controls.
- Download and install ElasticFox: http://aws.amazon.com/developertools/609?_encoding=UTF8&jiveRedirect=1.
- Log into the AWS EC2 Console: https://console.aws.amazon.com/ec2/home.
- Go to Account, then Security Credentials. Note your Access Keys. Direct link is https://aws-portal.amazon.com/gp/aws/developer/account/index.html.
- Click X.509 Certificates. Click Create a new Certificate. Download both the private key and certificate files, and save them where you will remember them.
- In Firefox, go to Tools > ElasticFox.
- Click Credentials, and then enter your Access Key ID and Secret Access Key. Then click Add. You are now logged into your account.
- If you do not have your key pair (not the certificate key we just created, but the AWS key you created when you set up your account initially) on your current system, you will need to create a new key pair and save a copy locally. To do this, click KeyPairs and then click the green button to create a new pair. Save the file where you will remember it. If you lose this key file, you will no longer be able to access the associated AMIs.
- Click Images. Set your Region to
- Paste “ami-8ef607e7” into the Search box. You want the CentOS image.
- Click the green power button to launch the image. In the New Instance(s) Tag field enter CCSK_Test1. Choose the Default security group, and availability zone
- Click Launch. ElasticFox will switch to the Instances tab, and your instance will show as Pending.
- Right-click and select Connect to Instance. You will be asked to open the Private Key File you saved when you set up your account, or in step 6. (Windows users: make sure you followed the setup directions before this step).
- You will be prompted to open the ssh port: 22. Click Okay.
- Type yes when prompted in the terminal window. You are now securely logged into your instance as
ssh, authenticated with your key pair.
At this point you have a basic, secure instance running with only port 22 accessible. All access is via ssh, with authentication via public key cryptography. You can also create Windows instances, although the process takes longer, and you connect with Remote Desktop and an Administrator password. It can take up to 20-30 minutes for AWS to configure a Windows system and make the password accessible, but you find it on the same right-click menu, which is also available in the EC2 web console.
Now we will explore IP addresses, domain names, Availability Zones, and Security Groups:
- Click the Security Groups tab. You should see default with basic rules. Note that these rules block everything except port 22, which you just opened.
- Click the green New Permission button on the right side. In the drop-down select https. For network, enter “0.0.0.0/0”. This opens port 443 to the entire Internet.
- Double-click the port 22 entry. Notice that the source CIDR is restricted to your current IP address.
- We will spend more time on security groups in later exercises.
- In the upper-left of ElasticFox is a Regions drop-down. Click it and select another region. Note how your security groups return to defaults, because each security group is specific to a single region. Region control can help with international regulatory requirements, by giving you some control over the physical locations of your data.
- Click Availability Zones. These are tied to your region, and it’s important for our exercises to create all your images and volumes in the same availability zone.
- VPN Gateways are used for Virtual Private Clouds, which are not generally Internet accessible.
- Click Volumes and Snapshots. Volumes are block storage (EBS), and used for AMIs you want to configure and save. Snapshots are point-in-time images of a volume stored in Amazon S3. The ones you see are public snapshots you can base a new volume on.
- In the Created Volumes tab, click the green plus sign (+) to create a new volume. For size, enter 1 (GB). For availability zone, pick the zone used by your AMI. For tag enter CCSK-Encrypted. Click create.
- Create a snapshot of your instance.
This completes the first exercise. You should now understand Access Keys, Key Pairs, Digital Certificates, Security Groups, Availability Zones, Volumes, and how to securely connect to your Instance. These specifics vary between cloud providers, but the underlying processes are very similar.
Encrypt an EBS volume
For this exercise we will use a SaaS-based encryption service, because it maps well to our recommended encryption model, and is much faster than configuring it manually. We will use the Trend Micro Secure Cloud service.
- Go to http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/securecloud/ and click Try Now.
- Register with your information and make sure you click the button to create a Trial download account.
- Check your email and open the message from Trend to validate your account.
- Copy your activation key and save it.
- Open a local terminal.
- Type “sftp -oIdentityFile=_your keyfile path_ root@_your AMI IP Address_”. Windows users: use PSFTP instead (part of the PuTTY suite).
- Type “put _path to your certificate file_”.
- Type “put _path to your certificate key file_”.
- Switch to your AMI terminal. Type “cd /tmp”. We will now install some prerequisite software.
- Type “
- Type “
- Type “rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm”.
- Type the following commands:
yum -y install gcc automake autoconf libtool make e2fsprogs-devel
wget http://cryptsetup.googlecode.com/files/cryptsetup-1.0.7.tar.bz2
tar -jxvf cryptsetup-1.0.7.tar.bz2
cd cryptsetup-1.0.7
./configure
make
make install
mv /sbin/cryptsetup /sbin/cryptsetup_bak
cp /usr/sbin/cryptsetup /sbin/cryptsetup
This completes preparation of the AMI. We will come back to it after we set up the Secure Cloud proxy server.
- In your web browser, open a new tab and go to https://console.securecloud.com/.
- Log in with the username and password you set up during registration.
- Click Administration > Account Management.
- Copy/note your Account ID.
- Click Product License. Enter your license code from the registration process.
- Go to ElasticFox > Images. Search on ami-8a7782e3. This is the AMI for Secure Cloud in our Region; the documentation lists the AMI for each region.
- Click the power button. Set the instance tag to
- Go back to the SecureCloud console. Click Inventory > Devices > Add.
- Select Prepare a new device for encryption. Click Next.
- In ElasticFox, right-click your AMI labeled SecureCloud and then Copy public DNS name to clipboard.
- Back in SecureCloud, enter that name into the IP address/Hostname/DNS window. Click the button for The provisioning service is public. Click Connect. When prompted by your browser, accept the digital certificate (confirm the security exception).
- Upload your X.509 certificate and private key file. These are not saved by SecureCloud. Click Next and wait. You may need to refresh the screen to see it.
- You should now see your EBS volume listed, with a status of unencrypted. Click on it.
- Enter CCSK_Encrypted as the name. Set /dev/sdc as the mount point. Click Save. Wait, and occasionally click Refresh. This sometimes fails for me and I need to run through the process again. If you need to do this, do not click on the device again. Click the Encrypt button instead.
- Check the box for your device. Click the Encrypt button if you haven’t already.
- You may need to click the Refresh button in the window. Within a minute or less the state should be Encrypted.
- Go back to the terminal connected to your AMI. Type
- Type “yum install --nogpgcheck c9agent-22.214.171.1241-1.i386.rpm”.
- Type 1 for EC2. Then hit the Space bar to scroll through the license. At the end type
- When prompted, paste in the SecureCloud Account ID we noted earlier.
- When prompted, your private key path is /tmp/_key file name_.
- Same for your certificate: /tmp/_certificate file name_.
- We want to add a read/write volume, so click Enter at the
- Go back to the SecureCloud management console. Copy the Device ID for your device and paste it into the
- Go back to ElasticFox. Reboot your CCSK_Test1 AMI by clicking the Reboot button (make sure you have the right AMI selected!)
- Reconnect to the image. Type cd /dev. Then ls. Notice that
- Go back to the SecureCloud console. Click Running Instances. You may need to Refresh (use the button in the page, not your browser). You will then see your AMI with a Key Status of Pending. Click it, then Approve. If you Refresh, you will see Delivered when the key is sent to your AMI.
Build a secure cloud-based application architecture
For this final exercise we would like you to design and implement a secure application architecture for ResearchCorp’s content delivery platform. Rather than walking you through it exactly, use the knowledge we’ve discussed to build it out yourself. There are three main application components:
- The CDP application server
- The CDP database
- A customer database
- The main web server/portal
Customers enter through the portal server, which is public. New customers can sign up and information goes securely into the customer database. All content is accessed through the CDP application server and the separate CDP database.
We are deliberately providing only limited information for this exercise, and the structure above might not even be optimal. Focus on the following:
- What authentication and authorization should you use for customers?
- How should you arrange your instances, and in what security groups?
- What is your threat model?
- Do you need encryption? Where?
- What additional security controls would you consider and where would you locate them?
Once you sketch this out, go into ElasticFox and create the proper security groups with the appropriate ports. If you have the time and inclination, you can then install instances into these locations, but that isn’t required.