CloudLink SecureVM 3.3 for Microsoft Azure Deployment Guide

Author: Herbert Lawson
CloudLink SecureVM 3.3 for Microsoft® Azure™ Deployment Guide March 2015

THIS DOCUMENT CONTAINS CONFIDENTIAL AND TRADE SECRET INFORMATION OF CLOUDLINK TECHNOLOGIES AND RECEIPT OR POSSESSION DOES NOT CONVEY ANY RIGHTS TO REPRODUCE OR DISCLOSE ITS CONTENTS, OR TO MANUFACTURE, USE, OR SELL ANYTHING THAT IT MAY DESCRIBE, REPRODUCE, DISCLOSURE, OR USE IN WHOLE OR IN PART WITHOUT THE SPECIFIC WRITTEN AUTHORIZATION OF CLOUDLINK IS STRICTLY FORBIDDEN. The information furnished herein is believed to be accurate and reliable to the best of our knowledge. However, CloudLink Technologies assumes no responsibility for its use, or for any infringements of patents or other rights of third parties resulting from its use. CloudLink Technologies reserves the right to, without notice, modify all or part of this document and/or change product features or specifications and shall not be responsible for any loss, cost, or damage, including consequential damage, caused by reliance on these materials. If you are in any doubt as to whether this is the correct version of the manual for a particular release, contact CloudLink Technologies.

Trademarks

CloudLink is a registered trademark of CloudLink Technologies. All other brands or product names mentioned herein are for identification purposes only and may be trademarks and/or registered trademarks of their respective companies.

© Copyright 2015 All Rights Reserved. Document version 1.00

CloudLink Technologies
2680 Queensview Drive, Suite 150
Ottawa, Ontario, K2B 8J9, Canada
Tel: +1 (613) 224-5995
Fax: +1 (613) 224-5410
Support Inquiries: (866) 356-4060, [email protected]
General Inquiries: [email protected]
Sales Inquiries: [email protected]

Contents

Chapter 1: Introduction ... 5
  Audience and Purpose ... 6
  Document Conventions ... 6
  Terminology ... 6

Chapter 2: Deployment Considerations ... 7
  Components of CloudLink SecureVM ... 7
    Keystore Options ... 7
  About the CloudLink Center Server Address ... 8
  About VM IP Addresses ... 8
  About Volume Encryption Policies ... 9
    Types of Volume Encryption Policies for Windows VMs ... 9
    Automatic Re-encryption of Previously Encrypted Windows Disks ... 10
    Types of Volume Encryption Policies for Linux VMs ... 10
  About Pre-Boot Authorization ... 10
  About CloudLink Center Server Clusters ... 11
  Deployment Scenario ... 12
  Deployment Workflow ... 12
  System Requirements ... 13
    CloudLink Center ... 13
    Virtual Machines ... 14

Chapter 3: Deploy and Configure CloudLink Center in the Cloud Service ... 15
  Add an Endpoint After Deployment ... 16

Chapter 4: Prepare for SecureVM Agent Deployment ... 17
  Access CloudLink Center ... 17
  Set Up SecureVM Licenses ... 18
    Upload SecureVM Licenses ... 19
    Assign SecureVM Licenses ... 19

CloudLink SecureVM 3.3 for Microsoft Azure

Deployment Guide

3

Chapter 5: Deploy CloudLink SecureVM Agent to VMs ... 21
  Deploy SecureVM Agent Using the Standard Installation ... 22
    Download the SecureVM Agent Installer ... 23
    Run the Installer ... 24
  Deploy SecureVM Agent Using the Custom Installation for Windows VMs ... 25
    Download the SecureVM Agent Installer for Windows ... 26
    Add SecureVM Agent Configuration Information to the Windows Registry ... 26
    Run the SecureVM Agent Installer ... 28
  Deploy SecureVM Agent Using Microsoft Azure Virtual Machine Extensions for Windows VMs ... 29
  Deploy SecureVM Agent Using the Custom Installation for Linux VMs ... 31
    Download the SecureVM Agent Deployment Package ... 31
    Install the SecureVM Agent Deployment Package ... 32
    Configure SecureVM Agent ... 32
  Deploy SecureVM Agent Using Microsoft Azure Virtual Machine Extensions for Linux VMs ... 33
  Verify Successful Deployment ... 34
    On Windows VMs ... 34
    On Linux VMs ... 34
  Restart the SecureVM Agent Service ... 35

Chapter 6: Use the CloudLink Center Update Menu ... 36


Chapter 1: Introduction

Cloud computing offers significant benefits for deployment flexibility, infrastructure scalability, and cost-effective use of IT resources. It makes sense to take advantage of these benefits and deploy enterprise workloads in the cloud. However, cloud computing is based on a shared, multi-tenant compute, network and storage architecture where traditional security controls are not sufficient. Data owners are responsible for securing sensitive data residing in the cloud to address privacy, regulatory compliance, and data remanence (data that may remain in the cloud after you’re no longer using it) requirements.

CloudLink SecureVM secures sensitive information within virtual machines (VMs) across both public and private clouds. This solution provides boot partition (sometimes referred to as the “boot volume” in Windows environments) and additional disk encryption with pre-startup authorization for virtual machines hosted in the cloud, using native operating system encryption features: Microsoft BitLocker for Windows and eCryptfs for Linux.

BitLocker and eCryptfs are proven, high-performance volume encryption solutions widely implemented for physical machines. However, customers have not been able to use these solutions in the cloud: in the cloud, BitLocker cannot be used to encrypt the boot partition, and eCryptfs alone cannot encrypt the boot partition. SecureVM is designed to solve this problem. SecureVM enables BitLocker and eCryptfs to be used in a multi-tenant cloud environment to encrypt the virtual machine boot partition and additional disks, and to protect the integrity of the virtual machine itself against unauthorized modifications. SecureVM encrypts the VMs’ boot partition and disks with unique keys that are under the control of the enterprise security administrator. No cloud administrators or other tenants on the cloud have access to the keys.

Securing the VM also lets you define the security policy that must be satisfied to pass pre-startup authentication and start a VM, including verification of the integrity of the VM. This offers protection against malicious tampering. SecureVM ensures that only trusted and verified VMs are able to run and access sensitive data residing in the cloud. As part of the SecureVM solution, CloudLink Center defines the pre-startup authentication policy, performs pre-startup authentication, and monitors all SecureVM Agents, events and logs.


Audience and Purpose

This guide is intended for system administrators managing CloudLink deployments in a Microsoft Azure environment. This guide assumes the administrator is experienced with image deployments in Microsoft Azure and IP networking. If you are new to Microsoft Azure, visit the Azure documentation webpage for useful getting started guides at http://azure.microsoft.com/en-us/documentation/.

The purpose of this guide is to walk you through the deployment and configuration of CloudLink Center instances based on CloudLink SecureVM images available from the Microsoft® Azure™ Gallery. For information on how to manage your SecureVM environment after deployment, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Document Conventions

This guide uses the following conventions.

Convention   Used for
Bold         User interface elements such as menus, tabs, and boxes, as well as command options. For example: Click the Administration tab.
Italics      Values. For example: Type the CloudLink Center server address (clc_address).

Terminology

Some cloud providers use terms such as “VM instances” or “instances” to describe virtual machines or servers running in their cloud environments. This document uses the term “virtual machine” (VM) to reference virtualized servers.


Chapter 2: Deployment Considerations

This chapter describes the information you should be familiar with before deploying CloudLink SecureVM.

Components of CloudLink SecureVM

CloudLink SecureVM consists of two main components: CloudLink Center, and the CloudLink SecureVM Agent running on individual VMs.

CloudLink Center is the management interface for SecureVM. It’s a web application used to manage the VMs that belong to the SecureVM environment (those VMs on which SecureVM Agent has been installed). CloudLink Center communicates with the VMs over SSL. It manages the encryption keys used to secure the boot partition and additional disks for the VMs, configures the security policies, monitors security and operational events, and collects logs.

CloudLink SecureVM Agent is deployed on virtual machines to communicate with CloudLink Center for pre-startup authentication and decryption of BitLocker or eCryptfs encryption keys.

CloudLink SecureVM is packaged as a virtual appliance which can be deployed:

- in the enterprise on VMware ESX or Microsoft Hyper-V.
- from the Azure Gallery in a simple to deploy, self-contained image that gets you up and running quickly. You install a CloudLink SecureVM image from the Azure Gallery and Microsoft adds the CloudLink SecureVM costs to your Azure bill as a separately identified charge. Search the Azure Gallery for CloudLink SecureVM to see the packages available depending on the number of VMs you need to encrypt.

Keystore Options

CloudLink Center supports several keystore options:

- Local. This internal keystore option stores the key inside CloudLink Center. If you plan to use the local keystore, ensure that CloudLink Center is deployed in a highly available configuration.
- Microsoft Active Directory. This is an external keystore. Ensure the Active Directory server is properly backed up to ensure the safety of the key.


- Amazon S3. This is an external keystore. Ensure that you have an Amazon Web Services (AWS) account.
- RSA Data Protection Manager (DPM). This is an external keystore. See the RSA website for more information about RSA DPM.

You are responsible for your encryption keys and for ensuring that the appropriate access control and backup policies and procedures are in place to protect the keys against loss or theft. For example, if your keys become unavailable, you will not be able to access any data that was encrypted using those keys.

About the CloudLink Center Server Address

There are many times when you specify the CloudLink Center server address. For example, you provide this address in the URL used to access the CloudLink Center user interface and in commands used to download installation files. We recommend that you specify the CloudLink Center server address as a hostname (in FQDN format, such as cloudlinkcenter1.acme.com), if the DNS has an entry for CloudLink Center. For information, see the CloudLink Center Administration Guide for CloudLink SecureVM. If you choose to use an IP address (such as 192.168.102.11), use a static one.

About VM IP Addresses

By default, in Microsoft Azure environments, the IP address of a VM may change each time that it’s shut down and restarted. A new IP address is assigned from the same subnet as the previous address. If the IP address for a VM registered with CloudLink Center changes, CloudLink Center may put the VM in the Pending state. To avoid having to manually accept VMs in the Pending state because of changed IP addresses, you can either:

- assign static IP addresses to VMs
- change the CloudLink Center global policy such that VMs may be allowed to start up with changed IP addresses

For information about the Pending status, manually accepting startup for VMs with this status, and changing the CloudLink Center global policy, see the CloudLink Center Administration Guide for CloudLink SecureVM.


Steps to assign a static IP address
1. Access the VM. If the VM isn’t pinned to your Startboard, you can browse the list of existing VMs.
2. In the Configure lens, click the IP Addresses part.
3. In the IP addresses blade, set Private IP Address to Static.
4. Type the IP address for the VM, where the address is within the current subnet.
5. Click Save.
6. Click Yes.

About Volume Encryption Policies

During SecureVM Agent deployment, you must choose a volume encryption policy. The volume encryption policy determines whether the boot partition (Windows and Linux VMs), data disks (Windows VMs), or both the boot partition and data disks (Windows VMs) are automatically encrypted during SecureVM Agent deployment to a VM. For Windows VMs, the volume encryption policy also determines whether data disks added to the VM after deployment are encrypted automatically. For Windows VMs, you can change the volume encryption policy after deployment. For information, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Types of Volume Encryption Policies for Windows VMs

SecureVM provides the following volume encryption policies for Windows VMs:

- “Boot and All Data” encrypts the boot partition and all data disks during deployment. Data disks added after deployment are automatically encrypted. When specified in a command line, the keyword for this policy is BootAllData.
- “Boot and Manual Data” encrypts the boot partition during deployment. Data disks available at the time of deployment or added after deployment must be manually encrypted. When specified in a command line, the keyword for this policy is BootManualData.
- “All Data” encrypts all data disks during deployment. The boot partition is not encrypted. Data disks added after deployment are automatically encrypted. When specified in a command line, the keyword for this policy is AllData.
- “Manual” performs no boot partition or data disk encryption during deployment. The boot partition and existing data disks at time of deployment, or any data disks added after deployment, must be manually encrypted. When specified in a command line, the keyword for this policy is Manual.


Note: Pre-boot authorization requires that the boot partition is encrypted. For information, see “About Pre-Boot Authorization”. For information about manually encrypting the boot partition or data disks after deployment, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Automatic Re-encryption of Previously Encrypted Windows Disks

You can deploy SecureVM Agent to Windows VMs with disks already encrypted by BitLocker. During deployment, these disks are automatically decrypted and then re-encrypted to bring the disks under CloudLink Center management.

Types of Volume Encryption Policies for Linux VMs

SecureVM provides two volume encryption policies for Linux VMs that determine whether the boot partition is encrypted during deployment:

- “Boot and Manual Data” encrypts the boot partition during deployment.
- “Manual” does not encrypt the boot partition during deployment. The boot partition can be manually encrypted after deployment.

For both volume encryption policies, existing mounted devices at time of deployment or any mounted devices added after deployment must be manually encrypted.

Note: Pre-boot authorization requires that the boot partition is encrypted. For information, see “About Pre-Boot Authorization”. For information about manually encrypting the boot partition or mounted devices after deployment, see the CloudLink Center Administration Guide for CloudLink SecureVM.

About Pre-Boot Authorization

VM pre-boot authorization means that, as long as certain conditions are met, CloudLink Center automatically releases encryption keys to the VM when requested during startup. The conditions that must be met on VM startup include:

- The VM’s boot partition is encrypted. For information, see “About Volume Encryption Policies”. Note: If a VM’s boot partition is not encrypted, but one or more data volumes are encrypted, the VM is allowed to start up. After the VM starts up, CloudLink Center determines whether encryption keys for encrypted data volumes can be released automatically.


- The VM’s IP address is identified in the Access Control List.
- The VM’s IP address is the same as the last time it started, or the Global Policy is configured to allow VMs to start up with different IP addresses.
- The VM’s IP address is unique. For example, another VM is not online with a different serial number and the same IP address.
- For Windows VMs, the integrity value calculated for the VM is the same as the last time it started.
- The VM has not previously been removed or blocked.
- The VM is not a clone of another VM that’s online with the same serial number.

If a VM does not meet all these conditions, it’s assigned the Pending state. For information about the Access Control List, Global Policy, removing or blocking a VM, cloned VMs, and the Pending status, see the CloudLink Center Administration Guide for CloudLink SecureVM.
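The startup conditions above, together with the volume encryption policy keywords from “About Volume Encryption Policies”, as an added decision model in Python (example code written for this guide, not CloudLink’s own; VmState, ClcRecord, ClcState and evaluate_startup are names assumed here). It assumes the VM is already registered with CloudLink Center and that the list of online VMs excludes the VM that is starting.

```python
"""Model of the CloudLink Center pre-boot authorization decision.

Added example, not CloudLink code. It encodes the startup conditions from
"About Pre-Boot Authorization" and the volume encryption policy keywords from
"About Volume Encryption Policies" so the decision can be reasoned about and
tested offline. VmState, ClcRecord, ClcState and evaluate_startup are names
assumed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy keyword -> (boot partition encrypted at deployment,
#                    data disks encrypted at deployment,
#                    data disks added after deployment encrypted automatically)
WINDOWS_POLICIES = {
    "BootAllData":    (True,  True,  True),
    "BootManualData": (True,  False, False),
    "AllData":        (False, True,  True),
    "Manual":         (False, False, False),
}
# Linux policies only decide the boot partition; mounted devices are always manual.
LINUX_POLICIES = {
    "BootManualData": (True,  False, False),
    "Manual":         (False, False, False),
}


def boot_encrypted_by_policy(os_name: str, policy: str) -> bool:
    """True if the named policy encrypts the boot partition during deployment."""
    table = WINDOWS_POLICIES if os_name == "windows" else LINUX_POLICIES
    if policy not in table:
        raise ValueError(f"{policy!r} is not a volume encryption policy for {os_name}")
    return table[policy][0]


@dataclass
class VmState:
    """What the VM presents to CloudLink Center when it asks for its keys."""
    serial: str
    os_name: str                            # "windows" or "linux"
    ip: str
    boot_encrypted: bool
    data_volumes_encrypted: bool = False
    integrity_value: Optional[str] = None   # calculated for Windows VMs only


@dataclass
class ClcRecord:
    """What CloudLink Center remembers about a registered VM."""
    last_ip: str
    last_integrity: Optional[str] = None
    removed_or_blocked: bool = False


@dataclass
class ClcState:
    """Access Control List, Global Policy and the current view of online VMs."""
    acl: List[str]
    allow_ip_change: bool = False                     # Global Policy setting
    records: Dict[str, ClcRecord] = field(default_factory=dict)
    online: List[Tuple[str, str]] = field(default_factory=list)  # (serial, ip)


def evaluate_startup(vm: VmState, clc: ClcState) -> Tuple[str, List[str]]:
    """Decide what CloudLink Center does when this VM starts.

    Returns ("release", []) when every condition holds and keys are released
    automatically, ("pending", reasons) when the VM goes to the Pending state,
    or ("start", [note]) when the boot partition is not encrypted: the VM is
    allowed to start and any data volume keys are evaluated after startup.
    Assumes the VM is registered and clc.online excludes the starting VM.
    """
    if not vm.boot_encrypted:
        note = ("boot partition not encrypted; data volume keys evaluated after startup"
                if vm.data_volumes_encrypted else "boot partition not encrypted")
        return "start", [note]

    rec = clc.records[vm.serial]
    reasons: List[str] = []
    if vm.ip not in clc.acl:
        reasons.append("IP address not in Access Control List")
    if vm.ip != rec.last_ip and not clc.allow_ip_change:
        reasons.append("IP address changed and Global Policy does not allow it")
    if any(ip == vm.ip and serial != vm.serial for serial, ip in clc.online):
        reasons.append("another online VM with a different serial uses this IP")
    if vm.os_name == "windows" and vm.integrity_value != rec.last_integrity:
        reasons.append("integrity value differs from last startup")
    if rec.removed_or_blocked:
        reasons.append("VM was previously removed or blocked")
    if any(serial == vm.serial for serial, _ in clc.online):
        reasons.append("an online VM already has this serial number (clone)")
    return ("pending", reasons) if reasons else ("release", reasons)
```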

About CloudLink Center Server Clusters

A CloudLink Center server cluster provides for high availability in the event that one CloudLink Center server in the cluster becomes unavailable. For example, a server may become unavailable unexpectedly due to a connection issue. A server may also become unavailable during periods of planned maintenance, where a server is taken offline. A CloudLink Center server cluster is comprised of two CloudLink Center servers, where one server (referred to as the slave) is joined to another server (referred to as the master). For information about creating a CloudLink Center server cluster, see the CloudLink Center Administration Guide for CloudLink SecureVM.


Deployment Scenario

This guide describes the Azure Gallery CloudLink SecureVM image deployment model of CloudLink Center (SecureVM’s web-based management console). SecureVM Agent is deployed to individual instances hosted in Azure and VMs in other supported public cloud environments.

When deployed, SecureVM Agent replicates the VM networking configuration, as needed, to ensure it can communicate with CloudLink Center during the startup process. This replication includes the IP configuration for available network interfaces and any static routing information. If the networking configuration is changed after deployment, you must restart the SecureVM Agent service (see “Restart the SecureVM Agent Service”) to synchronize the configuration.

Deployment Workflow

At a high level, the following workflow is used to deploy CloudLink SecureVM:
1. Deploy CloudLink Center (see Chapter 3: Deploy and Configure CloudLink Center).
2. Prepare to deploy SecureVM Agent to VMs (see Chapter 4: Prepare for SecureVM Agent Deployment).
3. Deploy SecureVM Agent to VMs (see Chapter 5: Deploy CloudLink SecureVM Agent to VMs). Encryption based on the selected volume encryption policy begins automatically after installation.


System Requirements

CloudLink Center

Ensure that the following requirements are met for CloudLink Center before deployment:

- You have a Microsoft Azure account.
- You can use an existing key pair or create a key pair during the deployment process.
- You have access to the CloudLink documentation, which is available on the CloudLink page in the Azure Gallery:
  - CloudLink SecureVM for Microsoft Azure Deployment Guide (this guide)
  - CloudLink Center Administration Guide for CloudLink SecureVM
- A web browser, including Microsoft Internet Explorer™ 10 or higher, Google Chrome™ 25 or higher, or Mozilla Firefox™ 20 or higher. TLSv1.2 must be enabled in your browser settings to connect to CloudLink Center. Some web browsers (such as Microsoft Internet Explorer 11 or higher, Google Chrome 30 or higher, and Mozilla Firefox 27) enable this option by default.

The following table lists the network ports used by CloudLink SecureVM for various features.

Direction   Port   TCP   UDP   Feature
Incoming    22     yes         SSH
Incoming    161          yes   SNMP
Incoming    443    yes         CloudLink Center web access
Incoming    8443   yes         CloudLink Center web access
Incoming    1194   yes         SecureVM Agent communication
Incoming    5432   yes         Clustering
Incoming    8080   yes         SecureVM Agent download
Outgoing    7      yes         Syslog
Outgoing    123          yes   Network Time Protocol
Outgoing    162    yes   yes   SNMP
Outgoing    389    yes         Microsoft Active Directory integration
Outgoing    514          yes   Syslog

Virtual Machines

We are committed to adding support for additional platforms on an ongoing basis. For information about currently supported platforms, see the Release Notes.

If you are deploying SecureVM into an existing Linux environment and you want to retrieve the SecureVM Agent installer using wget, you must install wget if it is not provided by default with your distribution.

Note: You can also retrieve the SecureVM Agent installer directly from the CloudLink Center server.


Chapter 3: Deploy and Configure CloudLink Center in the Cloud Service

Before deploying CloudLink Center, ensure that you’re familiar with the deployment considerations, including system requirements (see Chapter 2: Deployment Considerations).

CloudLink SecureVM images are available from the Microsoft Azure Portal. You deploy the CloudLink SecureVM image that best meets the number of VM instances that will require encryption.

Access to CloudLink Center is available through port 8443. The required endpoint is automatically created during deployment. However, if you have problems accessing CloudLink Center after deployment, an issue with the endpoint may exist. You can manually create this endpoint to try and resolve the issue (see “Add an Endpoint After Deployment”).

Steps
1. Sign in to the Azure Portal (https://portal.azure.com/).
2. From the Hub menu, click New.
3. Click Everything.
4. From the Virtual Machines blade, click Virtual machines.
5. On the Virtual Machines blade, select the CloudLink SecureVM image that best meets the number of VM instances that will require encryption.
6. In the CloudLink blade, click Create.
7. In the Create VM blade, define the parameters for this VM. When defining VM parameters, new blades open to display options. After defining the options for a blade, click OK to close it.
8. Click Create.
9. From the Offer details blade, review the CloudLink legal terms and privacy policy.
10. Click Purchase.

After the VM is created, you can browse for it in the Virtual Machines blade.


Add an Endpoint After Deployment

If you don’t map an endpoint for CloudLink Center’s port 8443 during deployment, you can change this option at a later time.

Steps
1. Access the CloudLink Center VM. If the VM isn’t pinned to your Startboard, you can browse the list of existing VMs.
2. In the Configure lens, click the Endpoints part.
3. In the Endpoints blade, click Add.
4. In the Add an endpoint blade, do the following:
   - Type CloudLinkCenter as the endpoint name.
   - Select protocol TCP.
   - Type 8443 as the public port.
   - Type 8443 as the private port.
   - Set Floating IP to Disabled.
5. Click OK.
6. Click Yes.


Chapter 4: Prepare for SecureVM Agent Deployment

After deploying and configuring CloudLink Center, you prepare to deploy SecureVM Agent to VMs. Preparation involves the following tasks:

- access CloudLink Center (see “Access CloudLink Center”)
- if you deployed a Bring Your Own License CloudLink Center image, set up SecureVM licenses (see “Set Up SecureVM Licenses”)

Access CloudLink Center

With CloudLink Center deployed, you can use a web browser to connect to it from the VM on which you plan to install SecureVM Agent, and log in. To log in, you need the:

- URL for CloudLink Center.
- password for the secadmin user account. The first time that you log in to CloudLink Center, you’re prompted for the default password (the deployment ID), which you are then prompted to change. You can change the password for the secadmin user account at any time following first-time login. You may want to consider configuring Microsoft Active Directory integration so that you can access CloudLink Center with Windows domain credentials. For information about changing the secadmin password after first-time login or configuring Microsoft Active Directory integration, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Steps
1. In the address bar of a web browser, type the URL for CloudLink Center. The format is:

   https://clc_address:8443

   where clc_address represents the CloudLink Center server address (see “About the CloudLink Center Server Address”). For example:

   https://192.168.145.60:8443

   If you can’t connect to CloudLink Center, check that the endpoint for port 8443 is defined (see “Add an Endpoint After Deployment”).


2. From the CloudLink Center home page, type the user name (secadmin) and password (or default password for first-time login) to access CloudLink Center, and click Login. The password must include at least 10 characters.

3. If this is the first time you’ve logged in, type a new password and then retype it to confirm. Click Change Password.

Set Up SecureVM Licenses

If you deployed a Bring Your Own License CloudLink Center image, you must set up SecureVM licenses. SecureVM license files determine the number of VMs that your organization can manage using CloudLink Center and the duration of the license. Before you can view and manage VMs in CloudLink Center, you must upload and assign one or more SecureVM license files. The number and type of license files you need depends on your SecureVM requirements. For deployment purposes, this topic describes the basic steps for uploading and assigning a license file. For more information about SecureVM licenses, see the CloudLink Center Administration Guide for CloudLink SecureVM.


Upload SecureVM Licenses

You upload licenses to make them available to CloudLink Center.

Steps
1. Log in as a secadmin user.
2. From the Topology Tree, select CloudLink Center.
3. On the System tab, in the Options panel, select SecureVM License.
4. From the License Registration panel, click the Browse button to access the File Upload dialog.
5. From the File Upload dialog, locate and select a license file, and click OK.
6. Click the Upload button to upload and display the license file in the License Pool panel.

The license appears under the Unassigned heading. The license information for new licenses includes the Type, Platform, Limit (maximum number of VMs), and Duration in days. The Start Date and End Date are not displayed because the license has not been assigned.

Assign SecureVM Licenses

You can assign a license that’s been uploaded to CloudLink Center (see “Upload SecureVM Licenses”).

Steps
1. Log in to CloudLink Center as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. Click the SecureVM tab.
4. In the Options panel, select License.


5. From the License Assignment panel, select a license from the Available Licenses list. Only valid licenses are displayed in the list.
6. Click the calendar icon, and select a start date for the license (present or future). The selected date is reflected in the Start Date field as YYYY-MM-DD.
7. Click Assign.

In the License Usage panel, for each assigned license, the graph heading shows the number of VMs and the license expiry date. The graph shows the number of VMs and the valid dates for the license. Move the mouse over the starting point of a graph line to see the start date or over the end point to see the end date.

The number of VMs that can be registered with CloudLink Center equals the sum of the VMs for all licenses valid on any given date.


Chapter 5: Deploy CloudLink SecureVM Agent to VMs

For VM pre-startup authentication and decryption of BitLocker (Windows) or eCryptfs (Linux) encryption keys, SecureVM Agent must be deployed and running on the VM, and connected to CloudLink Center. You deploy CloudLink SecureVM Agent using a standard installation, a custom installation, or Microsoft Azure Virtual Machine extensions (for VMs deployed in the Azure portal only).

The standard installation is an automated method that requires minimal intervention from you to complete. This installation is useful for deploying SecureVM Agent to VMs on an individual basis. Typically, you use this method when you want encryption, based on a specified encryption policy, to begin automatically once deployment is complete.

The custom installation requires more intervention from you, but provides more flexibility for deployment. Unlike the standard installation, the custom installation does not automatically register the VM with CloudLink Center or start the encryption process. This installation is useful for:
• preparing a VM image for encryption without starting the encryption process, allowing VM clones to be deployed with a single restart
• deploying SecureVM Agent to VMs before deploying CloudLink Center
• deploying with configuration management tools

Choose the standard or custom installation based on the level of automation or points of manual intervention you require. At a high level, deployment includes the following processes:
1. The VM may automatically restart several times to install and configure BitLocker or eCryptfs, and to create a reserved partition for secure storage of volume encryption keys.
2. The VM is registered with CloudLink Center.
3. Encryption, based on the specified encryption policy (see “About Volume Encryption Policies”), begins.


The following table describes the deployment processes for each type of installation and for each operating system. This table is intended to help you determine the appropriate installation based on your deployment requirements.

Standard Installation
  SecureVM Agent for Windows:
    1. Download the installer.
    2. Run the installer to complete installation and configuration.
  SecureVM Agent for Linux:
    1. Download the installer.
    2. Run the installer to complete installation and configuration.

Custom Installation
  SecureVM Agent for Windows:
    1. Download the installer.
    2. (Optional) Configure the volume encryption policy and CloudLink Center server address.
    3. Run the installer to complete installation. If you did not provide configuration information in Step 2, you provide it when running the installer.
  SecureVM Agent for Linux:
    1. Download the operating-system-specific deployment package.
    2. Install the package.
    3. Configure the volume encryption policy and CloudLink Center server address.

For deploying SecureVM Agent to VMs through the Microsoft Azure Portal, Virtual Machine extensions provide a convenient, automated installation method. During deployment the Boot and Manual volume encryption policy is applied automatically. Regardless of the installation method you choose, ensure that the network is configured so that CloudLink Center and the VMs to which SecureVM Agent is deployed can communicate (for example, ensure they all exist on the same subnet or virtual network). You can view registered VMs in CloudLink Center and perform management operations such as changing their volume encryption policies. For information, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Deploy SecureVM Agent Using the Standard Installation

Deploying CloudLink SecureVM Agent to Windows or Linux VMs using the standard installation involves the following tasks:
1. Downloading the installer using the CloudLink Center interface or directly from the server (see “Download the SecureVM Agent Installer”).
2. Running the installer from the command line to complete installation and configuration (see “Run the Installer”).


Download the SecureVM Agent Installer

The SecureVM Agent installer is available from CloudLink Center. For Windows, the installer is provided in the securevm.bat file. For Linux, the installer is provided in the securevm.sh script. Two methods are available for downloading the installer. You can:
• log in to CloudLink Center and download the installer using the CloudLink Center user interface
• download the installer from the CloudLink Center server without logging in

If you are not responsible for completing the installation, provide the downloaded software to the appropriate person.

Steps to download using the CloudLink Center user interface
1. Log in to CloudLink Center (see “Access CloudLink Center”).
2. Select the SecureVM tab.
3. From the Options panel, select Setup.
4. From the Downloads panel, right-click the installer (securevm.bat or securevm.sh) and click Download. This example shows that the securevm.bat installer will be downloaded.
5. Choose Save File. For Windows, the installer is downloaded to your Downloads folder. For Linux, the installer is downloaded to the current folder.


Steps to download the installer directly from the CloudLink Center server
1. In a web browser, type the following:
   • For Windows: http://clc_address:8080/cloudlink/securevm
   • For Linux: http://clc_address:8080/cloudlink/securevm
   where clc_address is the CloudLink Center server address (see “About the CloudLink Center Server Address”).
2. Choose Save File. For Linux, use the file name securevm. For Windows, the installer is downloaded to your Downloads folder. For Linux, the installer is downloaded to the current folder.

Tip for Linux: If wget is installed, you can use it to download the installer directly from the CloudLink Center server. When specifying the installer location, type http://clc_address:8080/cloudlink/securevm.

Run the Installer

After downloading the SecureVM Agent installer from CloudLink Center, you run it from the command line, providing the CloudLink Center server address and the volume encryption policy you want applied. For Linux, you can optionally specify whether you want to force the VM to restart when installation is complete. A restart is required before encryption, based on the applied volume encryption policy, begins automatically.

Steps for Windows VMs
1. In a command window, go to the folder where you downloaded the SecureVM Agent installer. By default, the installer is downloaded to the Downloads folder.
2. From the command line, type the following:
   securevm.bat /S clc_address /p volume_encryption_policy
   where
   • /S clc_address specifies the CloudLink Center server address (see “About the CloudLink Center Server Address”).
   • /p volume_encryption_policy identifies the volume encryption policy (see “About Volume Encryption Policies”) to be applied during deployment. The value is one of:
     - BootAllData
     - BootManualData
     - AllData
     - Manual
3. Wait for the installation to complete.

Step for Linux VMs
• From the command line on the VM, in the location where the installer was downloaded (by default, to the current folder), type the following:
   sudo sh securevm -S clc_address [-B] [-r]
   where
   • -S clc_address specifies the CloudLink Center server address (see “About the CloudLink Center Server Address”).
   • -B specifies that the Boot with Manual Data volume encryption policy (see “About Volume Encryption Policies”) is to be applied during deployment.
   • -r forces the VM to restart after registration with CloudLink Center. If you do not specify this option, encryption does not begin until the next time that the VM is restarted. You cannot access the VM until encryption is complete.

Deploy SecureVM Agent Using the Custom Installation for Windows VMs

Deploying CloudLink SecureVM Agent to Windows VMs using the custom installation involves the following tasks:
1. Download the SecureVM Agent installer (see “Download the SecureVM Agent Installer for Windows”).
2. (Optional) Add the SecureVM Agent configuration information to the Windows Registry Editor (see “Add SecureVM Agent Configuration Information to the Windows Registry”).
3. Run the SecureVM Agent installer (see “Run the Installer”).


Download the SecureVM Agent Installer for Windows

The SecureVM Agent installer is available from CloudLink Center, and is downloaded to the Downloads folder.

Steps
1. Log in to CloudLink Center (see “Access CloudLink Center”).
2. Select the SecureVM tab.
3. From the Options panel, select Setup.
4. From the Downloads panel, right-click securevm-windows-x64.msi and click Download.
5. Choose Save File. The installer is downloaded to your Downloads folder.

Add SecureVM Agent Configuration Information to the Windows Registry

As a deployment option, you may want to specify the information necessary to configure SecureVM Agent before running the .msi file. If you don’t need to specify this configuration information prior to running the .msi file, you’ll define it when running the .msi from the command line (see “Run the SecureVM Agent Installer”). In the Windows Registry, you define the:
• CloudLink Center server address (see “About the CloudLink Center Server Address”)
• SecureVM volume encryption policy

If the SecureVM volume encryption policy is not set using the Windows Registry, the Manual policy is applied to VMs.


Steps
1. On the VM, from a command prompt window, type regedit.
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\CloudLink Technologies Inc\SecureVM.
3. To configure the SecureVM volume encryption policy, do the following:
   • Add a registry key named ProfileId with the type DWORD.
   • Set the value of the ProfileId registry key as follows:
     - For Boot and Manual Data, set the value to 101.
     - For All Data, set the value to 102.
     - For Boot and All Data, set the value to 103.
     - For Manual, set the value to 104.
4. To configure the CloudLink Center address:
   • Add a registry key named Server with the type REG_SZ.
   • Set the value of the Server registry key to the CloudLink Center server address (for example, 209.87.232.41 or cloudlinkcenter.mycompany.com).
5. Save and close the registry.

Here’s an example of the ProfileId registry key and value:


Run the SecureVM Agent Installer

After downloading the SecureVM Agent installer (the securevm-windows-x64.msi file) from CloudLink Center, you can run it from the command line or using Windows Installer tools.

Steps
1. Go to the folder where the SecureVM Agent installer is located.
2. From the command line, type one of the following, depending on whether you’ve already configured SecureVM Agent (see “Add SecureVM Agent Configuration Information to the Windows Registry”):
   • If you have not configured SecureVM Agent:
     msiexec /i securevm-windows-x64.msi [CLOUDLINKCENTER=clc_address] [VOLUMEENCRYPTIONPOLICY=volume_encryption_policy]
   • If you’ve configured SecureVM Agent:
     msiexec /i securevm-windows-x64.msi [CLOUDLINKCENTER=clc_address]
   where
   • CLOUDLINKCENTER=clc_address specifies the CloudLink Center server address (see “About the CloudLink Center Server Address”). If you don’t specify the CloudLink Center server address, the VM is not registered with CloudLink Center.
   • VOLUMEENCRYPTIONPOLICY=volume_encryption_policy identifies the volume encryption policy (see “About Volume Encryption Policies”) to be applied during deployment. The value is one of:
     - BootAllData
     - BootManualData
     - AllData
     - Manual
   If you don’t specify the CloudLink Center server address and have not already configured SecureVM Agent (see “Add SecureVM Agent Configuration Information to the Windows Registry”), no encryption is initiated as part of the deployment process.
3. When the SecureVM Setup wizard is displayed, click Install.
4. When the wizard completes, click Finish.
5. Wait for the installation to complete. The VM automatically restarts one or more times.
6. Restart the CloudLink SecureVM service (see “Restart the SecureVM Agent Service”).
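The custom installation for Windows is spread over two tools: regedit for the ProfileId and Server values, then msiexec for the installer. The following PowerShell script is an added example, not from the CloudLink guide, that performs the same registry configuration from an elevated session, reads the values back to confirm they are what you intended before the installer runs, and then launches the installer with the CLOUDLINKCENTER property the guide documents. The registry path, value names and types, ProfileId numbers and msiexec property are those given in the guide; the function names, the default installer path under the Downloads folder and the sample CloudLink Center address are this example's own assumptions.

```powershell
# Added example, not from the CloudLink guide: pre-configure SecureVM Agent in the
# registry (the guide's "Add SecureVM Agent Configuration Information to the Windows
# Registry" steps), verify the values, then run the .msi with msiexec.
# Run from an elevated (Administrator) PowerShell session on the VM.

$SecureVMKey = 'HKLM:\SOFTWARE\CloudLink Technologies Inc\SecureVM'   # key path from the guide

# ProfileId values as documented in the guide for the Windows Registry configuration.
$ProfileIdByPolicy = @{
    BootManualData = 101
    AllData        = 102
    BootAllData    = 103
    Manual         = 104
}

function Set-SecureVMAgentConfig {
    # Writes Server (REG_SZ) and ProfileId (DWORD) under the SecureVM key.
    param(
        [Parameter(Mandatory)][string]$CloudLinkCenter,     # IP address or host name of CloudLink Center
        [Parameter(Mandatory)]
        [ValidateSet('BootAllData','BootManualData','AllData','Manual')]
        [string]$VolumeEncryptionPolicy
    )
    if (-not (Test-Path $SecureVMKey)) { New-Item -Path $SecureVMKey -Force | Out-Null }
    New-ItemProperty -Path $SecureVMKey -Name 'ProfileId' -PropertyType DWord `
        -Value $ProfileIdByPolicy[$VolumeEncryptionPolicy] -Force | Out-Null
    New-ItemProperty -Path $SecureVMKey -Name 'Server' -PropertyType String `
        -Value $CloudLinkCenter -Force | Out-Null
}

function Test-SecureVMAgentConfig {
    # Reads the values back and returns $true only if both match what was requested.
    param(
        [Parameter(Mandatory)][string]$CloudLinkCenter,
        [Parameter(Mandatory)][string]$VolumeEncryptionPolicy
    )
    $props = Get-ItemProperty -Path $SecureVMKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    return ($props.Server -eq $CloudLinkCenter) -and
           ($props.ProfileId -eq $ProfileIdByPolicy[$VolumeEncryptionPolicy])
}

function Install-SecureVMAgent {
    # Runs the installer as the guide documents (msiexec /i ... CLOUDLINKCENTER=...).
    # The address is passed again so the VM registers even if the Server value were absent.
    # Returns the msiexec exit code (0 = success, 3010 = success but reboot required).
    param(
        [Parameter(Mandatory)][string]$CloudLinkCenter,
        # Assumed default: the guide says the .msi is downloaded to the Downloads folder.
        [string]$MsiPath = (Join-Path $env:USERPROFILE 'Downloads\securevm-windows-x64.msi')
    )
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
    $msiArgs = @('/i', "`"$MsiPath`"", "CLOUDLINKCENTER=$CloudLinkCenter")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

# Usage: replace the address and policy with your own values (placeholders below).
$clc    = 'cloudlinkcenter.mycompany.com'   # placeholder CloudLink Center address
$policy = 'BootManualData'
Set-SecureVMAgentConfig -CloudLinkCenter $clc -VolumeEncryptionPolicy $policy
if (Test-SecureVMAgentConfig -CloudLinkCenter $clc -VolumeEncryptionPolicy $policy) {
    $exit = Install-SecureVMAgent -CloudLinkCenter $clc
    Write-Host "msiexec exit code: $exit"
} else {
    throw 'SecureVM registry configuration did not verify; not running the installer.'
}
```

Because the Manual policy is applied whenever ProfileId is absent, the read-back check is the step that catches a typo in the key path before an unintended policy is silently used. After the installer finishes and the VM has restarted, complete the procedure by restarting the SecureVM service as described in “Restart the SecureVM Agent Service”.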

Deploy SecureVM Agent Using Microsoft Azure Virtual Machine Extensions for Windows VMs

You can deploy CloudLink SecureVM Agent to a Windows VM that you’ve already configured in the portal. You deploy using Microsoft Azure VM Extensions through the Azure Portal or PowerShell. After deployment is complete, you can remotely log in to the VM to confirm successful installation. Ensure that you are aware of the considerations related to VM IP addresses (see “About VM IP Addresses”).

Steps to install through the Portal
1. Sign in to the Azure Portal (https://portal.azure.com/).
2. From the Hub menu, browse to the Windows VM where you want to deploy SecureVM Agent.
3. In the Virtual Machines blade, in the Configure lens, click Extensions.
4. In the Extensions blade, click Add.
5. In the New Resource blade, select CloudLink SecureVM Agent.
6. In the CloudLink SecureVM Agent blade, click Create.
7. In the Add Extension blade, type the server address for CloudLink Center and click Create.


Tip: After deployment is complete, you can remotely log in using the user name and password for this VM.

Steps to install through PowerShell
1. Create a JSON configuration file containing the CloudLink Center server address and, optionally, the initial volume encryption policy (see “About Volume Encryption Policies”) to be applied during deployment. The volume encryption policy value is one of:
   • BootAllData
   • BootManualData
   • AllData
   • Manual
   For example:
   {
     "CloudLinkCenter": "",
     "VolumeEncryptionPolicy": "BootAllData"
   }

   Note: All available configuration options are visible if you execute the following PowerShell command:
   $ext = Get-AzureVMAvailableExtension -Publisher CloudLink.SecureVM -ExtensionName CloudLinkSecureVMWindowsAgent
   $ext.SampleConfig
2. Save the config JSON file to a file on your local disk (for example, C:\CloudLink.config).
3. Run the following in PowerShell:
   # Get the VM
   $vm = Get-AzureVM -ServiceName $yourservicename -Name $yourvmname
   # Add CloudLink SecureVM Agent to the Virtual Machine
   $vm.GetInstance().ProvisionGuestAgent = $true
   Set-AzureVMExtension -Publisher CloudLink.SecureVM -ExtensionName CloudLinkSecureVMWindowsAgent -Version 3.* -VM $vm.VM -PublicConfigPath c:\cloudlink.config
   # Update the VM which will install the CloudLink SecureVM Agent
   Update-AzureVM -Name $yourvmname -ServiceName $yourservicename -VM $vm.VM


Deploy SecureVM Agent Using the Custom Installation for Linux VMs

Deploying SecureVM Agent using the custom installation involves the following tasks:
1. Download the SecureVM Agent deployment package (see “Download the SecureVM Agent Deployment Package”).
2. Install the SecureVM Agent deployment package (see “Install the SecureVM Agent Deployment Package”).
3. Configure SecureVM Agent (see “Configure SecureVM Agent”).

Download the SecureVM Agent Deployment Package

SecureVM Agent deployment packages are available as deb or rpm files that you download from CloudLink Center to the current folder.

Steps
1. Log in to CloudLink Center.
2. Select the SecureVM tab.
3. From the Options panel, select Setup.
4. From the Downloads panel, right-click the deployment package you want to use and click Download.
5. Choose Save File. The deployment package is downloaded to the current folder.

Install the SecureVM Agent Deployment Package

After downloading the deployment package for your operating system from CloudLink Center, you install the package using the package manager for your platform.

Configure SecureVM Agent

Installation of the deployment package (see “Install the SecureVM Agent Deployment Package”) installs the svm installer, which provides two svm subcommands for configuring SecureVM Agent. Both commands register the VM with CloudLink Center during configuration. Only one command applies the Boot with Manual Data volume encryption policy (see “About Volume Encryption Policies”) during deployment. For information about manually encrypting the boot partition (if the Boot with Manual Data volume encryption policy is not used), manually encrypting mounted devices (which neither command encrypts), or svm subcommand options and variables, see the CloudLink Center Administration Guide for CloudLink SecureVM.

Steps to install SecureVM Agent and encrypt the boot partition
1. Type the following command:
   svm [-v] [-s] -BR -S clc_address
2. Restart the VM. You cannot access the VM until encryption is complete.

Step to install SecureVM Agent without encrypting the boot partition
• Type the following command:
   svm [-v] [-s] -R -S clc_address

For these commands:
• -v uses verbose mode.
• -s uses script mode to disable any interactive prompts.
• -B encrypts the boot partition.
• -R registers the VM with CloudLink Center.
• -S clc_address represents the CloudLink Center server address (see “About the CloudLink Center Server Address”).

Deploy SecureVM Agent Using Microsoft Azure Virtual Machine Extensions for Linux VMs

You can deploy CloudLink SecureVM Agent to a Linux VM that you’ve already configured in the portal. You deploy using Microsoft Azure VM Extensions through the Azure Portal or PowerShell. After deployment is complete, you can remotely log in to the VM to confirm successful installation. Ensure that you are aware of the considerations related to VM IP addresses (see “About VM IP Addresses”).

Steps to install through the Portal
1. Sign in to the Azure Portal (https://portal.azure.com/).
2. From the Hub menu, browse to the Linux VM where you want to deploy SecureVM Agent.
3. In the Virtual Machines blade, in the Configure lens, click Extensions.
4. In the Extensions blade, click Add.
5. In the New Resource blade, select CloudLink SecureVM Agent.
6. In the CloudLink SecureVM Agent blade, click Create.
7. In the Add Extension blade, type the server address for CloudLink Center and click Create.

Tip: After deployment is complete, you can remotely log in using the user name and password for this VM.

Steps to install through PowerShell
1. Create a JSON configuration file containing the CloudLink Center server address and, optionally, whether to encrypt the boot drive (see “About Volume Encryption Policies”) during deployment. For example:
   {
     "CloudLinkCenter": "",
     "EncryptBoot": "True"
   }

   Note: All available configuration options are visible if you execute the following PowerShell command:
   $ext = Get-AzureVMAvailableExtension -Publisher CloudLink.SecureVM -ExtensionName CloudLinkSecureVMLinuxAgent
   $ext.SampleConfig
2. Save the config JSON file to a file on your local disk (for example, C:\CloudLink.config).
3. Run the following in PowerShell:
   # Get the VM
   $vm = Get-AzureVM -ServiceName $yourservicename -Name $yourvmname
   # Add CloudLink SecureVM Agent to the Virtual Machine
   $vm.GetInstance().ProvisionGuestAgent = $true
   Set-AzureVMExtension -Publisher CloudLink.SecureVM -ExtensionName CloudLinkSecureVMLinuxAgent -Version 3.* -VM $vm.VM -PublicConfigPath c:\cloudlink.config
   # Update the VM which will install the CloudLink SecureVM Agent
   Update-AzureVM -Name $yourvmname -ServiceName $yourservicename -VM $vm.VM
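The PowerShell procedures for the Windows agent (under “Deploy SecureVM Agent Using Microsoft Azure Virtual Machine Extensions for Windows VMs”) and for the Linux agent above differ only in the extension name and in which settings the configuration file carries. The following script is an added example, not from the CloudLink guide or from Azure, that generates the public configuration file for either agent with the policy value validated against the four names the guide lists, and then deploys the extension with the same Azure Service Management cmdlets the guide's steps use (Get-AzureVM, Set-AzureVMExtension, Update-AzureVM). The publisher and extension names are the guide's; the function and parameter names, the temporary config file path and the placeholder service, VM and server names in the usage lines are this example's own assumptions.

```powershell
# Added example, not from the CloudLink guide or Azure's samples: build the extension's
# public configuration and deploy CloudLink SecureVM Agent to a classic (Service
# Management) Azure VM for either the Windows or the Linux agent.
# Requires the Azure PowerShell module with an authenticated subscription.

function New-SecureVMExtensionConfig {
    # Writes the JSON public config for the selected agent and returns the file path.
    param(
        [Parameter(Mandatory)][ValidateSet('Windows','Linux')][string]$OS,
        [Parameter(Mandatory)][string]$CloudLinkCenter,
        [ValidateSet('BootAllData','BootManualData','AllData','Manual')]
        [string]$VolumeEncryptionPolicy,      # Windows agent only (optional, as in the guide)
        [switch]$EncryptBoot,                 # Linux agent only (optional, as in the guide)
        [string]$Path = (Join-Path $env:TEMP 'CloudLink.config')   # assumed location
    )
    $config = [ordered]@{ CloudLinkCenter = $CloudLinkCenter }
    if ($OS -eq 'Windows' -and $VolumeEncryptionPolicy) {
        $config['VolumeEncryptionPolicy'] = $VolumeEncryptionPolicy
    }
    if ($OS -eq 'Linux' -and $EncryptBoot) {
        $config['EncryptBoot'] = 'True'       # string value, matching the guide's example file
    }
    $config | ConvertTo-Json | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

function Install-SecureVMExtension {
    # Adds the CloudLink SecureVM Agent extension to the VM and applies the update.
    param(
        [Parameter(Mandatory)][ValidateSet('Windows','Linux')][string]$OS,
        [Parameter(Mandatory)][string]$ServiceName,   # classic cloud service name
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$ConfigPath
    )
    # Extension names as published by CloudLink (from the guide).
    $extensionName = if ($OS -eq 'Windows') { 'CloudLinkSecureVMWindowsAgent' } else { 'CloudLinkSecureVMLinuxAgent' }

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' not found in cloud service '$ServiceName'" }

    # The guest agent must be provisioned for any extension to run.
    $vm.GetInstance().ProvisionGuestAgent = $true
    Set-AzureVMExtension -Publisher 'CloudLink.SecureVM' -ExtensionName $extensionName `
        -Version '3.*' -VM $vm.VM -PublicConfigPath $ConfigPath | Out-Null
    # Update-AzureVM pushes the new configuration, which installs the agent on the VM.
    Update-AzureVM -ServiceName $ServiceName -Name $VMName -VM $vm.VM
}

# Usage with placeholders: substitute your own cloud service, VM and CloudLink Center address.
$cfg = New-SecureVMExtensionConfig -OS Windows -CloudLinkCenter 'cloudlinkcenter.mycompany.com' `
           -VolumeEncryptionPolicy BootManualData
Install-SecureVMExtension -OS Windows -ServiceName 'myservice' -VMName 'myvm' -ConfigPath $cfg

# Linux agent, with boot-partition encryption requested:
$cfg = New-SecureVMExtensionConfig -OS Linux -CloudLinkCenter 'cloudlinkcenter.mycompany.com' -EncryptBoot
Install-SecureVMExtension -OS Linux -ServiceName 'myservice' -VMName 'mylinuxvm' -ConfigPath $cfg
```

Generating the file rather than hand-editing it keeps the CloudLinkCenter value from being left empty and rejects a misspelled policy name before anything is sent to Azure; after Update-AzureVM returns, confirm the install as described in “Verify Successful Deployment”.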

Verify Successful Deployment

You can confirm that SecureVM Agent has successfully installed by logging in to CloudLink Center and viewing the VM’s status. For information about managing VMs, including viewing their status, see the CloudLink Center Administration Guide for CloudLink SecureVM. You can also confirm successful deployment from the VM.

On Windows VMs

You can confirm that SecureVM Agent has successfully installed using the SecureVM Agent Shield icon in the Windows taskbar. The tooltip displays a message indicating that the VM is connected.

On Linux VMs

You can confirm successful installation from the VM command line.

Step
• From the command line, type:
   sudo service svmd status

A message indicates that the SecureVM daemon (svmd) is running.


Restart the SecureVM Agent Service

There are two deployment-related circumstances in which you must restart the SecureVM Agent service:
• during the custom installation of the SecureVM Agent on a Windows VM
• after deployment, if the networking configuration for a Windows or Linux VM with an encrypted boot partition is changed

Step for a Windows VM custom installation or networking change
• Do one of the following:
  - From the VM’s command line, type the following two commands:
    net stop SecureVMSvc
    net start SecureVMSvc
  - From the Services panel, restart the SecureVM Service service.

Step for a Linux VM networking configuration change
• From the VM’s command line, type the following two commands:
   service network restart
   svm


Chapter 6: Use the CloudLink Center Update Menu

After configuring CloudLink Center, every time you log in using the VM console, the Update menu is displayed.

If you encounter problems with your SecureVM deployment, CloudLink Technical Support may ask you to log in to the CloudLink Center instance console. SSH to the CloudLink Center VM instance (Linux) to access the Update menu. The Update menu includes these options:

Option        Description
Summary       Displays a summary of CloudLink Center settings.
Diagnostics   Intended only for use under the direction of CloudLink Support.
