Disk Encryption


This topic describes how to secure Pivotal Platform VMs by encrypting their disks or rotating their disk encryption keys.

Overview

Disk encryption protects the confidentiality of data at rest: if physical disks or hosts are stolen, the data on them cannot be read without the encryption key. It does not protect data on a running VM, where the disks are already mounted and readable by the guest.

Disk encryption for VMs works at the IaaS level. An IaaS encrypts disks when it first creates them, or re-encrypts them when it rotates encryption keys. To encrypt disks in Pivotal Platform, you must:

  1. Configure the IaaS to encrypt disks when it creates or re-creates them.

  2. Trigger BOSH to re-create the existing VMs and their disks, so that the re-created disks are encrypted under the current key. Disks that BOSH creates for new VMs from then on are encrypted as well.

The procedures below describe how to do this for each IaaS.

Disks You Can Encrypt on a Pivotal Platform VM

The disks you can encrypt on a Pivotal Platform VM are:

  • The root file system for the VM. For BOSH-created VMs, this comes from the stemcell.

  • Ephemeral disk for the VM.

  • Persistent disk for the VM.

Which VMs Each Procedure Encrypts

For each IaaS, there are two disk encryption procedures, which encrypt different VMs:

  • The BOSH Director procedure encrypts the disks used by the BOSH Director VM when you first create a Pivotal Platform environment.

  • The BOSH-deployed VM procedure encrypts disks for the VMs that the BOSH Director creates, after BOSH has been deployed.

Encrypt Disks or Rotate Keys

You can use the same procedure to either encrypt disks for the first time or rotate encryption keys.

For BOSH-deployed VMs, some IaaSes let you associate a policy with the BOSH process so that the IaaS automatically encrypts every disk BOSH creates. On AWS, by contrast, BOSH must explicitly tell the IaaS to encrypt each disk that it creates, and it passes in the ID (ARN) of the encryption key to use. The table below summarizes these differences:

IaaS                        | How configured                                                     | How encrypted                                         | User can supply key | BOSH stores key ID
----------------------------+--------------------------------------------------------------------+-------------------------------------------------------+---------------------+-------------------
AWS                         | User pastes key Amazon Resource Name (ARN) into Pivotal Operations | BOSH tells IaaS to encrypt each disk it creates       | Yes                 | Yes
                            | Manager                                                            |                                                       |                     |
Azure (with managed disks)  | User configures IaaS to associate encryption policy with BOSH      | IaaS automatically encrypts disks it creates for BOSH | No                  | No
Azure (with Azure Storage)  | User configures IaaS to associate encryption policy with BOSH      | IaaS automatically encrypts disks it creates for BOSH | Yes                 | No
vSphere                     | User configures IaaS to associate encryption policy with BOSH      | IaaS automatically encrypts disks it creates for BOSH | Yes                 | No

Azure

Azure provides virtual disk space through Azure Storage accounts (unmanaged disks). In some regions, Azure also offers managed disks, which allocate disk space on demand without requiring you to create and manage storage accounts yourself.

For more information about Azure Storage, see Introduction to Azure Storage in the Microsoft Azure documentation. For more information about managed disks, see Introduction to Azure managed disks in the Microsoft Azure documentation.

Managed Disks versus Unmanaged Storage Accounts

For disk encryption, VMware recommends managed disk storage where available. With managed disks, encryption keys are managed by the IaaS, so you do not supply your own keys. You also do not need to re-create VMs after encrypting disks or rotating encryption keys, because the IaaS propagates the change to all VMs automatically.

Encrypt Azure Disks

To initiate or rotate disk encryption for BOSH-deployed VMs on Azure:

  1. Log in to Azure Portal.

  2. Encrypt new and existing Pivotal Platform VMs by following the procedure in Azure Disk Encryption for virtual machines and virtual machine scale sets in the Microsoft Azure documentation.

  3. For unmanaged Storage Account disks, see Recreate BOSH-Deployed Disks to propagate the change to existing VMs. If you are using managed disks, you can skip this step.

For more information about how BOSH integrates with IaaS-level disk encryption on Azure, see Encryption in Microsoft Azure in the BOSH documentation.

vSphere

vSphere v6.5 and later support VM encryption, which encrypts the files and virtual disks of a VM at the vSphere level. To initiate or rotate disk encryption for BOSH-deployed VMs on vSphere v6.5 or later:

  1. Log in to vCenter.

  2. Follow the procedure in Encrypt an Existing Virtual Machine or Virtual Disk in the VMware documentation.

  3. Follow the procedure in Recreate BOSH-Deployed Disks to propagate the change to existing VMs.

For more information about how BOSH integrates with IaaS-level disk encryption on vSphere, see Encryption in vSphere in the BOSH documentation.

AWS

On AWS in Ops Manager v2.0 and later, you can encrypt Linux EBS volumes either with the default AWS-managed EBS encryption key for your account or with a customer managed AWS KMS key that you supply by ARN.

To encrypt BOSH-deployed VMs and the Ops Manager VM on AWS, see Configuring Amazon EBS Encryption.

For more information about how BOSH integrates with IaaS-level disk encryption on AWS, see Encryption in Amazon Web Services in the BOSH documentation.
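The AWS procedure leaves the disks of re-created VMs encrypted under the key whose ARN is configured in Ops Manager, but nothing on the page verifies that state. The script below is an added example, not part of the Pivotal or BOSH documentation: it reads the JSON that `aws ec2 describe-volumes --output json` prints, classifies every volume as correctly encrypted, encrypted under a different (old) key, or unencrypted, and lists the deployments whose VMs or disks still need to be re-created. The key ARNs, the `deployment`/`Name` tag names and the device-to-role mapping are assumptions for illustration; the `describe-volumes` document is constructed inline.

```python
"""Audit EBS volumes behind BOSH-created VMs after enabling encryption or rotating
the KMS key on AWS. Added example; not Pivotal or BOSH code."""
import json

# The ARN pasted into Ops Manager (placeholder value) and the key it replaced.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
OLD_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"

# Constructed sample shaped like `aws ec2 describe-volumes --output json`.
# Tag keys "deployment" and "Name" are assumed; BOSH tags disks with metadata of this kind.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": True, "KmsKeyId": EXPECTED_KEY_ARN,
     "Attachments": [{"InstanceId": "i-01", "Device": "/dev/sda1"}],
     "Tags": [{"Key": "deployment", "Value": "cf"}, {"Key": "Name", "Value": "router/0"}]},
    {"VolumeId": "vol-0b", "Encrypted": True, "KmsKeyId": OLD_KEY_ARN,
     "Attachments": [{"InstanceId": "i-01", "Device": "/dev/sdf"}],
     "Tags": [{"Key": "deployment", "Value": "cf"}, {"Key": "Name", "Value": "router/0"}]},
    {"VolumeId": "vol-0c", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-02", "Device": "/dev/sdb"}],
     "Tags": [{"Key": "deployment", "Value": "cf"}, {"Key": "Name", "Value": "diego-cell/0"}]},
    {"VolumeId": "vol-0d", "Encrypted": False, "Attachments": [],
     "Tags": [{"Key": "deployment", "Value": "p-mysql"}]},
]})


def disk_role(device):
    """Assumed BOSH AWS device layout: /dev/sda1 or /dev/xvda is the root disk,
    /dev/sdb the ephemeral disk, and any other device a persistent disk."""
    if device in ("/dev/sda1", "/dev/xvda"):
        return "root"
    if device == "/dev/sdb":
        return "ephemeral"
    return "persistent"


def audit_volumes(describe_volumes_json, expected_key_arn):
    """Classify every volume. Returns {"ok": [...], "wrong_key": [...], "unencrypted": [...]};
    each entry is a (volume_id, deployment, role) tuple."""
    findings = {"ok": [], "wrong_key": [], "unencrypted": []}
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        attachments = vol.get("Attachments", [])
        role = disk_role(attachments[0]["Device"]) if attachments else "detached"
        entry = (vol["VolumeId"], tags.get("deployment", "?"), role)
        if not vol.get("Encrypted", False):
            # EBS cannot encrypt a volume in place: it must be re-created.
            findings["unencrypted"].append(entry)
        elif vol.get("KmsKeyId") != expected_key_arn:
            # Still under the pre-rotation key: the disk was not re-created yet.
            findings["wrong_key"].append(entry)
        else:
            findings["ok"].append(entry)
    return findings


def needs_recreate(findings):
    """Sorted list of deployments that still hold an unencrypted or old-key disk."""
    return sorted({dep for bucket in ("unencrypted", "wrong_key")
                   for _, dep, _ in findings[bucket]})


if __name__ == "__main__":
    result = audit_volumes(SAMPLE_DESCRIBE_VOLUMES, EXPECTED_KEY_ARN)
    for bucket, entries in result.items():
        for vol_id, deployment, role in entries:
            print(f"{bucket:12} {vol_id:8} {deployment:10} {role}")
    print("re-create VMs/disks in:", ", ".join(needs_recreate(result)))
```

To run it against a real environment, save the output of `aws ec2 describe-volumes --output json` (optionally filtered with `--filters Name=tag-key,Values=deployment`) and pass the file contents to `audit_volumes` in place of the constructed sample. A volume reported as `unencrypted` or `wrong_key` cannot be fixed in place; it disappears only after the Recreate BOSH-Deployed Disks procedure re-creates the VM or persistent disk that owns it.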

Recreate BOSH-Deployed Disks

Unless you are using Azure managed disks, you must re-create the disks on BOSH-deployed VMs after you add or rotate disk encryption keys, because the IaaS applies encryption only when it creates a disk. To re-create the disks:

  1. Configure Ops Manager to re-create the root file system, ephemeral disk, and persistent disk of each VM on the next deploy, so that the IaaS creates them encrypted:

    • Root File System: To recreate the root file system for VMs, you must upload a new stemcell. If you are already running the latest stemcell, you can:
      • Wait until a new stemcell comes out. This typically takes less than two weeks.
      • If propagating disk encryption is urgent, contact Pivotal Support.
    • Ephemeral Disks: In the Director Config pane of the Ops Manager tile, enable the Recreate All VMs checkbox.
    • Persistent Disks
      • PCF v2.3 and later: In the Director Config pane of the Ops Manager tile, enable the Recreate All Persistent Disks checkbox.
      • PCF v2.2 and earlier: In the Resource Config pane of all tiles, change the disk or VM sizes of all VMs that you need to encrypt.
  2. Click Review Pending Changes.

  3. Click Apply Changes.
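Apply Changes reports success whether or not every VM and persistent disk was actually re-created, so it is worth confirming that the IaaS identifiers changed. The script below is an added example, not part of the Pivotal or BOSH documentation: it diffs two snapshots of `bosh -d DEPLOYMENT instances --details --json`, taken before and after Apply Changes, and flags instances whose VM CID did not change (the root and ephemeral disks were not re-created) or whose persistent disk CID survived (the Recreate All Persistent Disks or disk-size change did not take effect). It assumes the CLI's Tables/Rows JSON layout with `instance`, `vm_cid` and `disk_cids` columns, and that several disk CIDs in one cell are separated by commas or newlines; the snapshots are constructed inline.

```python
"""Verify that BOSH re-created VMs and persistent disks after a disk encryption
change, by diffing two `bosh instances --details --json` snapshots.
Added example; not Pivotal or BOSH code."""
import json
import re


def _snapshot(rows):
    """Build a constructed document in the bosh CLI's Tables/Rows JSON layout
    from (instance, vm_cid, disk_cids) triples. Layout is assumed."""
    return json.dumps({"Tables": [{"Content": "instances", "Rows": [
        {"instance": inst, "vm_cid": vm, "disk_cids": disks} for inst, vm, disks in rows]}]})


# Constructed before/after snapshots: router was fully re-created, mysql got a new
# VM but kept its persistent disk, diego-cell was not re-created at all.
SNAPSHOT_BEFORE = _snapshot([
    ("router/a1", "i-0a1", ""),
    ("mysql/b2", "i-0b2", "vol-1"),
    ("diego-cell/c3", "i-0c3", ""),
])
SNAPSHOT_AFTER = _snapshot([
    ("router/a1", "i-1a1", ""),
    ("mysql/b2", "i-1b2", "vol-1"),
    ("diego-cell/c3", "i-0c3", ""),
])


def _rows(snapshot_json):
    """Index every row of every table by its instance name."""
    rows = {}
    for table in json.loads(snapshot_json)["Tables"]:
        for row in table["Rows"]:
            rows[row["instance"]] = row
    return rows


def _disk_set(cell):
    """Split a disk_cids cell into a set of CIDs; empty cell means no persistent disk."""
    return set(filter(None, re.split(r"[,\n]", cell or "")))


def verify_recreate(before_json, after_json, expect_persistent=True):
    """Return {instance: [problem, ...]} for instances that were not fully re-created.
    With expect_persistent=False only the VM (root + ephemeral disk) is checked."""
    before, after = _rows(before_json), _rows(after_json)
    problems = {}
    for name, old in before.items():
        new = after.get(name)
        issues = []
        if new is None:
            issues.append("missing after deploy")
        else:
            if new["vm_cid"] == old["vm_cid"]:
                issues.append("VM not re-created (root/ephemeral disks unchanged)")
            kept = _disk_set(old["disk_cids"]) & _disk_set(new["disk_cids"])
            if expect_persistent and kept:
                issues.append("persistent disk %s not re-created" % ",".join(sorted(kept)))
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    for inst, issues in verify_recreate(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(inst, "->", "; ".join(issues))
```

Take the "before" snapshot with `bosh -d DEPLOYMENT instances --details --json > before.json` prior to Review Pending Changes, the "after" snapshot once Apply Changes finishes, and call `verify_recreate` on the two file contents. An instance with no problems has a new VM CID (a new root file system from the stemcell and a new ephemeral disk) and, where it has a persistent disk, a new disk CID, which is exactly the set of disks the IaaS creates encrypted.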