Disk Encryption

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to secure Pivotal Cloud Foundry (PCF) VMs by encrypting their disks or rotating their disk encryption keys.

Introduction

Disk encryption protects data integrity if computing resources are stolen physically.

Disk encryption for VMs works at the IaaS level. An IaaS encrypts disks when it first creates them, or re-encrypts them when it rotates encryption keys. To encrypt disks in PCF, you must:

  1. Configure the IaaS to encrypt disks when it creates or re-creates them.

  2. Trigger BOSH to re-create the existing VMs that use the disks, and create encrypted disks from now on for new VMs.

The procedures below detail how to do this for each IaaS.

Disks You Can Encrypt on a PCF VM

  • The root file system for the VM. For BOSH-created VMs, this comes from the stemcell.
  • Ephemeral disk for the VM.
  • Persistent disk for the VM.

Which VMs Each Procedure Encrypts

For each IaaS, there are two disk encryption procedures, which encrypt different VMs:

  • The BOSH Director procedure encrypts the disks used by the BOSH Director VM when you first create a PCF environment.
  • The BOSH-Deployed VM procedure encrypts disks for the VMs that the BOSH Director creates, after BOSH has been deployed.

Encrypt Disks or Rotate Keys

You can use the same procedure to either encrypt disks for the first time or rotate encryption keys.

For BOSH-deployed VMs, some IaaSes let you associate a policy with the BOSH process that automatically encrypts all disks BOSH creates. On AWS, BOSH must explicitly tell the IaaS to encrypt each disk that it creates, and passes in an encryption key. The following table summarizes these differences:

IaaS How configured How encrypted User can supply key BOSH stores key ID
AWS User pastes key ARN (ID) into Ops Manager BOSH tells IaaS to encrypt disks it creates Yes Yes
Azure (with Managed Disks) User configures IaaS to associate encrypt policy with BOSH IaaS automatically encrypts disks it creates for BOSH No No
Azure (with Storage Accounts) User configures IaaS to associate encrypt policy with BOSH IaaS automatically encrypts disks it creates for BOSH Yes No
vSphere User configures IaaS to associate encrypt policy with BOSH IaaS automatically encrypts disks it creates for BOSH Yes No

Azure

Azure provides virtual disk space through Azure Storage accounts. In some regions, Azure offers a Managed Disks service for storage accounts, which allocates disk space flexibly on demand.

Managed Disks vs Unmanaged Storage Accounts

For disk encryption, Pivotal recommends Managed Disks storage where available. With Managed Disks, encryption keys are managed by the IaaS, so you need not (and cannot) supply your own keys. You also do not need to re-create VMs after encrypting disks or rotating encryption keys, because the IaaS propagates the change to all VMs automatically.

Encrypt Azure Disks

Follow the steps below to initiate or rotate disk encryption for BOSH-deployed VMs on Azure:

  1. Log in to Azure Portal and follow the Encryption workflow to encrypt new and existing PCF VMs.

  2. For unmanaged Storage Account disks, follow the Recreate BOSH-Deployed Disks procedure below to propagate the change to existing VMs.

    • With Managed Disks, you can skip this step.

For more information about how BOSH integrates with IaaS-level disk encryption on Azure, see Encryption under Microsoft Azure in the BOSH documentation.

vSphere v6.5 or Later

vSphere supports disk encryption in versions 6.5 and later for encrypted VMs. Follow the steps below to initiate or rotate disk encryption for BOSH-deployed VMs on vSphere v6.5+:

  1. Log in to vCenter and follow the Encrypt an Existing Virtual Machine or Virtual Disk procedure in the VMware Docs.

  2. Follow the Recreate BOSH-Deployed Disks procedure below to propagate the change to existing VMs.

For more information about how BOSH integrates with IaaS-level disk encryption on vSphere, see Encryption under vSphere in the BOSH documentation.

AWS (Ops Manager v2.0 and later)

On AWS, you can use your Amazon account key to encrypt Linux EBS volumes, or supply your own key.

For instructions on how to encrypt BOSH-deployed VMs and the Ops Manager VM on AWS, see Configuring Amazon EBS Encryption.

For more information about how BOSH integrates with IaaS-level disk encryption on AWS, see Encryption under Amazon Web Services in the BOSH documentation.

Recreate BOSH-Deployed Disks

Unless you are using Azure Managed Disks, you need to manually recreate disks on BOSH-deployed VMs after you have added or rotated disk encryption keys. To manually recreate disks, do the following:

  1. Configure Ops Manager to encrypt VM root, ephemeral disk, and persistent disk on next deploy:

    • Root File System: To recreate the root file system for VMs, you must upload a new stemcell. If you are already running the latest stemcell, you can:
      • Wait until a new stemcell comes out, typically less than two weeks.
      • Call Pivotal Support if propagating disk encryption is urgent.
    • Ephemeral Disks: In the Director Config pane of the Ops Manager tile, enable the Recreate All VMs checkbox.
    • Persistent Disks
      • PCF v2.3 and later: In the Director Config pane of the Ops Manager tile, enable the Recreate All Persistent Disks checkbox.
      • PCF v2.2 and earlier: In the Resource Config pane of all tiles, change the disk or VM sizes of all VMs that you need to encrypt.
  2. Click Review Pending Changes and Apply Changes.