Overview

Gemalto/SafeNet ProtectV for Microsoft Azure secures sensitive data by encrypting all data within an entire virtual machine (VM), on all attached storage volumes. Once the ProtectV Client Image is installed and the client VM is rebooted, the encryption process begins. To check on the encryption status, an encryption status report can be requested for up-to-date statistics on each volume and partition.

Note: ProtectV always encrypts the entire VM. No mechanism is provided to select individual volumes/partitions for encryption.

This document provides instructions to help you install, configure and enroll a ProtectV Gateway VM in Microsoft Azure. The ProtectV Gateway is selected from one of three support levels: 50, 100 or 200 client virtual instances. This document also provides instructions on deploying the ProtectV Client Image on VM instances. Instructions for generating an encryption status report on a Windows or Linux client VM are provided later in this document.

ProtectV for Microsoft Azure consists of the following components; refer to the diagram below:

  • Gemalto/SafeNet ProtectV Management Portal – Hosted by Gemalto/SafeNet and used to enroll and manage all ProtectV Gateway VMs and Client VM Instances. It interfaces to the Gemalto/SafeNet Key Manager for managing VM encryption keys.
  • Gemalto/SafeNet Key Manager – Hosted by Gemalto/SafeNet and supports the ProtectV Management Portal.
  • ProtectV Gateway VM – Available on the Microsoft Azure Marketplace at three support levels: 50, 100 or 200 nodes (client VM instances). It interfaces with the Gemalto/SafeNet ProtectV Management Portal for installing/enrolling the Client VM Image on Client VMs and for key management.
  • ProtectV Client VM Image – Available on the Microsoft Azure Marketplace. It is installed on each Client VM Instance to be secured.
  • Client VM Instances – VMs that can be encrypted by ProtectV when ProtectV Client VM Image is installed and then enrolled via the ProtectV Gateway VM.
  • Microsoft Azure VM Management Portal – Used to create and configure ProtectV Gateway VMs and Client VM Instances.
  • Microsoft Azure Marketplace – Source for the ProtectV Gateway VM and Client VM Image.

    [Diagram: ProtectV for Microsoft Azure components]

Difference between ProtectV for Microsoft Azure and prior versions of ProtectV

ProtectV for Microsoft Azure is the first offering in the 3rd generation of ProtectV solutions. It is offered as a service. 1st and 2nd generation versions of ProtectV are offered only as products. ProtectV for Microsoft Azure is also the first time ProtectV functionality is being made available for the Azure platform. ProtectV 1st and 2nd generation products only supported AWS and VMware environments.

There are major structural and functional differences between 3rd generation and prior generations of ProtectV. While ProtectV for Microsoft Azure is offered as a service - future 3rd generation versions of ProtectV may also be offered as products.

The following provides a summary of the major differences in ProtectV for Microsoft Azure for customers coming from ProtectV 2.x.

Client-Server Architecture

3rd Generation ProtectV implements a client-server architecture where the central management platform acts as a server - and encrypted virtual machines act as clients to that server. This means that encrypted virtual machines may make unsolicited requests for key material from the manager. Prior versions of ProtectV required an administrator to instruct the manager to send a key to a waiting virtual machine ("boot to os") or for the manager to continually poll virtual machines ("unattended reboot") to see if a key is required.

This change greatly reduces latency and improves responsiveness of the overall solution - and correctly authenticated Virtual Machines can be delivered keys instantly thus providing virtually no lag/overhead/stall in the boot process.

KeySecure

ProtectV for Microsoft Azure does not use SafeNet KeySecure to hold the customer keys for the virtual machines. This is because ProtectV for Microsoft Azure is provided as a service - and as such - customer keys are stored in a multi-tenant encrypted key vault. Future standalone 3rd generation ProtectV products, as well as iterations of ProtectV for Microsoft Azure as a Service will allow SafeNet KeySecure to act as the key vault.

Microsoft Azure Key Vault

ProtectV for Microsoft Azure provides the option for customers to add wrapping keys from their Azure Key Vault to the ProtectV solution. This extra layer of security injects key(s) from an independent key source (Key Vault) after the key has left the ProtectV service and before it is delivered to the encrypted virtual machine (i.e. into the ProtectV Gateway). This technique ensures that only the combination of keys from ProtectV and from Key Vault is used to encrypt/decrypt virtual machines.

The system allows for key rotation of the Azure Key Vault supplied keys - and automatically selects the correct key when needed.

ProtectV Client Software

The ProtectV client software from 1st and 2nd generation versions of ProtectV is not compatible with 3rd generation versions of ProtectV (including ProtectV for Microsoft Azure).

In ProtectV for Microsoft Azure - the ProtectV Client software is only available as an "extension" from the Microsoft Azure Marketplace. Unlike 1st and 2nd generations - there is no option to upload custom client software to the manager - and customers may only install the ProtectV client as an extension. You may install the client extension on Windows machines via a point-and-click interface in the Marketplace or via shell scripts for either Windows or Linux instances. Please refer to the section “Deploying the ProtectV Client Image” for more information.

Instances, Images and Clones

1st and 2nd generation ProtectV solutions only consider the management of instances. 3rd generation considers the management of both instances and their parent image(s). This is a more natural and familiar way of reasoning about ProtectV in the context of a cloud service such as Microsoft Azure.

In ProtectV for Microsoft Azure, customers define policy on an image. The policies are to allow or deny keys and to allow or deny scaling. If the policy for an image is set to deny keys - then no instance derived from that image will have access to a key. If the policy is set to allow keys - then instances will have access to their keys if their own instance policy is set to allow. Thus, customers can choose to allow or deny at the image level as well as at the instance level.

The policy for scaling of an image tells ProtectV for Microsoft Azure whether new instances derived from that image may be granted access. When set to deny - customers can effectively limit the number of instances that can request keys to any number (for example it can be set to 1 if only a single instance is desired). In 1st and 2nd generation ProtectV solutions the term "clone" is used. A clone is considered a copy of another instance. However, this is not the correct way to reason about virtual machines - and therefore the concept of clones is not used in ProtectV for Microsoft Azure (or any 3rd generation). Instances may or may not be "auto-scaled" from an image. There is no limit whatsoever on the number of auto-scaled instances that may be derived from an image.

1st generation ProtectV supported instance cloning up to a limit of 99 clones. 2nd generation ProtectV enhanced this by adding the concept of a second type of clone (a "free clone") that allowed for any number of cloned instances - however those instances could not support individual changes in configuration. There is no restriction on the configuration of "auto-scaled" instances in ProtectV for Microsoft Azure or 3rd generation ProtectV solutions in general.

ProtectV Gateway

A new concept in 3rd generation ProtectV solutions is the ProtectV Gateway. The Gateway is one or more instances that act as a proxy for key material between the ProtectV clients and the ProtectV Manager. This concept does not exist in 1st or 2nd generation ProtectV.

The Gateway can be located anywhere in the Azure service - but only functions when it can reach the manager (which in ProtectV for Microsoft Azure is a public address) and protected virtual machines within an Azure service can reach the gateway.

The ProtectV for Microsoft Azure gateway may only be launched from the Azure Marketplace and there are three types - 50, 100 and 200. The number refers to the number of simultaneously connected virtual machines each gateway can support. In ProtectV for Microsoft Azure, it is the Gateway that carries a per-hour billing charge for the ProtectV service (there are no other licenses required for the client software or for access to the management interface/service).

ProtectV clients are automatically aware of all the Gateways associated with the account and will attempt to connect to the first available slot they can find. Gateways in different network segments may therefore not be available to virtual machines in other segments.

Since ProtectV clients will automatically connect to the first available slot in a gateway - there is a natural redundancy in the system. Suppose, for example, the scenario where a customer operates 200 virtual machines. In this case, the customer can deploy three gateways that each supports 100 clients. If any one of the three gateway instances fails, service will not be interrupted.

Gateways do not store any information to disk; therefore, once shut down, they are of no further use.

Gateways require very little processing or network performance to operate efficiently or quickly - therefore small instance types are recommended even for Gateways designed to support 200 clients.

Redundancy

ProtectV for Microsoft Azure as a service is a fully RESTful service making use of container technology. As a stateless system, the service easily scales through the automatic provisioning of additional ProtectV Manager containers. Persistence is maintained using cloud based redundant and scalable RDBMS that ensures both availability and redundancy.

Performance

2nd generation ProtectV can support the provisioning of keys to up to 2,000 instances in one hour. ProtectV for Microsoft Azure can support the provisioning of keys in a very small fraction of that time.

Unattended Reboot

The concept of establishing an "unattended reboot" setting in ProtectV for Microsoft Azure does not exist and is removed completely from 3rd generation ProtectV systems. ProtectV for Microsoft Azure is ready to deliver keys instantly on request at any time so long as requests comply with policy. This is a significant enhancement on 2nd generation ProtectV solutions.

Token Enrollment

ProtectV for Microsoft Azure configures Gateways and Images by means of enrollment tokens. These tokens are secrets generated by ProtectV for Microsoft Azure manager that are meant to be manually copied at initialization of a new Gateway or a new image. These tokens bind these instances to the user or team account or scope. In the case of Gateway tokens - these are single use tokens. Image tokens can be re-used if desired. Customers can revoke Gateway tokens at any time. Active Gateways using tokens that are subsequently revoked will cease to function.

Teams and User Management

ProtectV for Microsoft Azure does not maintain users or their passwords and relies entirely on Microsoft services for user authentication using authentication federation technologies. Users may access the service with a Microsoft Live account; an Azure account if their AD Domain has been verified (referred to as a Microsoft "Work or School Account"); or a private Azure AD credential using Teams.

The scope of any logged in user is governed by how they are authenticated into the system. The scope controls what virtual machines they can see and manage. If a user logs in using a Microsoft Live credential - their scope will be limited to their account only. This means that even if within the same Azure service there are multiple sets of ProtectV managed and encrypted virtual machines - users will only see and be able to manage machines within their scope.

Azure administrators will have either a Microsoft Live account or a Microsoft "Work or School" account as their primary means of accessing Azure. This same credential should be used when accessing ProtectV for Microsoft Azure as an administrator. When doing this - it is not necessarily useful to set up and manage encrypted machines - since only that person will ever be able to view or manage those instances. Instead - administrators should log in to ProtectV for Microsoft Azure with these administrative credentials in order to create "Teams". A Team relates to a scope within ProtectV that multiple people can access. Teams are configured via the ProtectV for Microsoft Azure Management Portal (https://protectv.safenet-inc.com) by configuring an AD instance in Azure for the team you wish to create. Therefore, if an administrator wanted to create a group of users to manage one set of machines - they would create a new AD within Azure and add users to that AD. Then they would configure a new ProtectV for Microsoft Azure team with the WSFED (SAML) details of that AD instance in ProtectV. A single user can belong to multiple ADs and therefore multiple teams.

Prerequisites

Access to SafeNet Technical Support

Make sure that you have access to login credentials for SafeNet's Technical Support Customer Portal at https://serviceportal.safenet-inc.com to open support tickets if necessary. If you do not have access to this portal, contact SafeNet Support at:

Country          Phone Number
United States    +1-(800)-545-6608
International    +1-(410)-931-7520

A Microsoft Live Account

You will need a Microsoft Live account. If you do not have one, you can create one here: https://signup.live.com.

Admin Access to your VMs

Before you can encrypt the partition(s) on your existing VMs, you will need Admin access to install the ProtectV Client Image.

Retrieving ProtectV Enrollment Tokens

  1. Log in to ProtectV Management Portal using your Microsoft Live account.

    Use: (https://protectv.safenet-inc.com)

  2. Once logged in, select the Tokens tab and retrieve two enrollment tokens:

    • Gateway Enrollment Token – for enrolling/deploying a ProtectV Gateway VM
    • Image Enrollment Token – for enrolling/deploying the ProtectV Client Image on one or more VM instances
  3. Click on Get a New Gateway Enrollment Token

    Example

      ID: 8de00077-9f5a-464c-8900-1bf7c6629f90
    
      Token: fezLtYh5yQ3ewaMOWrTopaWrAmKhl7Ab
    
      Created: 2015-06-16T18:46:28.785052434Z
    

    Note that the Gateway token is displayed only when it is created. Therefore, store it at this time. If you lose this token before deploying your ProtectV Gateway (described in the following section), simply create a new one.

  4. Click on Get a New Image Enrollment Token

    Example

      ID: bb5f260f-2dc8-4ba5-853f-a8c6d343eedc
    
      Token: 2ffD8hyrlq8QniFUptmadfrXC5zeR5zX
    
      Created: 2015-06-10T14:39:52.776526959Z
    

    This token is used to enroll/deploy many user VM instances, so it is always available under the Tokens tab.

Deploying a ProtectV Gateway

Use the following procedure to deploy a ProtectV Gateway VM on Microsoft Azure.

Create a ProtectV Gateway VM

  1. Sign in to Microsoft Azure

  2. Go to the Microsoft Azure Management Portal (https://manage.windowsazure.com/)

  3. Click on: + NEW, then move the cursor over COMPUTE, VIRTUAL MACHINE and click on VIRTUAL MACHINE

  4. Click on FROM GALLERY

  5. In the ‘Choose an Image’ page, under FEATURED, scroll down to one of the following images:

    Gemalto/SafeNet ProtectV Gateway for Microsoft Azure, 50 Nodes (supports up to 50 VMs)

    Gemalto/SafeNet ProtectV Gateway for Microsoft Azure, 100 Nodes (supports up to 100 VMs)

    Gemalto/SafeNet ProtectV Gateway for Microsoft Azure, 200 Nodes (supports up to 200 VMs)

Configure the Gateway

  1. Click on the arrow at the lower-right of the first Virtual machine configuration page and fill in each field.

  2. Click on the arrow again for the second configuration page and fill in each field.

  3. Click on the arrow again for the third configuration page and select any additional App Services to install.

    Note that ProtectV Gateway VM also requires the ‘VM Agent’ App service to be installed.

  4. Click on the checkmark √ at the lower-right to complete the configuration and launch the VM.

Enroll the Gateway

Gateway IP Address/Hostname

When you enroll a ProtectV Gateway using logosctl you can use the (-a) option to specify the address your client VMs will use to connect to it. This can be an IP address or a hostname; the value is embedded in the certificate the gateway is issued. If you don’t enter anything, the ProtectV Gateway uses its local internal IP address by default.

If you try to connect a client VM to your ProtectV Gateway using an incorrect IP address/hostname you will get an SSL connection error. To resolve this error, either reboot and re-enroll the gateway using the (-a) option to specify the IP address/hostname you want to use, or use the gateway’s default internal address.

You can set the gateway address that a client VM connects to when you install the client extension with PowerShell, by placing it in the gatewayURLs value of the public configuration. Below is an example using 100.116.4.95 as the gateway internal address.

    .\pv.ps1 -install -vmname dp-l1 -servicename dp-service -os linux -publicconfig '{"gatewayURLs" : ["https://100.116.4.95"], "registrationToken" : "buW87Vmz14gV1qh3HeZXJAcqlm4zXytX"}'
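As an added check that is not part of ProtectV or this guide, the following PowerShell function (the name Get-ProtectVGatewayCertificateInfo is ours) opens a TLS connection to a gateway URL, captures the certificate the gateway presents, and reports whether the address clients will use appears in its subject CN or subject alternative names. This is what to inspect when a client reports the SSL connection error described above; the gateway address in the usage line is the page's example value.

```powershell
# Added example, not part of ProtectV: inspect the certificate a ProtectV Gateway
# presents and check that the address clients use matches what is embedded in it.
function Get-ProtectVGatewayCertificateInfo {
    param(
        [Parameter(Mandatory)][string]$GatewayUrl,   # e.g. https://100.116.4.95
        [int]$TimeoutMs = 5000
    )
    $uri = [Uri]$GatewayUrl
    if ($uri.Scheme -ne 'https') { throw "Gateway URL must use https: $GatewayUrl" }
    $port = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }

    $client = New-Object System.Net.Sockets.TcpClient
    $pending = $client.BeginConnect($uri.Host, $port, $null, $null)
    if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        throw "Timed out connecting to $($uri.Host):$port"
    }
    $client.EndConnect($pending)

    # Accept the certificate here only so that it can be captured and reported;
    # this function inspects, it does not decide trust for anything.
    $script:gwCert = $null
    $script:gwErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:gwCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $script:gwErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
    try {
        $ssl.AuthenticateAsClient($uri.Host)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    $cert = $script:gwCert

    # The enrolled -a address ends up in the subject CN and/or the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $cn = ''
    foreach ($part in ($cert.Subject -split ',')) {
        if ($part.Trim() -like 'CN=*') { $cn = $part.Trim().Substring(3); break }
    }
    $san = ''
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') { $san = $ext.Format($false) }
    }
    $addressMatches = ($cn -eq $uri.Host) -or ($san -match [regex]::Escape($uri.Host))

    [pscustomobject]@{
        Host                      = $uri.Host
        SubjectCN                 = $cn
        SubjectAltNames           = $san
        NotAfter                  = $cert.NotAfter
        ValidationErrors          = $script:gwErrors
        AddressMatchesCertificate = $addressMatches
    }
}

# Usage (address taken from the page's example; substitute your own gateway):
Get-ProtectVGatewayCertificateInfo -GatewayUrl 'https://100.116.4.95' | Format-List
```

If AddressMatchesCertificate is False, re-enroll the gateway with -a set to the address shown under Host, or point the clients at the address the certificate carries.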

Steps to Enroll the Gateway

  1. SSH into the new logos gateway using its DNS name on port 22.

  2. Log in to the gateway and enter: sudo logosctl

      MDM@PVGW-100:~$ sudo logosctl
      Logos is the key distribution gateway
    
      Usage:
        logosctl [command]
    
      Available Commands:
        ping        Check that the gateway is running
        enroll      Enroll the agent with the server
        secret      Manages gateway secrets
        help        Help about any command
    
      Flags:
        -h, --help=false: help for logosctl
    
      Use "logosctl help [command]" for more information about a command.
    
      MDM@PVGW-100:~$ 
    
  3. Verify that the logos gateway is available.

      MDM@PVGW-100:~$ sudo logosctl ping
      Welcome to Logos!
      This is a 100 seat agent, 0 in use
      Ping succeed!
    
      MDM@PVGW-100:~$ 
    
  4. Help on enrolling the gateway:

      MDM@PVGW-100:~$ sudo logosctl help enroll
      Enroll the gateway with the server.  This enables the gateway to distribute keys.
      Enrolling requires an enrollment token.
    
      Usage: 
        logosctl enroll [enrollment token] [flags]
    
      Examples:
      logosctl enroll Y5PYQ2nzJwqRPu3Z5tnDJXmCkT6TRqU3
    
      Flags:
        -a, --address="100.92.86.135": IP or full hostname that clients will use to connect to this gateway.
        -h, --help=false: help for enroll
    
      Additional help topics:
    
        logosctl ping   Check that the gateway is running
        logosctl secret Manages gateway secrets
        logosctl help   Help about any command
    
      MDM@PVGW-100:~$
    
  5. Enroll the gateway using the gateway token secret available from the ProtectV Management Portal.

        MDM@PVGW-100:~$ sudo logosctl enroll fezLtYh5yQ3ewaMOWrTopaWrAmKhl7Ab
    

When enrollment is successful, ‘Gateway successfully enrolled!’ is returned. After successful deployment of the gateway, it is listed under the Gateways tab of the ProtectV Management Portal.

  6. Help on managing gateway secrets:

        MDM@PVGW-100:~$ sudo logosctl help secret
        Manages gateway secrets.  Secrets are mixed into keys to add an extra layer of security.
    
        Usage: 
          logosctl secret [flags]
          logosctl secret [command]
    
        Available Commands: 
          add         Adds a secret to the gateway
          delete      Deletes secret from gateway
    
        Flags:
          -h, --help=false: help for secret
    
        Additional help topics:
    
          logosctl ping   Check that the gateway is running
          logosctl enroll Enroll the gateway with the server
          logosctl help   Help about any command
    
        Use "logosctl help [command]" for more information about a command.
    
        MDM@PVGW-100:~$
    

Host-Proof Your User Keys

If you prefer to host-proof the keys hosted by the SafeNet Key Service, you can add a secret to the keys before they are used to encrypt your VMs. This can be done by using an Azure Key Vault. Go to the following link to get started with creating/using an Azure Key Vault.

https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/

Here is an overview of the process for creating an Azure Key Vault.

  1. Create a Resource Group

  2. Create a Key Vault

  3. Add a secret to the Key Vault. This secret can be any text string you want. At the end you will get a secret ID: https://testkv.vault.azure.net:443/secrets/testsecret/dfd8c531071b4fccbaacacc068c1ba4e

  4. Create application

    1. Authorize the application to use the key or secret.

    2. From the application, get the “client-id” (example: fe6f9bbd-0ea6-4e89-bc60-145d6cf67849). Then open “View endpoints” for the app and get the “OAUTH 2.0 Token Endpoint” (example: https://login.microsoftonline.com/d27d849e-e487-4b0e-a54c-a71e67687d10/oauth2/token?api-version=1.0).

  5. Create a key in the application – you will get a “key” (7O1XNMrVya64N4T5Au3hHyFiU5yRySwq5qGGTC/IkrM=)

  6. Add the secret to the gateway with logosctl secret add, passing the client ID, application key, token endpoint and secret ID collected in the previous steps. The command's help output:

      root@logos-272-2:~# sudo logosctl help secret add
      Adds a gateway secret.  Currently only Azure Key Vault secrets are supported.
      Usage:
      logosctl secret add --service <"azure"> --appid <app client id> --appkey <app key> --tokenurl <url> --id <secret id> [flags]
      Examples:
      logosctl secret add --service=azure --appid=fe6f9bbd-0ea6-4e89-bc60-145d6cf67849 --appkey=xrA2maiBTpZXnYJF9ww6Lqu/mtctzy6kmXrx/cC+7io= --tokenurl=https://login.microsoftonline.com/d27d849e-e487-4b0e-a54c-a71e67687d10/oauth2/token?api-version=1.0 --id=https://testkv.vault.azure.net:443/secrets/testsecret/dfd8c531071b4fccbaacacc068c1ba4e?api-version=2015-02-01-preview
      Flags:
            --appid="": Azure application client id
            --appkey="": Azure application secret key
        -h, --help=false: help for add
            --id="": Azure key id - including key verison and API version
            --service="": Name of secret service.   Currently only azure (for Azure Key Vault) is supported
            --tokenurl="": Azure application token url endpoint
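
An added pre-check that is not ProtectV's own tooling: before running logosctl secret add, confirm that the Azure AD application can actually read the Key Vault secret using the same four values the command takes. The function name Test-ProtectVVaultSecret is ours; it performs the OAuth 2.0 client-credentials grant against the token endpoint, then reads the secret through the Key Vault REST API with the api-version shown above, and reports only metadata, never the secret value.

```powershell
# Added example, not part of ProtectV: verify that an Azure AD application can
# read a Key Vault secret using the same inputs "logosctl secret add" takes.
function Test-ProtectVVaultSecret {
    param(
        [Parameter(Mandatory)][string]$AppId,      # --appid: application client id
        [Parameter(Mandatory)][string]$AppKey,     # --appkey: application key
        [Parameter(Mandatory)][string]$TokenUrl,   # --tokenurl: OAuth 2.0 token endpoint
        [Parameter(Mandatory)][string]$SecretId,   # --id: secret id including version
        [string]$ApiVersion = '2015-02-01-preview' # Key Vault API version used on this page
    )
    # 1. OAuth 2.0 client-credentials grant. "resource" names the Key Vault service.
    $tokenBody = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $AppKey
        resource      = 'https://vault.azure.net'
    }
    $token = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $tokenBody `
        -ContentType 'application/x-www-form-urlencoded'
    if (-not $token.access_token) { throw "No access token returned by $TokenUrl" }

    # 2. GET the secret with the bearer token. Drop any query string already
    #    present on the id so api-version is not sent twice.
    $secretUri = ($SecretId -split '\?')[0] + "?api-version=$ApiVersion"
    $headers = @{ Authorization = "Bearer $($token.access_token)" }
    try {
        $secret = Invoke-RestMethod -Method Get -Uri $secretUri -Headers $headers
    } catch {
        throw "Application $AppId cannot read $($secretUri): $($_.Exception.Message)"
    }

    # Report metadata only; the secret value itself is never written to the console.
    [pscustomobject]@{
        SecretId    = $secret.id
        Enabled     = $secret.attributes.enabled
        ValueLength = $secret.value.Length
        Readable    = $true
    }
}

# Usage with the placeholder values from this page (substitute your own):
# Test-ProtectVVaultSecret -AppId 'fe6f9bbd-0ea6-4e89-bc60-145d6cf67849' `
#     -AppKey '<application key>' `
#     -TokenUrl 'https://login.microsoftonline.com/d27d849e-e487-4b0e-a54c-a71e67687d10/oauth2/token?api-version=1.0' `
#     -SecretId 'https://testkv.vault.azure.net:443/secrets/testsecret/dfd8c531071b4fccbaacacc068c1ba4e'
```

A failure in step 1 means the client id or key is wrong for that tenant; a failure in step 2 means the application has not been authorized on the vault, which is the same condition that will make the gateway unable to mix in the secret.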
    

Deploying the ProtectV Client Image

The ProtectV Client Image is available as an Azure VM Extension. For basic instructions on working with Azure VM Extensions, refer to: https://msdn.microsoft.com/en-us/library/azure/dn850373.aspx

  1. If you already have VM(s) available to protect, skip this step. Otherwise, capture a VM to use as a template:

    How to Capture a Linux Virtual Machine to Use as a Template https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-capture-image/

    How to Capture a Windows Virtual Machine to Use as a Template https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-capture-image-windows-server/

  2. VMs must have the Azure Virtual Machine Agent (VM Agent) installed before installing the ProtectV Client Extension. If it is not installed, refer to: Install the VM Agent on an existing Azure VM http://blogs.msdn.com/b/mast/archive/2014/04/08/install-the-vm-agent-on-an-existing-azure-vm.aspx

  3. Install and configure Azure PowerShell if it is not already installed; see "How to install and configure Azure PowerShell" https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/

  4. Get information about the ProtectV Client Extension.

    To list information for ProtectV Client Windows Extension:

    Get-AzureVMAvailableExtension ProtectVClientWindowsExtension
    

    To list information for ProtectV Client Linux Extension:

    Get-AzureVMAvailableExtension ProtectVClientLinuxExtension
    
  5. ProtectV Client Extension can be installed using the following PowerShell command.

    Parameter Set: SetByExtensionName
    Set-AzureVMExtension [-ExtensionName] <String> [-Publisher] <String> [-Version] <String> [[-ReferenceName] <String> ] [[-PublicConfiguration] <String> ] [[-PrivateConfiguration] <String> ] [[-Disable]] [[-Uninstall]] [[-PublicConfigKey] <String> ] [[-PrivateConfigKey] <String> ] -VM <IPersistentVM> [ <CommonParameters>]
    

    To learn about the Set-AzureVMExtension command, refer to: https://msdn.microsoft.com/en-us/library/azure/dn722522.aspx

Sample script for installing ProtectV Client Extension

A sample script is provided here to help you install the ProtectV Client Extension. This script can also be used for verifying the status of the installation.

param (
    [string]$subscriptionname,
    [string]$vmname,
    [string]$servicename,
    [string]$publishername,
    [string]$os,
    [string]$version,
    [string]$publicconfig,
    [string]$restart
)
# Terminate on errors, otherwise exceptions won't be caught
$ErrorActionPreference = "Stop"

# The command (-install or -status) is the first unbound argument
$cmd = $args[0]

if ($vmname -eq '') {
    Write-Error "Invalid arguments. Specify VM Name"
    Exit 1
}
if ($servicename -eq '') {
    # VM and Service name are the same
    $servicename = $vmname
}
# Microsoft Azure subscription name where the VM is hosted
if ($subscriptionname -eq '') {
    $subscriptionname = 'Pay-As-You-Go'
}
$publishername = 'Gemalto.SafeNet.ProtectV'
$linuxextensionname = 'ProtectVClientLinuxExtension'
$windowsextensionname = 'ProtectVClientWindowsExtension'
if ($os.StartsWith('l', "CurrentCultureIgnoreCase")) {
    $extensionname = $linuxextensionname
}
else {
    # Use the Windows extension by default
    $extensionname = $windowsextensionname
}
if ($version -eq '') {
    $version = '3.0'
}
# ProtectV client registration configuration includes the ProtectV Gateway URL and the ProtectV Client Image Secret.
if ($publicconfig -eq '') {
    # Either pass -publicconfig or set a default here to match your configuration, for example:
    # $publicconfig = '{"gatewayURLs" : ["https://<url of the protectv gateway>"], "registrationToken" : "<protectv image enrollment token>"}'
    Write-Error "Invalid arguments. Specify -publicconfig with gatewayURLs and registrationToken"
    Exit 1
}
try {
    $registrationconfig = ConvertFrom-Json $publicconfig
    if (($null -eq $registrationconfig.gatewayURLs) -or ($null -eq $registrationconfig.registrationToken)) {
        Write-Host "Invalid configuration $($publicconfig). Missing configuration gatewayURLs or registrationToken"
        Exit 2
    }
} catch {
    Write-Host "Invalid JSON format configuration $($publicconfig)"
    Exit 3
}
# Select the subscription
Select-AzureSubscription -SubscriptionName $subscriptionname

if ($cmd -eq '-install') {
    $vm = Get-AzureVM -Name $vmname -ServiceName $servicename
    if ($vm) {
        Write-Host "VM $($vmname) with Service $($servicename) is in $($vm.Status) status"
        if ($vm.Status -ne 'ReadyRole') {
            Write-Host "Start VM $($vmname)"
            Start-AzureVM -Name $vmname -ServiceName $servicename
            while (($vm = Get-AzureVM -ServiceName $servicename -Name $vmname).Status -ne 'ReadyRole') {
                Start-Sleep -Seconds 5
                Write-Host "VM $($vmname) is in $($vm.Status) status. Waiting to be in ReadyRole status..."
            }
        }
        # Add the extension to the VM configuration, then apply the updated configuration
        $vm = Set-AzureVMExtension -VM $vm.VM -ExtensionName $extensionname -Publisher $publishername -Version $version -PublicConfiguration $publicconfig
        Update-AzureVM -VM $vm -Name $vmname -ServiceName $servicename
    }
    else {
        Write-Error "VM $($vmname) with Service $($servicename) does not exist."
    }
}
elseif ($cmd -eq '-status') {
    Write-Host "$($extensionname) extension installation status on VM $($vmname)"
    $start = Get-Date
    do {
        $vm = Get-AzureVM -ServiceName $servicename -Name $vmname
        Write-Host "VM $($vmname) is in $($vm.Status) status."
        if ($vm.Status -ne 'ReadyRole') {
            Write-Host "Waiting to be in ReadyRole status..."
            Start-Sleep -Seconds 10
        }
        else {
            foreach ($extensionstatus in $vm.ResourceExtensionStatusList) {
                if ($extensionstatus.HandlerName.EndsWith($extensionname)) {
                    $statusmessage = $extensionstatus.ExtensionSettingStatus.FormattedMessage.Message
                    Write-Host "$($extensionname) extension status: $($extensionstatus.Status). Status message: $($statusmessage)"
                    if ($statusmessage -eq 'Registration file successfully created') {
                        Write-Host $extensionname "extension is installed successfully"
                        # Restart the Linux VM for encryption after installation
                        if ($extensionname -eq $linuxextensionname -and $restart.StartsWith('y', "CurrentCultureIgnoreCase")) {
                            Write-Host "Restart VM $($vmname)"
                            Restart-AzureVM -ServiceName $servicename -Name $vmname
                        }
                        Exit
                    }
                    break
                }
            }
            Write-Host "Waiting for extension status..."
            Start-Sleep -Seconds 10
        }
        $now = Get-Date
    } while (($now - $start).TotalSeconds -le 600)
    Write-Host "$($extensionname) extension installation takes more than the usual time. Verify the status from the Azure portal or the VM"
}
else {
    Write-Error "Unknown command $($cmd)"
}

The arguments used in the script are as follows:

  Argument           Value(s) or Example                Description
  $subscriptionname  Example: Pay-As-You-Go             User’s Microsoft subscription name
  $publishername     Value: Gemalto.SafeNet.ProtectV    Fixed value.
  $os                Windows, Linux                     ProtectV Client Extension for Windows or Linux (Ubuntu 14.04 LTS)
  $version           Value: 3.0                         Latest version of ProtectV for Azure.
  $vmname            Example: my-vm-name                Specify the existing virtual machine name.
  $servicename       Example: my-service-name           Specify the existing service name of the VM.
  $publicconfig      Example: '{"gatewayURLs" : ["ProtectV Gateway URL"], "registrationToken" : "Image enrollment token from ProtectV management console"}'
                                                        JSON formatted configuration. The value of gatewayURLs is a list of one or more ProtectV Gateways; registrationToken is the secret portion of the ProtectV Image Enrollment Token.
  $restart           yes, no                            Reboots the VM. Default is no. Applicable only for Linux.

  1. Install the ProtectV Client Extension

    To install the ProtectVClientWindowsExtension:

    .\protectv.ps1 -install -vmname my-pv-win-vm -os windows -publicconfig <configuration>
    

    To install the ProtectVClientLinuxExtension:

    .\protectv.ps1 -install -vmname my-pv-lin-vm -os linux -publicconfig <configuration>
    

    Note: For 'configuration' provide the Public Configuration for the ProtectV Client Extension.

    Sample Result for the -install command:

      OperationDescription                 OperationId                          OperationStatus
      --------------------                 -----------                          ---------------
      Update-AzureVM                       3c44edce-26dc-b185-bd47-41ccab0baa22 Succeeded

    This means that the installation of the ProtectV Client Extension was successfully started.

  2. To verify the status of the extension installation:

    For Windows:

    .\protectv.ps1 -status -vmname my-pv-win-vm -os windows
    

    For Linux:

    .\protectv.ps1 -status -vmname my-pv-ubuntu-vm -os linux -restart yes
    

    Note: The VM will be encrypted on a system reboot. The Linux VM will not be accessible until the encryption has completed. The -restart option is only applicable for Linux. Specify yes if you want the VM to restart automatically after the extension is installed.

    Sample Result for the -status command:

    ProtectVClientWindowsExtension extension installation status on VM MikeWin-1
    VM MikeWin-1 is in RoleStateUnknown status.
    Waiting to be in ReadyRole status...
    VM MikeWin-1 is in ReadyRole status.
    ProtectVClientWindowsExtension extension status:" Installing ". Status message: "  "
    Waiting for extension status...
    VM MikeWin-1 is in ReadyRole status.
    ProtectVClientWindowsExtension extension status:" Installing ". Status message: "  "
    Waiting for extension status...
    VM MikeWin-1 is in ReadyRole status.
    ProtectVClientWindowsExtension extension status:" Ready ". Status message: " Registration file successfully created "
    ProtectVClientWindowsExtension extension is installed successfully
    

Check the VM Encryption Status

Microsoft Windows VM

After the ProtectV Client Image is installed and the VM has rebooted, it takes some time for each partition to be encrypted. To check the encryption status:

  1. Remote desktop to the VM.

  2. Go to the folder C:\Program Files\SafeNet ProtectV.

  3. Double-click the local ProtectV management console application, “LocalMC”.

    The Encryption Status window appears showing the percent encrypted for each drive/partition.


Linux VM

After the ProtectV Client Image is installed and the VM has rebooted, it takes some time for each partition to be encrypted. To check the encryption status:

  1. SSH to the VM.

  2. Execute the following command.

    $ sudo pvinfo
    


Configuring Image and Instance Policies

Encryption Key Policies

The Encryption Key policy can be controlled at the ProtectV Client Image level and at each VM Instance level. If the image policy is set to Yes (allow keys), an instance derived from that image has access to its encryption key only if its own instance policy is also set to allow. If the image policy is set to No (deny keys), no instance derived from that image has access to a key, regardless of the instance setting.

Control of the Key Policies is done via the Images tab of the ProtectV for Microsoft Azure Management Portal (https://protectv.safenet-inc.com). At the Image level, select Yes/No under the Enabled column. At the Instance level, select Yes/No under the Authorize column.

Note: Partitions may also be de-authorized individually by clicking on their Refuse It! button.

Autoscale Policy

The Autoscale policy controls whether new VM instances created from an existing VM instance using the Microsoft Azure VM Management Portal use the same encryption key as the original VM instance.

If Autoscale is On (the default), any new VM instance created from an existing VM instance is supported using the same encryption key as the original instance. If Autoscale is Off, new VM instances created from an existing VM instance are not supported by the original instance's encryption key. Existing VM instances that were created while Autoscale was On are not affected; key support continues for those instances.

Control of the Autoscale policy is done via the Images tab at the ProtectV for Microsoft Azure Management Portal (https://protectv.safenet-inc.com).

Configuring Redundant Gateways (HA)

Use of two or more redundant ProtectV Gateways is recommended for high availability (HA).

For example, if you enroll a ProtectV Gateway with support for 100 simultaneously connected VMs, it is recommended that you enroll a second gateway with support for at least 50 VMs. Then, when you create your VM instances, list both gateways in the gatewayURLs value of the $publicconfig argument. Refer to the section "Deploying the ProtectV Client Image" above. In this configuration, if either gateway instance fails or becomes unreachable, service continues on the other gateway as long as it is reachable. The support level of the surviving gateway bounds how many clients it can serve during the outage, so size the second gateway for the number of clients that must retain gateway service if the first one fails.
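
Building the $publicconfig value for two redundant gateways, as an added example that is not from the ProtectV documentation or the vendor's protectv.ps1: the function name, the gateway URLs, the requirement that gateway URLs be https, and the environment-variable name are assumptions of this example; the protectv.ps1 switches are the ones shown in the install step above.

```powershell
# Added example, not from the ProtectV documentation or the vendor's protectv.ps1.
# Builds the -publicconfig JSON for two redundant gateways and checks it before use.
# The function name, gateway URLs, https requirement and environment-variable name
# are assumptions of this example.

function New-ProtectVPublicConfig {
    param(
        [Parameter(Mandatory)][string[]]$GatewayUrl,      # one or more ProtectV Gateway URLs
        [Parameter(Mandatory)][string]$RegistrationToken  # secret part of the Image Enrollment Token
    )
    foreach ($u in $GatewayUrl) {
        $uri = $null
        # This example insists on absolute https URLs: a typo here means the client
        # can reach no gateway at all, and the token must not travel in the clear.
        if (-not [System.Uri]::TryCreate($u, [System.UriKind]::Absolute, [ref]$uri) -or
            $uri.Scheme -ne 'https') {
            throw "Gateway URL must be an absolute https URL: '$u'"
        }
    }
    if ([string]::IsNullOrWhiteSpace($RegistrationToken)) {
        throw "Registration token is empty."
    }
    # ConvertTo-Json escapes the values, so a token containing quotes cannot break
    # the JSON structure the way hand-built string concatenation could.
    $cfg = [ordered]@{
        gatewayURLs       = @($GatewayUrl)   # always an array, even for one gateway
        registrationToken = $RegistrationToken
    }
    return ($cfg | ConvertTo-Json -Compress)
}

# Read the token from an environment variable instead of typing it on the command
# line, where it would be recorded in shell history and visible in process listings.
$token = $env:PROTECTV_ENROLLMENT_TOKEN   # assumed variable name
if (-not $token) { throw "Set PROTECTV_ENROLLMENT_TOKEN before running this script." }

$publicconfig = New-ProtectVPublicConfig `
    -GatewayUrl 'https://pv-gw-1.example.com', 'https://pv-gw-2.example.com' `
    -RegistrationToken $token

# Round-trip check: the string must parse back with both gateways intact.
$parsed = $publicconfig | ConvertFrom-Json
if (@($parsed.gatewayURLs).Count -ne 2) { throw "Gateway list was not preserved in the JSON." }

# Pass the validated configuration to the vendor script exactly as in the install step.
.\protectv.ps1 -install -vmname my-pv-lin-vm -os linux -publicconfig $publicconfig
```

The client uses whichever listed gateway is reachable, so the order of the two URLs only matters for which one is tried first; keep the same list on every instance that should fail over between the same pair of gateways.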

How to Decrypt a Client VM

ProtectV does not provide a mechanism to decrypt an entire VM. However, to achieve the same result, perform the following steps:

  1. Create a new unencrypted VM with the same specifications as the encrypted VM (if one does not already exist).
  2. Log in to the encrypted VM to access the data files.
  3. Copy all volumes and partitions from the encrypted VM to the new unencrypted VM.
  4. Verify that the copied data is complete and intact on the unencrypted VM (for example, by comparing file counts and hashes), and only then delete the encrypted VM.
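
One way to carry out the copy and the verification for a data volume of a Windows client VM, as an added example that is not part of the ProtectV documentation: it mirrors the volume with robocopy and refuses to declare success until every file's SHA-256 hash matches. The administrative share path, drive letter and log path are assumptions; the OS volume is not copied this way.

```powershell
# Added example, not part of the ProtectV documentation. Mirrors one data volume
# from the encrypted VM to the new unencrypted VM and verifies every file by
# SHA-256 before the encrypted VM is deleted. Run it on the new VM. The share
# path, drive letter and log path are assumptions; the OS volume is not handled.

$source      = '\\my-pv-win-vm\F$'   # data volume on the encrypted VM, via admin share (assumed)
$destination = 'F:\'                 # matching empty volume on the new VM (assumed)
$log         = 'C:\pv-copy.log'      # assumed log location

# /MIR mirrors the tree, /COPYALL keeps ACLs and ownership, /R and /W bound the retries.
robocopy $source $destination /MIR /COPYALL /R:3 /W:5 /NP /LOG:$log
# robocopy exit codes 0-7 mean the copy completed; 8 or higher means some files failed.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
}

function Compare-TreeByHash {
    param([string]$Src, [string]$Dst)
    $mismatches = @()
    $base = $Src.TrimEnd('\')
    foreach ($file in Get-ChildItem -Path $Src -Recurse -File) {
        # Path of the file relative to the source root, then the expected copy.
        $rel  = $file.FullName.Substring($base.Length).TrimStart('\')
        $peer = Join-Path $Dst $rel
        if (-not (Test-Path -LiteralPath $peer)) {
            $mismatches += "missing: $rel"
            continue
        }
        $srcHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        $dstHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $peer).Hash
        if ($srcHash -ne $dstHash) { $mismatches += "hash differs: $rel" }
    }
    return $mismatches
}

$bad = @(Compare-TreeByHash -Src $source -Dst $destination)
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning $_ }
    throw "Copy verification failed; do not delete the encrypted VM yet."
}
Write-Host "All files verified on $destination; the encrypted VM can now be deleted."
```

Reading the source through the encrypted VM's own file system is what makes this work: ProtectV presents the data in the clear to a logged-in session on that VM, so the copy lands unencrypted on the new VM, and the hash comparison is the check that nothing was skipped or truncated before the only encrypted copy is destroyed.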

ProtectV Supported Platforms

ProtectV currently supports the following VM Operating Systems:

Windows

Windows Server 2012 R2

Linux

Ubuntu