How to decide whether to take Trusted Launch or not?

Question

How to decide whether to take Trusted Launch or not?

K. Kong 151

I was trying to create a new Ubuntu VM, and had to make a choice on Security Type: Standard or Trusted Launch Virtual Machines.

I read https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch but still am unable to find out what am I getting and losing if I select Trusted Launch.

I just need a simple web server running Node. What are the pros and cons of using Trusted Launch? What are the security risks if I use Standard?

I have been using AWS (LightSail) for many years, and I suppose that is the equivalent of Standard?

Is Trusted Launch chargeable?

2 answers

Your answer

Answer 1

Hi @K. Kong

Trusted Launch is a security feature that provides enhanced protection against advanced and persistent attack techniques for Azure Virtual Machines. It is designed to protect against bottom-of-the-stack threats through attack vectors such as rootkits, bootkits, and kernel-level malware.

When you select Trusted Launch for your Ubuntu VM, it will be deployed as a Gen2 Azure VM with enhanced security features. These features include secure boot, virtual trusted platform module (vTPM), and measured boot. Secure boot ensures that only trusted software is loaded during the boot process, while vTPM enables attestation by measuring the entire boot chain of your VM. Measured boot computes the hash of the next objects in the chain and stores the hashes in the Platform Configuration Registers (PCRs) on the vTPM. Measured boot records are used for boot integrity monitoring.

The main advantage of using Trusted Launch is that it provides an additional layer of security against sophisticated threats. However, it is important to note that Trusted Launch is currently in public preview and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

If you select Standard for your Ubuntu VM, it will be deployed as a regular Azure VM without the enhanced security features of Trusted Launch. However, this does not mean that your VM is not secure. Azure provides a range of security features and best practices that you can use to secure your VM, such as network security groups, Azure Security Center, and Azure Firewall.

Regarding the cost, the Trusted Launch VM document states it is at "No additional cost to existing VM pricing."
User's image

In summary, if you require enhanced security for your Ubuntu VM, you can select Trusted Launch. However, if you do not require this level of security, you can select Standard, use other Azure security features, and best practices to secure your VM.

Please click "Accept as answer" if this helps.

Answer 2

Dillon Silzer 57,831 Volunteer Moderator

Hello,

Here are the benefits of using trusted launch:

Securely deploy virtual machines with verified boot loaders, OS kernels, and drivers.
Securely protect keys, certificates, and secrets in the virtual machines.
Gain insights and confidence of the entire boot chain's integrity.
Ensure workloads are trusted and verifiable.

"At the root of trusted launch is Secure Boot for your VM. This mode, which is implemented in platform firmware, protects against the installation of malware-based rootkits and boot kits. Secure Boot works to ensure that only signed operating systems and drivers can boot. It establishes a "root of trust" for the software stack on your VM. With Secure Boot enabled, all OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers."

Cited from https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch

If this is helpful please accept answer.

K. Kong 151 Reputation points

2023-09-26T06:22:42.9566667+00:00

deleted
K. Kong 151 Reputation points

2023-09-26T06:25:57.8366667+00:00

Thanks. Does it mean that the Ubuntu image provided is automatically a verified boot loader?

After clearing the OS installation hurdle, is usage the same as in Standard? Are there certain limitations? Can I just install applications such as Node and NPM packages freely without having to subject them to some clearance?
Prrudram-MSFT 28,281 Reputation points Microsoft Employee Moderator

2023-10-13T18:19:14.6166667+00:00

K. Kong Yes, when you select Trusted Launch for your Ubuntu VM, it will be deployed with a verified boot loader. The verified boot loader ensures that only trusted software is loaded during the boot process, which provides an additional layer of security against sophisticated threats.

After clearing the OS installation hurdle, the usage of Trusted Launch is similar to Standard.

Regarding the installation of applications such as Node and NPM packages, you can install them freely without having to subject them to clearance. However, it is important to follow best practices for securing your VM and applications. For example, you should keep your VM and applications up to date with the latest security patches, use strong passwords, and restrict network access to only what is necessary. You can also use Azure Security Center to monitor and manage the security of your VM and applications

Share via

How to decide whether to take Trusted Launch or not?

2 answers

Your answer