Protect disk content

Michael Lu 1 Reputation point
2020-09-01T19:09:50.83+00:00

I have a Linux image on the marketplace. With the Azure BYOL listing, users can get this Linux image and create a virtual machine from it.

The virtual machine created from this Linux image is guarded by credentials, so that no one can access the disk and the intellectual property saved on disk can be protected.

However, when a user deletes the virtual machine, the corresponding disk will not be deleted.
Then this disk can be attached to any other Linux VM within the same resource group.

It will expose everything on this disk.

Is there a possible way to prevent my disk from attaching to any other Linux VM?

My current idea is to encrypt partitions on my disk, such as by using the tool dm-encrypt, but I'm also looking for alternative solutions which can leverage some sort of cloud-native functions.

I understand that the same issue also happens in a physical environment, i.e. anyone can take the physical hard disk and attach it to any other physical Linux machine to access the content.
But I'd like to focus on virtual cloud environment and assume I have other ways to protect the physical machine for now.

I'm sure someone else would have the same problem. I searched the forum but didn't find similar questions, so I hope this post could help to get more relevant answers.

Azure Virtual Machines

2 answers

  1. prmanhas-MSFT 17,891 Reputation points Microsoft Employee
    2020-09-02T08:42:14.163+00:00

    @Michael Lu You can use Azure Disk Encryption. It will still use dm-encrypt, but it will store the key in an Azure Key Vault; it would be the Azure-recommended solution.

    Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

    You can refer to this for more information.

    The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.

    If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.

    You can refer to this article to Create and configure a key vault for Azure Disk Encryption.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

    1 person found this answer helpful.

  2. Michael Lu 1 Reputation point
    2020-09-02T18:43:12.17+00:00

    @prmanhas-MSFT , Azure Disk Encryption doesn't help in this case. The disk is already created with disk encryption on Azure.

    Let's have an example to explain what the issue is:

    1. Company A developed a Linux service. This service can be subscribed to by purchasing a license.
    2. Company A created one Azure disk and installed its Linux service on this disk. Note: this Azure disk is already encrypted by Azure Disk Encryption, which is enabled by default.
    3. Company A created an Azure image and listed this image on the marketplace under BYOL (Bring Your Own License).

    Now company A's Linux service is ready for sale.

    1. Customer B purchased this Linux service. B also bought a license, so B can download the Azure image.
    2. Customer B downloaded A's Azure image, and created a Linux Virtual Machine (VM1) from it.

    So far, so good. Customer B doesn't have access to the console of VM1 (the Linux service is provided through the network, so A doesn't provide Linux console access).
    The source code on VM1 is protected because B doesn't have Linux console access to VM1.

    But the problem happens if B also has another standard Linux Virtual Machine (VM2) in the same resource group as VM1.

    1. The customer detached the disk from VM1, and attached this disk to VM2 as an extra disk.
    2. B logs into VM2, and mounts this extra disk.
    3. Now B can access all the content on the disk which should belong to VM1 only.
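
An added example, not part of the thread and not Microsoft tooling: the scenario above depends on two things Azure reports per managed disk, whether the disk outlived its VM and whether it carries Azure Disk Encryption settings or only storage-side encryption at rest, which is transparent to whichever VM the disk is attached to. The sketch below audits `az disk list -o json` output for both; the function names are made up for this example and the sample records are constructed.

```python
import json

# Constructed sample in the shape of `az disk list -o json` (not real resources).
SAMPLE = json.loads("""
[
  {"name": "vm1_OsDisk", "diskState": "Unattached", "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null},
  {"name": "vm2_OsDisk", "diskState": "Attached",
   "managedBy": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm2",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": null},
  {"name": "vm3_DataDisk", "diskState": "Unattached", "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": {"enabled": true, "encryptionSettingsVersion": "1.1"}}
]
""")


def classify(disk):
    """Return (attachment, protection) for one managed-disk record."""
    attached = bool(disk.get("managedBy")) or disk.get("diskState") == "Attached"
    settings = disk.get("encryptionSettingsCollection") or {}
    if settings.get("enabled"):
        # Azure Disk Encryption: dm-crypt volume in the guest, key in Key Vault.
        protection = "ade"
    else:
        # Storage-side encryption only: decrypted transparently on read.
        protection = (disk.get("encryption") or {}).get("type", "unknown")
    return ("attached" if attached else "orphaned", protection)


def audit(disks):
    """Names of orphaned disks that have only storage-side encryption."""
    findings = []
    for disk in disks:
        state, protection = classify(disk)
        if state == "orphaned" and protection != "ade":
            findings.append(disk["name"])
    return sorted(findings)


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"orphaned disk without guest-level encryption: {name}")
```

Against a live subscription, feed it the parsed output of `az disk list -o json` instead of `SAMPLE`.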