Encrypting Red Hat Enterprise Linux (RHEL) on Azure
Environment
- Red Hat Enterprise Linux (RHEL) 7
- Microsoft Azure
Issue
- Customers want RHEL encryption on Azure
Resolution
Network Bound Disk Encryption (NBDE) is supported by Red Hat for Red Hat Enterprise Linux (RHEL) 7.5 and later in Microsoft Azure for customers using Red Hat Cloud Access. NBDE allows LUKS-encrypted volumes on physical and virtual machines (VMs) to be unlocked automatically at boot, so that nobody has to enter a passphrase manually when a system restarts. Consider NBDE if you want the same encryption solution, and the same support, across on-premises, public cloud, private cloud, hybrid cloud, or multi-cloud deployments.
For more details about NBDE, see the Red Hat Enterprise Linux 7 Security Guide.
Users may use Azure Disk Encryption (ADE) for on-demand (Pay-As-You-Go) operating system disks on currently supported versions of RHEL in Microsoft Azure. Data disks may be encrypted for any supported version of RHEL on Azure.
- ADE support is provided solely by Microsoft; Azure Disk Encryption is not fully supported by Red Hat for Red Hat Enterprise Linux.
- ADE is not supported on operating system disks for RHEL VMs in Microsoft Azure when using Red Hat Cloud Access (BYOS).
- ADE is not supported for operating system disks in RHEL 6 or in any version of RHEL where the Red Hat-shipped packages have been modified.
There are some special considerations when encrypting in cloud environments. The LUKS master key is generated once, when the volume is formatted, and is stored (wrapped by each key slot's passphrase) in the LUKS header, which is copied along with the image. All VM instances created from a given LUKS-encrypted image therefore share the same LUKS master key.
We recommend that you do not share the encrypted image (including user-created and generalized images) outside of your Azure subscription. We also recommend that you limit the number of instances instantiated from a single image, so that one LUKS master key is not shared across different workloads.
The ratio of images (and therefore of distinct LUKS master keys) to VMs can range from one image per VM, which is the strongest arrangement, to a single image for all VMs, which is the weakest. Use the deployment's security policy and risk tolerance to determine the exact ratio. We recommend that you create a customized image with its own LUKS master key for each group of instances of a similar type: for example, a separate custom image for database servers, identity servers, application platform servers, and so forth.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.