Azure Virtual Machine (VM) encryption – Make it faster on Linux

During one of my last project with a customer who works with highly sensitive data, I got a request that every VM which stores data on its disks need to be encrypted. There is more than one way to do that, like using PowerShell or ARM template extension. There were both Linux and Windows VMs in the mix and with normal servers everything went without issue.

Issue

During the deployment of one of the Linux servers, after half an Hour wait I got a bit worried. It is true, the server has 12 data disks attached and each disk is 1024 GB in size, but with smaller servers it was so much faster.

Investigation

I started to dig around in Azure to find some answers. The real surprise came when I checked the status of the encryption. After an Hour it was still running on 0%. Ooops, it should be more.

Then I started to look around and find possible differences between the encryption is used for Windows and Linux machines in Azure. For Windows, of course the used method is BitLocker and for Linux, it is dm-crypt. When I checked the description how these solutions are working, I understood the reason why the progress was still 0% after an Hour running time. While BitLocker encrypts the data written on the disk, the dm-crypt runs over on the whole disk(s) and encrypt it block-by-block.

I calculated the necessary time for encrypting one of these servers and the result was 2 weeks, even with Premium disks (which is usually 10x faster than Standard). The next step was obvious, we need to find a faster solution. Fortunately, Microsoft was able to give us a solution

Solution

Microsoft already realized a while ago that the demand for Linux machines and encrypted Linux machines are getting higher and higher and the current encrypting solution is reliable, but it has its limitations, so they started to develop a new feature. This is the EnableEncryptionFormat option which is working in a similar way as BitLocker. It marks the volume to be encrypted and instead of encrypting the disk(s) block-by-block, it encrypts the data written on it. The solution at the time was only in development phase so, it was not advertised publicly and because of that, it was only available using ARM template configuration. But it did the trick, because our Linux encryption went lightning fast 😊

Enterprise Mobility Workshops - 24th November 2015 - London | 9:00am – 3:00pm

Leave a Reply

Your email address will not be published. Required fields are marked *