confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

Azure: Encrypt the podvm image in the shared gallery #1271

Open surajssd opened 1 year ago

surajssd commented 1 year ago

Right now we don't specify anything regarding podvm encryption; I think it can be enabled for Azure. Here are some of the resources:

katexochen commented 12 months ago

What would be the benefit of encrypting the podvm image? Are we storing any secrets in it?

surajssd commented 12 months ago

@katexochen I was wondering, since we don't do measurements of components like kata-agent, AA, etc., whether this could be one of the ways to ensure security for the tenant from the CSP?

katexochen commented 12 months ago

How would the key release for the image work when booting? With MAA + Azure KMS?

And why aren't we measuring these components? If I remember correctly they are part of the VM image so they should be measured by the bootloader and into a vTPM PCR on Azure.

surajssd commented 12 months ago

How would the key release for the image work when booting? With MAA + Azure KMS?

I am not sure yet, will have to look into it.

And why aren't we measuring these components? If I remember correctly they are part of the VM image so they should be measured by the bootloader and into a vTPM PCR on Azure.

Right now we don't have a mechanism to do it: ERR_NOT_IMPLEMENTED 😬

katexochen commented 12 months ago

Right now we don't have a mechanism to do it: ERR_NOT_IMPLEMENTED 😬

You're right, somehow I assumed the Ubuntu CVM image would do some magic, but it doesn't.

kartikjoshi21 commented 11 months ago

Tried podvm image encryption using Packer and Azure Shared Image Gallery.

  1. Direct encryption of the podvm image after setting disk_encryption_set_id in the Packer config is not possible, as currently Packer doesn't provide a way to do so and the image build fails with the error:

    Setting a disk encryption set ID is not allowed when building a VHD or creating a Managed Image, only when publishing directly to Shared Image Gallery

  2. Another way in which this can be done is to enable encryption in the Packer VM, which we can do by running a shell provisioner while building the image using the Packer config; this shell will run the respective az CLI commands, which will instruct Packer to build an encrypted image. But the limitation is that we will have to install az on the Packer VM and also need to provide it appropriate login credentials.

So either we can wait for upstream changes in Packer to provide support for encrypting the image while building, or we can divide our image building process into two steps.

  1. Build the image
  2. Encrypt and upload to the Shared Image Gallery. cc: @surajssd
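Step 2 of that two-step flow, as an added example that is not code from the cloud-api-adaptor project: publish an already-built managed image into the gallery as an image version whose OS disk image is encrypted with a customer-managed key from a disk encryption set, then read the version back to confirm the DES is actually attached. Every resource group, gallery, image and DES name or ID below is a placeholder.

```shell
#!/bin/sh
# Added example for step 2 (build first, encrypt on upload); not project code.
# All resource names and IDs below are placeholders to be replaced by the caller.
set -eu

# Accept only a full ARM resource ID for the disk encryption set (DES), so the
# image version cannot silently resolve to a same-named DES elsewhere.
des_id_is_valid() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/diskEncryptionSets/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose `az sig image-version create`: import the managed image into the
# gallery and encrypt the OS disk image in the target region with the DES key.
# Printed rather than executed so the command can be reviewed first.
sig_publish_cmd() {
  rg="$1"; gallery="$2"; def="$3"; ver="$4"; image_id="$5"; des_id="$6"; region="$7"
  des_id_is_valid "$des_id" || { echo "invalid disk encryption set id: $des_id" >&2; return 1; }
  printf 'az sig image-version create --resource-group %s --gallery-name %s' "$rg" "$gallery"
  printf ' --gallery-image-definition %s --gallery-image-version %s' "$def" "$ver"
  printf ' --managed-image %s --target-regions %s' "$image_id" "$region"
  # Per-region format is <os_des>,<lun>,<lun_des>; a podvm image has only an OS disk.
  printf ' --target-region-encryption %s\n' "$des_id"
}

# Compose the read-back of the stored version's per-region OS disk DES id.
sig_verify_cmd() {
  printf 'az sig image-version show --resource-group %s --gallery-name %s' "$1" "$2"
  printf ' --gallery-image-definition %s --gallery-image-version %s' "$3" "$4"
  printf ' --query "publishingProfile.targetRegions[].encryption.osDiskImage.diskEncryptionSetId" -o tsv\n'
}

# Read tsv lines from stdin: every region must report a DES id, none may be empty or null.
all_regions_encrypted() {
  n=0
  while IFS= read -r line; do
    n=$((n + 1))
    { [ -n "$line" ] && [ "$line" != "None" ] && [ "$line" != "null" ]; } || return 1
  done
  [ "$n" -gt 0 ]
}

if [ "${RUN_AZ:-0}" = "1" ]; then  # RUN_AZ=1 executes against Azure; needs `az login`
  SUB=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/podvm-rg/providers/Microsoft.Compute
  eval "$(sig_publish_cmd podvm-rg podvm-gallery podvm 0.1.0 "$SUB/images/podvm-image" "$SUB/diskEncryptionSets/podvm-des" eastus)"
  eval "$(sig_verify_cmd podvm-rg podvm-gallery podvm 0.1.0)" | all_regions_encrypted && echo "OS disk image encrypted in all regions"
fi
```

The read-back is the part worth keeping in CI: a version created without `--target-region-encryption` still succeeds, so only the `diskEncryptionSetId` query proves the gallery copy is encrypted with the tenant's key rather than the platform default.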