learn about the cloud using qwiklab

posted Aug 24, 2014, 10:02 AM by Charl Pels

learning and getting to know AWS solutions works best by just testing and reading the many good support sites of AWS, however if you want to have hands on experience with AWS cloud solutions without just start reading and testing solutions is a good place to start.

Trend Micro Secure Cloud the test drive

posted Aug 9, 2014, 2:20 AM by Charl Pels   [ updated Aug 9, 2014, 2:54 AM ]


Using cloud services is getting cheaper and cheaper and to more companies are looking for cloud solutions as an option to lower IT costs.

For most EU based companies storing data a US based cloud can be an issue because of patriot act and other laws and off course because of compliancy requirements, that is why companies like Trend Micro are developing solutions to encrypt virtual disks in the cloud or even in private clouds.

If you are looking at a simple solution to encrypt Windows Data Disks, then please read alsothis article for a solution based on Bitlocker at no extra cost.

There are multiple articles that explain how to install Trend Micro, however there are more things important like restoring disks, cloning and automatic installation.

How Secure Cloud is working

SecureCloud applies real-time, full-disk encryption to protect disk drives using the following components:

  • Key Management Server: The key server hosted by Trend Micro or a Managed Service Provider
  • Web Console: The console where SecureCloud administrators can review and approve pending key requests, check device status and integrity, set up policies, manage devices, check reports and logs, and manage user accounts
  • SecureCloud Agent: A software application that communicates with the Key Management Server and performs device encryption

Source of this info:

SecureCloud System Requirements

The target machine must meet the following minimum hardware specifications:

The SecureCloud Agent can operate in the following CSP environments:

The SecureCloud Agent can operate on the following platforms:

On premise or SAAS?

One of the first choices you have to make is the location of the management server.
The Key Management Server is the server hold the encryptions keys so it is a very important part of the secure cloud solution.
You have 2 options here for this.
A SAAS solution from Trend Micro and an on premise solution where you host the management server yourself.

I personally like the SAAS solution but one of the reasons some companies use disk encryption is the fear for services like the NSA and the Trend Micro secure cloud solution will be just as vulnerable as the cloud providers like Amazon, Azure and many others.
The Trend Micro datacenters were the Secure Cloud SAAS solution runs in is only ISO27001 certified (

In the next sections I will talk about the SAAS solution because that is part or the trail you can order here

When I have more information about the on premise solution I will update the article.

The Secure Cloud installation manual

When you sign up for a trail you also get access to a manual, I recommend you read it, here is the link of the manual

The web interface.

The management part of secure cloud is web based and the interface is very simple, here are some steps with pictures you have to take to for encryption to work.

When you login for the first time to the console you see a screen like this.On the left you see a few options.

For this test I created a very simple policy that always applies.In production you have many options for filtering.

For example only allow unlocking of disks when the servers are coming from a specific amazon region or one of the many other options.

Next we decide when we allow the unlocking of disks.In this sample we auto approve

Now press save and where are done with the policies.

Last step is to copy the Account ID and the Provision passphrase.
You need this later when you install and configure the agents.

Manual Install an agent

The installation can be done in two ways, manual (small setup) and an unattended way that I think fists better in most environments.
Let’s start with the manual way.

Windows OS.

For this demo I use a standard Windows 2008 R2 server but I have also tested on Windows 2012 R2 and saw no issues.The server has 2 disks, one is the OS disk and one is a standard data disk.

If we downloaded the agent from the TrendMicro website (download like is part of your welcome mail).Unpack and start the setup this would we your first setup screen.

Accept the license
Use the default setting Created a local accountPress next

For this demo I use a typical installation.If you choose Custom please make shure you read the presented popup

Warning if you choose custom

And that is the end of the setup press finish and your system will restart.
After the server is restarted you will see the Configuration wizard.Here you can type your Account ID and Passphrase that you saved from the web interface.

Now press configure

If all goes well you should see your server in the Secure Cloud management console.
You can now start the encryption from the wizard or from the management console.

Linux OS

The linux version installation is always command line driven and for custom kernels there are some extra steps to take, more info can be found here

To install the agent in Linux just execute the bin file you can download from TrendMicro.
The installation will now start the configuration with the command./var/lib/securecloud/

scroll to the license agreement.
Type yes at the end.

Select the environment that you are using.
Here you can type your KMS Account ID that you saved from the web interface.
Type the url of the secure cloud management server, in this case we use the SAAS solution so we can leave this blank.
Here you can type your Passphrase that you saved from the web interface.
The configuration is now finished

Boot disk encryption not always working

For the previous screenshots I used a paravirtual amazon AMI

This default AWS image seems to give issues with the boot volume encryption as you see in the next screenshot

Errors that you may get

During installation of the linux agent I faced a couple of errors like libcrypto.s0.10 errorsTrendMicro has a support article for services running the agents that can be found here.

The SecureCloud Agent fails to verify the SSL connection to the KMS when OpenSSL is ugpraded to a version from February 11, 2013 or above.

This fix won’t help to install a new agent/server in a correct way.

The best solution would be to install version 3.6 service pack 1

Please note that during testing I noticed that when you install the non Service Pack 1 version, and then start upgrading to SP 1 can give you install errors.

Automatic Install an agent

Yes you can install the secure cloud agent using a setup wizard I think that is not the best way to install the solution, fortunately TrendMicro is delivering 2 setup versions, one for the manual installation and one silent installer.
Next to the installation you also need to create an ini file and give some commands you can add to your existing scripts.

Step 1

create an ini file with the following content

ACCOUNT_ID=<Your account ID>
POLICY=Default Policy

For Windows: Save this file in C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\ and give it the name agentconfig.ini

For Linux: Save this file in /var/lib/securecloud/ and give It the name agentconfig.ini

More info about this part and the vcloud config can be found here:

Step 2

For Windows: go to C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\ and type scprov conf -c agentconfig.ini -x “<Youre Provision passphrase>” -q

For Linux: Save this file in /var/lib/securecloud/ and type scprov conf -c agentconfig.ini -x “<Youre Provision passphrase>” –q

Here is the list with options

More info can be found here:

Clone a virtual encrypted server

For most environments cloning is a normal way of working, so it is important that cloning is supported by the encryption solution you chose.

Here are the steps you need to take to clone a server with encrypted disks.


First make Shure your original/master/source/template server is turned of and then start the clone version of the server
Stop the secure cloud agent
Navigate to the appropriate directory:click Start and type cmd to open a command shell, then enter cd C:\Program Files (x86)\Trend Micro\SecureCloud\Agent\
Start the Configuration Toolsc_config.exe
Run the clone scriptBecause my passphrase contains an ‘,’ is placed the password inside “” else you get an error.

scconfig.exe –clone-this -x <passphrase>


Administrators can specify the clone name and assign a policy to the clone using the following parameters: 

  • clone-image-name <image name>
  • –policy-name <policy name>

If the name is not specified, the clone is identified by its machine name in the inventory. Similarly, if the policy is not specified, the Default Policy is automatically assigned to the clone.

As you can see the cloning was successful

The clone is added to the inventory

Start the SecureCloud Agent service

You can now also start the source server


First make Shure your original/master/source/template server is turned of and then start the clone version of the server
Stop the secure cloud agent/etc/init.d/scagentd stop
Navigate to the appropriate directory:cd /var/lib/securecloud/
Start the Configuration Tool./
Run the clone –clone-this -x <passphrase>

Administrators can specify the clone name and assign a policy to the clone using the following parameters: 

  • clone-image-name <image name>
  • –policy-name <policy name>

If the name is not specified, the clone is identified by its machine name in the inventory. Similarly, if the policy is not specified, the Default Policy is automatically assigned to the clone.

The clone is added to the inventory

Start the SecureCloud Agent service

/etc/init.d/scagentd start.

You can now also start the source server

TIP: Speed verses ease of deployment

You basically have two options for cloning servers, both have their dis (advantages).

Using templates with no encryption software installed.

  • Easy to deploy, just clone your servers like you do know and then install the secure cloud encryption agent using a script or manual.
  • You can work with templates like u use to do and always use the latest securecloud agent versions withoud upgrade path or even switch over of combine different encryption software solutions depending on requirements and costs
  • Since templates are not encrypted you may save a bit on license costs.

Using templates with secure cloud encryption software installed.

  • Cloning encrypted disks takes a bit more work but the disks are always encrypted so you don’t have to wait for encryption of disks is finish.
  • You templates are also encrypted and less likely to be tampered with

Source for cloning info:

Increasing encrypted volume size

Increase the size of an encrypted volume in Secure Cloud is one of the tasks that will need to be done once in a while, for this a step by step instruction is available at

Export the encryption keys

To lower costs or for backup purposes you can export the encryption key so you can import them later if you want to recover encrypted disks.

To export the keys you have to create a new user and give him the role of security Administrator.That is the only role with the permission to export the encryption keys.

We are no logged in with a user that has the security administrator role assigned to him.When we go to a server we have the option to export the encryption keys.

Now select the disks and press export keys

You now can type are passphrase to secure the keys with.When you press Export Keys the keys will be downloaded.

Save the keys I to a secure place and don’t leave then in you download folder!!

Your keys are now exported.
You can now login with the administrator roleSelect the server and remove the Keys

There is now way to bulk export all the keys in your environment and you could delete the keys from you management console to save license costs (disks and or servers have to have an offline state else you can’t remove them).

Import the encryption keys

If you have note removed the server from your inventory you are still be able to recover the operating system.Press Import key

If you only case about the data than your cloud mount the encrypted disk to a server with the Trend Micro secure cloud agent already added.

Select the key file you created during export.Type the passphrase u typed during the key export.

Press import. 

Repeat the import procedure for all other disks.
Press Save when you are finished with importing all keys.

Autostart Windows server products and roles

During the development of the free bitlocker solution, I noticed that some functions won’t work or need special attention so I decided to test some configurations that may also give issues with the Trend Micro Solution.

For this I created a standard Windows 2012 Server with 2 disks (C: the OS and boot disk and an extra disk called E:)
All disks where standard NTFS with no special storage settings, all software installed with default settings only the location of the database are different.

I configured the Secure Cloud agent to encrypt all disks so the OS and other disks like in my case the data disk called E:

Software product or roleinstall all software on encrypted C:install Database files on encrypted E:Commend
Windows Role Active DirectoryYesNoIf you move the NTDS databases to other disks than the OS/Boot disk your server will not come online anymore (also tested in VMware workstation to see impact since Amazon is not having console access).
SQL Server 2012YesNoIf you install SQL server on other disks then the C: SQL will not start automatically.
You have to wait until the secure cloud agent has unlock the disks and then start SQL server.

Vendor locking

The encryption works as expected but I notice one limitation, there seems to be no decryption option.
Basically you can’t remove secure cloud from your servers without loose of data you have to do a V2V or data migration.

Also this is in the readme file
Uninstallation of the SecureCloud Agent is not possible if the boot volume is encrypted.

I also not able to find information to decrypt the data disks but the older readme files are giving some clues.
SecureCloud 2.0 Runtime Agent does not support an upgrade from a 1.x version of the product. Also, it cannot access volumes encrypted with SecureCloud 1.x Runtime Agent. Therefore, you need to do a manual migration of any SecureCloud 1.x data before it can be accessed using the SecureCloud 2.0 Runtime Agent.


Design considerations

When you are designing a AWS cloud environment based on EC2 servers with Secure Cloud keep the following in mind

  1. Plan how you configure your disk layout, do you install software like SQL all on one big disk or do you use multiple disks but have to create a script to prevent your server product from starting until all encrypted disks are unlocked and available for use.
  2. Keep in mind is that you need to make absolutely shure that your servers can access your secure cloud management server or the SAAS solution, else you are not able to startup the servers again, this is a very important part of your high available or disaster recovery design.
  3. Remember that if you use snapshots as a backup solution, they are also encrypted and therefor only available if you mount the disks to the same server or to other servers if you have the encryption keys available.


TrendMicro Secure Cloud 3.6 is a big improvement when you compare it with the previous versions and is now also capable of encrypting the boot/OS disks bit it is still not a perfect solution.
With tools like Secure Cloud you my solve some issues regarding data storage in the cloud but with a cost of being unable uninstall the product in the feature without data or server migrations.
Personally if you have the choice, it may be enough to only encrypt the disks that are containing actual data because they are easier to recover, for that you could use bitlocker or the new Amazon EBS encryption option.

As a last resort you could implement disk encryption solutions like TrendMicro Secure Cloud.


Here are some articles that are good to know.

Logging on to the SecureCloud Web Console Using a Multi-factor Authentication Code

Troubleshooting Amazon EC2 Boot Volume Encryption

SecureCloud Agent System Requirements

Free disk encryption solution for windows servers in the cloud

posted Aug 9, 2014, 1:53 AM by Charl Pels   [ updated Aug 9, 2014, 1:57 AM ]


One concern most people have when going to the cloud is the feeling their data is visible for everyone who can access the virtual hard disks. To limit this risk many operating systems can use some form of encryption, for Windows we have 2 default options Bitlocker and EFS (Encrypted File System).

The benefit of bitlocker is that the disk encrypted and not only the files, of course you can combine the two solutions. Please test the solution in a lab first and make Shure that it fits your needs, I am not responsible if you lose access to disks, data or servers. Use at your own risk!!!!!

The code is at the end of this article.

Some good to know information

  1. In current state the script is a login script running under the computer account, because of this when you add new disks to a server je need to restart the server to encrypt the disk. Don’t do this under your administrator account or something because the script stores the encryption key in combination with the user that starts the encryption so if for example your admin account triggers the encryption the server can’t access this unlock key because only the admin is allowed. You can change this off course, the database is readable and simple and this user filter is in the SQL stored procedures. There is one workaround I also used for testing, call the script in a scheduled task that runs under the system account.
  2. The login script is checking that bit locker is installed this costs time, if you want to speed up the script then make Shure bitlocker is installed in some other way, for example part of your image, then you can remove this part off the script.


The Focus for us is encrypt data disks in Windows running in a virtual environment including cloud environments like azure and amazon aws, you can of course also use this solution in your own private cloud.

Because we would only encrypt data disks in the cloud we need to prevent that encryption keys are available in the cloud, to make this possible this solution stores al encryptions keys in a central SQL server database you can run on premise and store in an encrypted form.

Third-party options

For disk encryption there are multiple solutions like Trendmicro securecloud the downside is that it add additional costs but is unlike the bitlocker solution able to encrypt the operating system.

No OS disk encryption

We will not encrypt the Windows operating system disk (C:), the reason for this is that virtual environments don’t have A TPM chip we need to encrypt operating disks and also Bitlocker on OS disks is not supported for use in virtual environments.

Bitlocker and Microsoft support.

Currently Microsoft is not giving support for bitlocker in virtual environments, this does not mean you can’t use it but if there are issues with a virtual server that uses bitlocker you may need to unlock and decrypted the disk first. (Decrypting can be done when server is running, no restart required).

The basic setup

The basic setup for this solution to work is, one SQL server or cluster of SQL servers and a script running on your servers.


How the solution is working

First time

  1. The first time the script runs it will check the encryption status, all disks not C: drive will be encrypted and the encryption keys will be stored in a central SQL database.
  2. You have the option to prevent services like SQL, Exchange etc on your encrypted disks from stating till disks are unlocked (this is managed in the bitlocker script), applications known by the script will be change from automatic to manual starting.

Next time the server restarts

1. Services like Exchange and SQL will now be prevented from starting until the bitlocker script has unlocked all disks. 2. The bitlock.ps1 script will connect to the database using the computer account credentials, the database will return the needed encryption keys so the script can unlock the disk 3. After unlocking the disks the script will start the services that it manages.

Installation of the script.

You have multiple options to deploy and implement the solution, for this we have chosen for a Active Directory policy in combination with a local policy to speed up the unlock process.

Create a highly available fileshare or use the netlogon folder for holding the scripts bitlock.ps1 and bitlockstart.cmd and a folder with the name local with a second version of the bitlockstart.cmd for local use. This are the most important components where the batch will trigger the bitlock.ps1 script.

Alter the following settings in the bitlock.ps1 script. In the Services to alter section you can add services that needs to be prevented from starting wile disks are still locked. #———————————————————————– #Alter the settings to match your environment #———————————————————————–
#Services to alter $services +=”MSSQLSERVER” $services +=”SQLSERVERAGENT” #$services +=<your services>
#Database to store the keys $sqlserver = “SQL Server or cluster” $sqldbname =  “Database name (default bitlock)”
#———————————————————————– #End Alter the settings to match your environment #———————————————————————–

Next create a policy or add the script to an existing policy, here are settings that works perfect with this script, It will prevent users from login to the server until disks are unlockt and profiles are accessible by the system.


For redundancy, speedup the starting process and standalone use you can use a local policy, de default script with this document are always copying the latest version of the backup script to c:\windows\bitlock\

Security and permissions

SQL Database


The SQL server will hold all encryption keys and without that information you can’t access the disks anymore. Next to that, losing the database you may give others access to the resources. For this we recommend to implement an SQL Always on cluster or other cluster solution. To prevent that others gain access to the keys we recommend the following. Implement database encryption (SQL 2012 feature) and always encrypt communication between SQL server and clients (SQL Feature), IPsec is also an option.

Depending on your needs you can use all versions of SQL (Express, Standard, Enterprise) but it is depending on your requirements like high availability or database encryption. To compare options between SQL versions please check this link

Access Credentials

In our setup we use the existing computer accounts because of the following reasons • Computer account passwords will change every 30 days by default • The SQL code we use checks the user requesting the encryption key, by using computer accounts only the computer needing the key can access it. • We don’t have to store extra account information in the cloud and as always less is better.


Installation of the SQL database server

I will assume you already have installed SQL with your needed specifications like cluster config etc etc and it is running is a “safe” location and that you have installed a server certificate to make secure connections between the clients and server. In this sample we use a SQL express with tools version (free edition) that will be running as a default instance, you can always use other versions like standard or enterprise if you need clustering and database encryption.

Create a local group

First create a new local group on the SQL server with the name bitlocker-access and add the domain groups Domain Computers and Domain Controllers to this new local group and press create. You could also use a domain group but using a local group can give you options to give non domain members access to the database later on.

This group will be used to give very limited permissions in the SQL database.

Configure secure connections

Since configuring SQL servers to use secure connections is not a standard for most people we document the steps here. You can also follow the instructions found here


Open the SQL Configuration manager.
Expand SQL Server Network Configuration, right-click the protocols for the server you want, and then click Properties.
Click Force Encryption and select Yes
Select your certificate.Press Ok
If you not use SQL Express this step is now done and you can restart the SQL Service.Is you use SQL Expres please follow the next steps
For SQL Expres enable TCP/IP, other versions have this on by default.

If SQL server will not restart anymore afther this please look in the eventlog and see if you have errors like.


In that case please look at fixing certificate issues elsewhere in this document

Open the Windows Firewall

SQL Servers are listening on port 1433 (if you use an SQL instance you may need to add port 1434 also), we have to configure the firewall to open that port. Please type this at the command line netsh firewall set portopening TCP 1433 “SQLServer” If you want to limit access even more you can also configure Connection Security Rules.

Install the Dacpac.

Now open a SQL Server management studio and connect to our server,



Configure Security permissions for the scripts.

For security reasons the bitlocker scripts will have only execute access on 2 stored procedures and so preventing access to the database tables.

First we create a new login
Here we add the group Bitlocker-Access we createdearlier.
In the user mapping section we give the account public access to the bitlock database.Press Ok
Now we gone give the account access to the stored procedures it needs.Go to the stored procedure CreateDiskentry en select properties.
Give the login Bitlocker-Access execute permissions on this stored procedure.
Do the same with the stored procedure getbitlockkey and ​getBitlockkeyfromID.

Fixing Certificate issues.

It can happen that your SQL server will not start after configuring the certificate, in that case please follow the steps you find here.

After some Google searching (a lot, actually) I came across this procedure which seems to have fixed it:

First we need to find the name of the service account used by the instance of SQL Server. It will probably be something like ‘SQLServerMSSQLUser$[Computer_Name]$[Instance_Name]‘.

One way to do this is to navigate to the installation directory or your SQL Instance. By default SQL Server is installed at C:\Program Files\Microsoft SQL Server\MSSQL10_50.InstanceName.

  1. Right click on the MSSQL folder and click Properties.
  2. Click the Security tab and write down the user in the Group or user names window that matches the pattern of ‘SQLServerMSSQLUser$[Computer_Name]$[Instance_Name]‘.
  3. Now, open the Microsoft Management Console (MMC) by click Start -> Run, entering mmc and pressing Enter.
  4. Add the Certificates snap-in by clicking File -> Add/Remove Snap-in… and double clicking the Certificates item (Note: Select computer account and Local computer in the two pages on the wizard that appears.
  5. Click Ok.
  6. Expand Certificates (Local Computer) -> Personal -> Certificates and find the SSL certificate you imported.
  7. Right click on the imported certificate (the one you selected in the SQL Server Configuration Manager) and click All Tasks -> Manage Private Keys…
  8. Click the Add… button under the Group or user names list box.
  9. Enter the SQL service account name that you copied in step 4 and click OK.
  10. By default the service account will be given both Full control and Read permissions but it only needs to be able to Read the private key. Uncheck the Allow Full Control option.
  11. Click OK.
  12. Close the MMC and restart the SQL service.

And here’s the source of the procedure:

Q and A


Q: Why do u use a script and a service and not just a service.

A: Bitlocker is tricky and using WMI of just calling manage-bde seems not to work as expected even when running under a domain admin or system account we were getting permission entry’s.

Q: Why do you use manage-bde in the powershell scripts and not commands like Add-BitLockerKeyProtector etc

A: The powershell commands will only work in combination with Windows 8.1 and Windows 2012R2 and so we limit the use of the script by using them.

Q: Why do u use a batch file for copying and starting powershell scripts instead of policies?

A: I have no real reason, for documentation scripts are easier (less screenshot making) so you can use policies for deployment and running if you want.

Q: Is this the perfect security solution?

A: No, there is no perfect solution and this is just A solution, you are free to make a better one or offcourse you can use a commercial tool. There are also options to encrypt and/or sign the scripts, you could also make a custom web application so the script don’t have to talk to the SQL database and in you could also add a user login screen with two factor authentication. It should also be possible to use truecrypt instead of bitlocker or something else. So please see this as just a starting point.

1-3 of 3