Rotating GCP Customer Managed Encryption Key (CMEK) for Citrix MCS

book

Article ID: CTX327875

calendar_today

Updated On:

Description

Overview
As of August 2021 Google Cloud Platform does not provide a mechanism for updating the Customer Managed Encryption Key (CMEK) version on an existing persistent disk. This effectively means that once a disk is created using customer managed encryption keys, the disk is tied to that key and key version for the lifespan of the disk. You cannot rotate CMEKs for an existing disk and then disable the previous version (because all of your existing disks would become unusable).

Why would you want to rotate CMEK versions?
Rotating cypto key versions is a good security practice.

What CVAD/MCS resources are created on GCP using customer managed encryption keys?
In the case of MCS on GCP, this approach is necessary for rotating keys for existing identity disks. This is because these identity disks get created during catalog provisioning, and then exist for the machine's lifespan.

Catalogs of Persistent Machines
For catalogs of persistent machines, this approach is also necessary for the following disks:

OS disk
Write Back Cache (WBC) disk. Note: this is only applicable if your catalog has MSCIO enabled and the WBC disk is configured to persist on power cycles.

Catalogs of Non-Persistent Machines
For catalogs of non-persistent machines, this approach is not necessary for the following disks:

OS disk
Write Back Cache (WBC) disk. Note: this is only applicable if you have MSCIO enabled.

You can update the CMEK version of these disks when you upgrade your Non-Persistent catalog. Update the CMEK version in the ProvScheme CustomSettings using the Set-ProvScheme cmdlet (https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/2009/MachineCreation/Set-ProvScheme/) and then update the machines in the catalog. The next time the machines boot, these disk will be recreated with the updated CMEK version.

Instructions

How to rotate CMEK Keys for Persistent Disks

To our knowledge, the only way to rotate the key for an existing persistent disk is using the following approach:

IMPORTANT:

When manipulating or replacing storage resources, there is a risk of data loss. Exercise extreme caution in following the steps described below in order to minimize the risk of data loss. It is highly recommended that you (i) back up any and all data prior to utilizing this approach and (ii) confirm that the machines continue to work as expected before deleting the snapshot. Citrix is not responsible for any loss of data associated with your use of this approach and this information is provided to you “as is” without any guarantee of any kind

If the disk is attached to an instance, power off the instance and detach the existing disk.
1. This may need to be done from the gcloud CLI - https://cloud.google.com/sdk/gcloud/reference/compute/instances/detach-disk
Create a snapshot of the existing, detached disk (using Google managed keys)
Note (copy and save) the existing disk's name (as we will be recreating the disk with the same name). Then delete the existing disk.
Recreate the disk from snapshot (specifying new CMEK).
Attach new disk to the instance
Power on the instance. Confirm it boots successfully and registers with the Broker. Confirm the machine continues to work as expected.
Delete the snapshot

Sample PowerShell Script

This script will automate the 6 steps above for replacing the identity disk of a single machine.

The script assumes you have installed the gcloud SDK and authenticated with Google Cloud Platform.

### Update these parameters

$projectId = "my-project-id"
$region = "us-east1"
$zone = "us-east1-c"
# Name of the instance you'd like to update
$instanceName = "my-instance-01"
# The updated crypto key version
$kmsKey = "projects/my-project-id/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-crypto-key/cryptoKeyVersions/2"


### Start Script

# NOTE: if the disk you are updating is the boot disk, the disk name should be the same as the instance name (i.e. do not append "-id-disk")

$diskName = $instanceName + "-id-disk"
$snapshotName = $instanceName + "-temp-snapshot"

Write-Host "Setting project to $($projectId)"
gcloud config set project $projectId

Write-Host "Detaching disk $($diskName) from instance $($instanceName) in zone $($zone)"
gcloud compute instances detach-disk $instanceName --disk=$diskName --zone $zone

Write-Host "Taking snapshot $($snapshotName) of disk $($diskName) in region $($region)"
gcloud compute disks snapshot $diskName --snapshot-names=$snapshotName --zone $zone --storage-location $region --description "[Citrix] Temporary snapshot of disk '$($diskName)'"

#WARNING: Unrecoverable action - backup this disk before deleting it.

Write-Host "Deleting disk $($diskName) in zone $($zone)"
gcloud compute disks delete $diskName --zone $zone --quiet

Write-Host "Creating disk $($diskName) from snapshot $($snapshotName) in zone $($zone)"
gcloud compute disks create $diskName --source-snapshot $snapshotName --kms-key $kmsKey --zone $zone

Write-Host "Deleting temporary snapshot $($snapshotName)"
gcloud compute snapshots delete $snapshotName --quiet

# NOTE: if the disk you are updating is the boot disk, append the '--boot' parameter to this command
Write-Host "Attaching disk $($diskName) to instance $($instanceName) in zone $($zone)"
gcloud compute instances attach-disk $instanceName --disk=$diskName --zone $zone

Write-Host "Updated disk:"
gcloud compute disks describe $diskName --zone $zone

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"