Set-HgsClientConfiguration -EnableLocalMode
To switch back to using HGS, the same command used to configure HGS initially is
executed again.
CREATING A SHIELDED VM
There are many ways to create a shielded VM, including using Windows Azure Pack,
SCVMM 2016, and PowerShell. The Microsoft deployment guide walks through the
options in detail. Scenarios include instances in which the VM is created on-premises
and protected using keys generated on the hosting provider’s HGS, and then the VM
can be exported and then imported to the tenant fabric. The aforementioned Shielding
Data File Wizard helps in those scenarios.
The following example is simple, but it shows the overall process. The first step is to
save the metadata of the HGS service and use that metadata to define a Host
Guardian instance on the host, and then create a shielded VM using the keys from the
HGS. The downloaded metadata consists of the public keys of the HGS encryption and
signing certificates along with other HGS instance information. The hostname of the
HGS in the following example should be changed from hgs.savtechhgs.net to your
HGS name. Once these commands have run, the HGS instance is a known guardian on
the machine. If the VM needs to be started in various environments using different
HGS instances, a guardian for each HGS environment should be added to the local
host that will be protecting the VM.
#Add the required information from HGS to enable key creation
#Download the HGS key-protection metadata (public keys of its certificates)
Invoke-WebRequest 'http://hgs.savtechhgs.net/KeyProtection/service/metadata/2014-07/metadata.xml' `
-OutFile .\SavTechGuardian.xml
#Register that metadata as a named guardian on this host
Import-HgsGuardian -Path 'SavTechGuardian.xml' -Name 'SavTech' `
-AllowUntrustedRoot
$Guardian = Get-HgsGuardian -Name 'SavTech'
In addition to the HGS guardians, a local guardian is used when protecting a VM. The
owner’s local guardian can be used to start the VM if the HGS is not available.
Consider a scenario in which normally the VM runs in a hosted fabric but needs to be
downloaded locally to be examined. The local guardian can be used to decrypt and
leverage the vTPM of the VM. The same owner can be used with multiple VMs; in this
case, I’m naming this JSavillVMs, as they are all of the VMs I protect.
$Owner = New-HgsGuardian -Name '<Owner name, e.g. JSavillVMs>' `
-GenerateCertificates
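The following script is an added example and is not the book's own code. It strings the guardian steps above together and carries the process through to the point the text describes next, applying the resulting key protector to a VM and turning on the vTPM and shielding policy, so that the whole flow can be run and verified end to end. The HGS name, guardian name and owner name are taken from the text; the VM name ShieldedVM01 (assumed to be an existing, powered-off Generation 2 VM) and the metadata file location are assumptions. The guardian lookups make the script safe to re-run, since creating a guardian whose name already exists fails.

```powershell
# Added example, not the book's code. Assumes the HGS at hgs.savtechhgs.net
# from the text; VM name and file location are placeholders.
$HgsHost      = 'hgs.savtechhgs.net'   # from the text; change to your HGS
$GuardianName = 'SavTech'              # from the text
$OwnerName    = 'JSavillVMs'           # from the text
$VMName       = 'ShieldedVM01'         # assumed: an existing, stopped Gen 2 VM
$MetadataFile = Join-Path $PWD 'SavTechGuardian.xml'

# 1. Download the HGS key-protection metadata (public halves of the HGS
#    encryption and signing certificates) and register it as a guardian.
#    An existing guardian with the same name is reused rather than recreated.
$Guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $Guardian) {
    Invoke-WebRequest -Uri "http://$HgsHost/KeyProtection/service/metadata/2014-07/metadata.xml" `
        -OutFile $MetadataFile
    # -AllowUntrustedRoot accepts self-signed HGS certificates (the lab setup in
    # the text); with CA-issued HGS certificates omit it so the chain is validated.
    Import-HgsGuardian -Path $MetadataFile -Name $GuardianName -AllowUntrustedRoot
    $Guardian = Get-HgsGuardian -Name $GuardianName
}

# 2. Create (or reuse) the owner guardian. -GenerateCertificates creates the
#    local signing/encryption pair in 'Shielded VM Local Certificates'.
$Owner = Get-HgsGuardian -Name $OwnerName -ErrorAction SilentlyContinue
if (-not $Owner) {
    $Owner = New-HgsGuardian -Name $OwnerName -GenerateCertificates
}

# 3. Build the key protector: the owner plus every HGS allowed to release the
#    key. Pass one guardian per HGS environment the VM must be able to start in.
$KeyProtector = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot

# 4. Apply it to the VM, then enable the vTPM (the key protector must be in
#    place before the vTPM is enabled) and switch on the shielding policy.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    throw "$VMName must be powered off before its key protector is changed."
}
Set-VMKeyProtector -VMName $VMName -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName $VMName
Set-VMSecurityPolicy -VMName $VMName -Shielded $true

# 5. Verify: both flags should read True, and the key protector read back from
#    the VM should name exactly the owner and HGS guardians you intended.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded
$Applied = ConvertTo-HgsKeyProtector -Bytes (Get-VMKeyProtector -VMName $VMName)
"Owner:     $($Applied.Owner.Name)"
"Guardians: $(($Applied.Guardians | ForEach-Object Name) -join ', ')"
```

The final step is the check worth keeping in any deployment script: a key protector that lists an unexpected guardian means another HGS (and whoever controls it) could release the VM's keys, so the list read back from the VM, not the variable you built, is what should be reviewed.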
Behind the scenes, when creating a new owner (which is a local guardian), a signing
and encryption certificate pair is created and stored in the Shielded VM Local
Certificates store of the local machine. These can be examined:
PS C:\> ls 'Cert:\LocalMachine\Shielded VM Local Certificates'