{"id":3175,"date":"2016-12-01T11:00:08","date_gmt":"2016-12-01T16:00:08","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?p=3175"},"modified":"2016-12-01T11:00:08","modified_gmt":"2016-12-01T16:00:08","slug":"azure-import-export-working-with-fips-and-other-security-controls","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/azure-import-export-working-with-fips-and-other-security-controls\/","title":{"rendered":"Azure Import \/ Export \u2013 Working with FIPS and other security controls"},"content":{"rendered":"<p><span>I was recently working with one of our government customers that wanted to make use of a newer offering: Azure Import\/Export. Now I know what you\u2019re saying\u2026 \u201cChase, this has been out since <\/span><a href=\"https:\/\/blogs.msdn.microsoft.com\/windowsazurestorage\/2014\/05\/12\/announcing-microsoft-azure-importexport-service-ga\/\"><span>2014<\/span><\/a><span>.\u201d True, this isn\u2019t a new service to Azure, but it was recently accredited and made <\/span><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/2016\/08\/24\/azure-import-export-service-generally-available-in-azure-government\/\"><span>generally available<\/span><\/a><span> to the Azure Government space.<\/span><\/p>\n<p><span>If you aren\u2019t familiar with the service, it\u2019s an easy way to transfer large amounts of data from the outside world into Azure storage. There is a very similar offering for Office 365 as well (think PSTs). The tool itself is a command line interface that copies data to a BitLocker encrypted physical hard drive, which is then shipped to Azure. The Azure team will import that data into your Azure storage account and ship the drive back to you. Sounds easy, right? Normally, it\u2019s a very straightforward process. 
In fact, you can read more about the service and a step-by-step guide <\/span><a href=\"https:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/storage-import-export-service\/\"><span>here<\/span><\/a>.<\/p>\n<p><span>Government, along with other security-conscious industries, has a stronger set of security controls that have the habit of causing additional administrative overhead. With that in mind, I\u2019m going to help you be proactive by giving you the insider tips for getting your system ready for our tool and avoiding those headaches.<\/span><\/p>\n<p><strong>Tip #1 \u2013 The tool requires elevation<\/strong><\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3185\"><img decoding=\"async\" width=\"661\" height=\"545\" class=\"aligncenter wp-image-3185\" alt=\"1\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/160.png\" \/><\/a><\/p>\n<p>If you run \u2018WAImportExport.exe\u2019 as is, it won\u2019t get you anywhere since it requires several parameters to run. The tool can also modify system settings, which is the key reason for running elevated with UAC. Go ahead and run the tool through an existing elevated command prompt window. It\u2019ll output all its parameters and examples. 
You can retain a copy of this information on your clipboard by typing <em>\u2018WAImportExport.exe | clip\u2019<\/em><\/p>\n<p><strong>Tip #2 \u2013 Local administrative privileges may be required<\/strong><\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3195\"><img decoding=\"async\" width=\"640\" height=\"255\" class=\"aligncenter size-full wp-image-3195\" alt=\"2\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/248.png\" \/><\/a><\/p>\n<p><em>\u2018Failed to disable 8dot3 name creation.\u2019<\/em><\/p>\n<p>The tool will offer to make system-wide changes, such as disabling the <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/121007\">\u20188dot3\u2019 filename format<\/a>. If you don\u2019t manually make the system change yourself, the tool can do it so long as it\u2019s run with local administrative privileges.<\/p>\n<p><strong>Tip #3 \u2013 BitLocker feature must be installed<\/strong><\/p>\n<table width=\"459\" class=\"table table-bordered table-condensed table-striped\">\n<tbody>\n<tr>\n<td style=\"width: 584.65px\"><em>[2016\/09\/26 19:17:51.674][Info] Enabling BitLocker on drive&#8230;<\/em><\/p>\n<p><em>[2016\/09\/26 19:17:51.892][Error] Command failed with exception: AzImportDll.AzIm<\/em><\/p>\n<p><em>portException: Please verify that BitLocker Drive Encryption has been enabled. 
&#8211;<\/em><\/p>\n<p><em>&#8211;&gt; System.Management.ManagementException: Invalid namespace<\/em><\/p>\n<p><em>\u00a0\u00a0 at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStat<\/em><\/p>\n<p><em>us errorCode)<\/em><\/p>\n<p><em>\u00a0\u00a0 at System.Management.ManagementScope.InitializeGuts(Object o)<\/em><\/p>\n<p><em>\u00a0\u00a0 at System.Management.ManagementScope.Initialize()<\/em><\/p>\n<p><em>\u00a0\u00a0 at System.Management.ManagementObjectSearcher.Initialize()<\/em><\/p>\n<p><em>\u00a0\u00a0 at System.Management.ManagementObjectSearcher.Get()<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.WmiHelper.GetEncryptableVolume(String driveLetter)<\/em><\/p>\n<p><em>\u00a0\u00a0 &#8212; End of inner exception stack trace &#8212;<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.WmiHelper.GetEncryptableVolume(String driveLetter)<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.WmiHelper.ProtectVolume(String driveLetter, String&amp; password)<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.PrepImportDriveCommandContext.EnableBitLockerOnTargetDrive()<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.PrepImportDriveCommandContext.FormatAndEncryptTargetDrive()<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.PrepImportDriveCommandContext.ExecuteCommand()<\/em><\/p>\n<p><em>\u00a0\u00a0 at AzImportDll.BaseCommandContext`1.Execute()<\/em><\/p>\n<p><em>[2016\/09\/26 19:17:51.892][Info] Command failed.<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span>BitLocker is a requirement. 
However, you have the choice of either letting the tool encrypt the device or pre-encrypting the device yourself and supplying the encryption key (more on that later).<\/span><\/p>\n<p><span>You can install the feature by following this <\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/jj612864(v=ws.11).aspx\"><span>TechNet guide<\/span><\/a>.<\/p>\n<p><strong>Tip #4 \u2013 Delete or change the journal file<\/strong><\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3205\"><img decoding=\"async\" width=\"652\" height=\"306\" class=\"aligncenter wp-image-3205\" alt=\"3\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/326.png\" \/><\/a><\/p>\n<p><em>\u2018AzImportDll.AzImportException: Last copy session session#1 was not terminated normally. Since it was the first copy session for the drive, it may be resumed but cannot be aborted.\u2019<\/em><\/p>\n<p>A journal file will be created when you run the tool. It contains all the information needed by Microsoft to import your data to your storage account. Unless you plan on resuming the copy session with <em>\u2018\/resumesession\u2019<\/em>, start from scratch by deleting or changing the journal file. 
You will not suffer any type of loss if you haven\u2019t already copied data to the drive.<\/p>\n<p>The journal file name and location are what you specified with the \u2018\/J:\u2019 parameter.<\/p>\n<p><strong>Tip #5 \u2013 FIPS must be disabled<\/strong><\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3215\"><img decoding=\"async\" width=\"662\" height=\"173\" class=\"aligncenter size-full wp-image-3215\" alt=\"4\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/420.png\" \/><\/a><\/p>\n<p><em>AzImportDll.AzImportException: WMI Operation failed: Method=ProtectKeyWithNumericalPassword, ReturnValue=2150694967, Win32Message=Unknown error (0x80310037)<\/em><\/p>\n<p>If you chose to allow the tool to BitLocker encrypt your drive, it will set a \u2018recovery password\u2019 on the drive. The error indicates that the tool failed to set a numerical password, also known as a \u2018recovery password\u2019, on the drive. A \u2018recovery password\u2019 is a 48-digit password and is disallowed per FIPS policy.<\/p>\n<p>One way to disable FIPS is through the machine\u2019s local policy setting <em>\u2018System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing\u2019<\/em>.<\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3225\"><img decoding=\"async\" width=\"654\" height=\"408\" class=\"aligncenter wp-image-3225\" alt=\"5\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/516.png\" \/><\/a><\/p>\n<p><span>You\u2019ll notice in the highlighted text that once FIPS is enabled, the type of BitLocker protector the tool uses, recovery passwords, is disallowed.<\/span><\/p>\n<p><strong>Tip #6 \u2013 Entering the correct \u2018BitLocker Key\u2019<\/strong><\/p>\n<table class=\"table table-bordered table-condensed table-striped\">\n<tbody>\n<tr>\n<td width=\"540\">[2016\/10\/03 14:14:20.607][Info][1] Starting new copy session session#1 
&#8230;<\/p>\n<p>[2016\/10\/03 14:14:22.308][Info][1] Verifying target drive against previous sessions&#8230;<\/p>\n<p>[2016\/10\/03 14:14:22.604][Info][1] Unlocking BitLocker on drive&#8230;<\/p>\n<p>[2016\/10\/03 14:14:24.149][Error][1] Command failed with exception: AzImportDll.AzImportException: Invalid numberical password.<\/p>\n<p>at AzImportDll.WmiHelper.ValidateNumericalPassword(String driveLetter, String passwordToValidate)<\/p>\n<p>at AzImportDll.PrepImportDriveCommandContext.UnlockBitLockerOnTargetDrive()<\/p>\n<p>at AzImportDll.PrepImportDriveCommandContext.FormatAndEncryptTargetDrive()<\/p>\n<p>at AzImportDll.PrepImportDriveCommandContext.ExecuteCommand()<\/p>\n<p>at AzImportDll.BaseCommandContext`1.Execute()<\/p>\n<p>[2016\/10\/03 14:14:24.164][Info][1] Command failed.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span>If you chose to BitLocker encrypt the drive manually, outside of the use of the tool, you will need to enter the \u2018BitLocker Key\u2019 with the \u2018\/bk:\u2019 parameter. If you entered an alphanumeric password as the value, you\u2019ll receive the above error message. I want to emphasize and point out the typo in the error message itself: \u2018numberical\u2019.<\/span><\/p>\n<p><span>All protection mechanisms, no matter what type, do the same thing\u2026 unlock the drive. There are many types, including \u2018recovery password\u2019, \u2018recovery key\u2019, \u2018password\u2019, \u2018certificate\u2019, etc. You can find the list <\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ff829848(v=ws.11).aspx#BKMK_addprotectors\"><span>here<\/span><\/a><span>. <\/span><span>You can have more than one protection mechanism applied to a drive while still only needing one to unlock it.<\/span><\/p>\n<p><span>The tool, at the time of writing, only works with the type \u2018recovery password\u2019. Therefore, you should enter that and not any other type of protection mechanism. 
It should be in this format: 000000-111111-222222-333333-444444-555555-666666-777777.<\/span><\/p>\n<p><strong>Tip #7 \u2013 Retrieving the Recovery Password<\/strong><\/p>\n<p>If you manually BitLocker encrypted the drive while FIPS was enabled, then there is no \u2018Recovery Password\u2019 and therefore you cannot use the tool. However, once FIPS is disabled, you can add a \u2018Recovery Password\u2019 to an already BitLocker encrypted drive by typing the following:<\/p>\n<p><em>\u2018manage-bde -protectors -add -recoverypassword D:\u2019<\/em><\/p>\n<p>D: is the drive letter for the encrypted volume.<\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=3235\"><img decoding=\"async\" width=\"521\" height=\"341\" class=\"aligncenter wp-image-3235\" alt=\"6\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/611.png\" \/><\/a><\/p>\n<p>If you want to retrieve a list of all established recovery methods, including the recovery password values, type the following:<\/p>\n<p><em>\u2018manage-bde -protectors -get D:\u2019<\/em><\/p>\n<p>D: is the drive letter for the encrypted volume.<\/p>\n<p>You will only be able to retrieve the actual \u2018recovery password\u2019 values if the drive is already unlocked from a BitLocker perspective.<\/p>\n<p>In the below example, there are two numerical passwords (recovery passwords) and a single alphanumeric password. 
Outside of the tool, any one of those will unlock the drive.<\/p>\n<p><a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/?attachment_id=4245\"><img decoding=\"async\" width=\"555\" height=\"408\" class=\"aligncenter wp-image-4245\" alt=\"azure-import-export-service\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/43\/2019\/03\/Azure-Import-Export-Service.png\" \/><\/a><\/p>\n<p><span>With regard to enhancing this tool in the future\u2026 I\u2019ve already spoken with our Product Group about the tool\u2019s limited abilities on FIPS systems. They are actively incorporating that feedback for the tool\u2019s future versions.<\/span><\/p>\n<p><span>I hope that this has been informative and, more importantly, stopped you from getting into a pickle. <\/span><\/p>\n<p>We welcome your comments and suggestions to help us continually\u00a0improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our <a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/feed\/\"><span>RSS feed<\/span><\/a> and to receive emails, click \u201cSubscribe by Email!\u201d on the <a href=\"https:\/\/blogs.msdn.microsoft.com\/azuregov\/\"><span>Azure Government Blog<\/span><\/a>. To experience the power of Azure Government for your organization, sign up for an <a href=\"https:\/\/azuregov.microsoft.com\/trial\/azuregovtrial\"><span>Azure Government Trial<\/span><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was recently working with one of our government customers that wanted to make use of a newer offering: Azure Import\/Export. 
Now I know what you\u2019re saying\u2026 \u201cChase, this has been out since 2014.\u201d True, this isn\u2019t a new service to Azure, but it was recently accredited and made generally available to the Azure Government [&hellip;]<\/p>\n","protected":false},"author":1784,"featured_media":20423,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,25,30],"tags":[75,95,102,279,349],"class_list":["post-3175","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azuregov","category-portalpreview","category-storage-backup-recovery","tag-azure","tag-azure-government","tag-azure-importexport","tag-export","tag-import"],"acf":[],"blog_post_summary":"<p>I was recently working with one of our government customers that wanted to make use of a newer offering: Azure Import\/Export. Now I know what you\u2019re saying\u2026 \u201cChase, this has been out since 2014.\u201d True, this isn\u2019t a new service to Azure, but it was recently accredited and made generally available to the Azure Government 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/3175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/1784"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=3175"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/3175\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/20423"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=3175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=3175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=3175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}