vmware + truecrypt for fully encrypted windows OS?

Version 2

    started from thread on truecrypt forums: http://forums.truecrypt.org/viewtopic.php?p=22979

     

     

    my question from there repeated for convenience:

     

     

    if I do the following, will any traces be left on my machine at all?

     

    create a truecrypt volume. mount it, and create a vmware partition  for a new operating system on the truecrypt volume. if I boot up the  vmware operating system (which only has access to the truecrypt section  of the hard drive), would any traces of my activity be left behind? what  about with the swap/page file in the native OS?

     

     

    there responses seem to indicate "there's no way that'd work." is that  accurate? can I configure vmware to do what I want? if so, how do I go  about it?

     

     


    Encrypting the VM volume is not really the answer here.

    What you need to do is seal up the OS (inbound and outbound) within itself.

    This will give you the self protecting layer you require.

     

    Encrypting the vm volume will only stop other volumes/ hosts accessing  it, not control the effects you are talking about in your thread.

     

     

    Good luck.

     

     


    Hello!

    Could you please be more specific on how this should/could be done?

     

    P.S.: Merry Christmas!

     

     


    VMware products can create files outside the VM's directory, but you can play with the tmpDirectory field to control that.

     

    However, the larger problem of the swap/pagefile containing traces of  your activity remains intact. This is an operating systems shortcoming,  not a VMware one.

     

     


    I haven't tried, but if you gave the VM 100% reservation of the memory  would it not create the swap file?  Thus securing the VM from the host  perspective?

     


    when you give th VM 100% reservation a zero byte sized swap file is created

     


    There are other traces left besides the swapfile

    There are traces in the different logs (vmkernel,hostd,...).

    Question is how easily these traces can be used.

     


    But those traces contain no data of what is in the VM.  So even a zero  byte swapfile is useless, because it has no data in it.  I would think  if you secure the guest os, turn of things like TPS and have no swap it  would be considered secure.  The only thing on top of that you could add  would be maybe encryption of the VMDKs, but that would add a  significant amount of overhead to the virtualization layer.

     


    But those traces contain no data of what is in the VM.

    only VMware knows, I guess

     

    So even a zero byte swapfile is useless, because
    it has no data in it.agree

    Yes, it will leave traces see my post  http://www.vmware.com/community/thread.jspa?threadID=70884&tstart=0

     

     

    then any dissent forensic will get you.

     

     


    Encryption of the VMDKs, suspend file, and configuration files has been  available in VMware ACE, since Dec 2004. You might want to look into  that if you're on the desktop, not the server.

     


    I know what you want to do but who exactly do you want to protect your  data from?  If it's law enforcement having a VM inside of an encrypted  drive might be sufficient.  If you're trying to protect things from the  government then all bets are off.

     

    If you want to hide porn from your parents it's easy. (Unless one of  your parents happens to work for the FBI forensics team or NSA data  recovery.)

     

     

    If you want to hide things from the law, it gets harder as they have  access to the FBI's forensic services.  The best you can do is get  everything encrypted and then run ENCASE on your own drives to see if  you can find anything.

     

     

    If you want to hide things from criminals then consider worst case they  have a black hat with the skills of the FBI's forensic lab.

     

     

    If you want to hide things from the NSA what the h@#$ are you doing in  the first place that would draw their attention and you should seal your  computers into an EM shielded room  (TEMPEST) with no outside  connections (Sniffing and intrusion) and have a block of thermite  setting on top of your drives with a panic button on you at all times  (NSA Data recovery that can get data off your drive no matter how many  times you overwrite it though it will drop the classification level of  the drive by one step.  Per their own directive for destruction of  classified material get an NSA approved degausser, yank your drive and  toss it in.  Note that those degaussers that don't require you to take  the platters out cost in the range of $30k+)  Even with all of that I  can't guarantee they won't get your data.

     

     

    If you want ideas look at the Common Criteria approved products list for  data encryption that's approved per NSTISSP No. 11 for use on  classified data.  I'd advise looking for EAL 4+ products.

     

     

    This document was generated from the following thread:

    vmware + truecrypt for fully encrypted windows OS?