There are very few things that Microsoft won't pass the buck on in a VMware environment, so I don't usually take those arguments too seriously.

However, Bitlocker only effectively works with a TPM, which is a hardware device, and I have never seen a method of passing that through to a VM. So no, you won't be able to use Bitlocker in a VM.

Are you sure this is a HIPAA requirement? I have never reviewed those requirements myself, but I have numerous medical clients and I've always told by them not to bother worrying about this sort of thing.

Bitlocker is not supported;

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203614...

But, seems that it can be done ...

http://www.christowles.com/2010/10/how-to-encrypt-vmware-vm-running.html

Jon Munday wrote:

But, seems that it can be done ...

http://www.christowles.com/2010/10/how-to-encrypt-vmware-vm-running.html

Just because it can be done doesn't mean it works.

If you "encrypt" a VM, then store the keys on that VM, such that it will boot seamlessly when a thief loads a Windows password reset disk, then all you have is theatre security - encryption for the sake of encryption.

Agreed, and I'm not endosing this either ... just sharing what others have done.

Regardless what solution you choose, policy will need to be a part of it. If the volumes where the documents are stored are encrypted, but users can copy content or the files themselves to an insecure end user device, then it is obviously no longer encrypted. You could also encrypt end user devices but ultimately a no copy policy is needed.

I recommend encryption of the SAN volumes themselves if possible. This prevents someone from walking off with the physical drives and be able to still access the VM that has the encryption software running within it. Also avoids issues with encryption software with guest OS potentially causing problems with the VM being stable or available to serve up the files.

I was really hoping for a solution that would allow me to encrypt VM virtual disks so I can keep it isolated to certain volumes.

Windows has builtin file/folder/disk encryption. You just open the properties for what you want to encrypt. Click the Advanced button and then tick "Encrypt contents to secure data". Windows will then perform the encryption and you are good to go. The encryption is transparent from that point on.

This is a simplified overview and you will definitely need to read up on how to set it up properly. The encryption is based on user certificates so you need to have that configured in your domain so that users can access the information and so that the administrator can always recover information.

I don't have too much experience with HIPPA requirements.  Similar to contruction workers with OSHA.

I belive you will need to get a lot more details before you can make a decision.  As the person above me said, the handling of the keys is paramount.

Although, details are not always out in the open so to speak.  If all you need to do is "encrypt those files", the easiest way to satisfy such a request - with the least admin overhead - would be using Windows file encryption (right click, encrypt).

Then you will probably have to pick a solution that makes use of encryption within the guest OS.  Might be solutions out there that can encrypt individual vmdk files without guest OS involvement but that would have to be something that is installed within ESX itself.  Whatever the solution, if it is too easy to decrypt or access those files and users can easily decrypt or copy the files out of the encrypted source with or without realizing it, then you have only security theater.

I guess the first step is to figure out exactly what you want/need to do under HIPPA. I'm not familiar with it myself.

Do you need to secure in case the server is stolen?

Do you need to secure in case a server disk is stolen or has to be removed?

Do you need to secure your backups?

Do you need to restrict which users can access files?

Do you need to prevent users from taking files from the system (i.e. copying to a USB drive)?

Do you need to to prevent or secure documents being transmitted outside of your system (i.e. document is sent via email)?

Do you need to secure against malicious insiders?

Only then can you design an appropriate protection scheme. For example, encrypting the files on the server is useless if you need to prevent outside parties from being able to open documents (i.e. once someone copies a document off the encrypted server to their computer or USB, all protection is lost).

You might need to encrypt the entire server, only encrypt certain files/folders/volumes, or you might need to protect the individual documents.

BitLocker might work but I'm not sure about what effect the lack of hardware TPM in the VM will have. I think there are ways around this those, such as if you use a PIN to 'unlock' the system at boot. This is probably the easiest option since after bootup Windows acts completely normally and you don't have to make any other changes. The fact that it's not support by VMware or Microsoft means that you probably can't use it thought. If there are ever any problems you won't get any help, and that is a very bad place to be when you are in trouble!

Using TrueCrypt could work as it would encrypt an entire partition, and after the partition is mounted Windows will treat it like any normal disk and users would be able to access documents as normal. Just make sure the password is stored safely so it is never lost.

Windows builtin encryption is a bit trickier, since each document is encrypted using certificates. A user must have a valid certificate (for that document) in order to open the document. You would need to read up on how to setup all this. The most important point is to have a "recovery agent" and to safely store a copy of its certificate (i.e. if Administrator is the recovery agent, then you need to export his certificate and store it on a USB or CD in a safe). If no valid certificate is available, then the files are forever unrecoverable. This can happen if say the server dies and you don't have a backup of the Windows installation.

To protect documents once they leave your system you would need to use the encryption builtin to each program. Microsoft Word/Excel/Emails and Adobe Acrobat offer builtin encryption and password protection, but you need to apply it to each document which makes it very difficult to manage. A better solution is to use Windows Rights Management Server or Adobe LiveCycle Server. Both of these products offer centrally-managed security policies for Word/Excel/Emails or Acrobat which makes it much easier to manage in a large scale environment.

One last thing, when you say "server" do you mean a specific Windows VM, or do you mean then ESXi host? Applying encryption to the entire host and VMDK files will probably be a nightmare, and I'm not aware of any way to do it. I think your only option is to encrypt from within the guest VMs(s).

You can also use HighCloud to encrypt individual disks or the whole VM. We operate below the hypervisor and within the VM. The solution is free for up to 5 VMs.

For more information see www.highcloudsecurity.com - we also have a paper on using HighCloud in HIPAA environments in our collateral section. Go to Resources -> Collateral

Disclaimer - I work for HighCloud