ralish
Enthusiast
Enthusiast

Encryption in ESX(i)

Jump to solution

I was looking at the Hyper-V Server 2008 featureset over the last week and it seems to me that ESX has the far superior and more mature featureset, matching or beating Hyper-V almost across the board. However, there was one particular feature of Hyper-V that caught my eye: encryption. Hyper-V, both in Hyper-V Server 2008 and as a server role in Windows Server 2008 has support for BitLocker, enabling full system encryption at the host level. To my knowledge, VMware does not offer any sort of encryption solution on its ESX products. I'm almost certain it would be next to impossible on ESXi due to the stripped down nature of the embedded installation. I've never used ESX, so I can't comment with any real authority, except to say you'd be looking at some sort of 3rd party solution? Would encryption of the service console with something like TrueCrypt encrypt all VM's, or just the service console files?

As it stands on ESXi (and probably ESX), encryption must be tackled at the VM level, possibly using multiple different solutions, e.g. TrueCrypt on Windows, dm_crypt on Linux, and something different on Solaris. This is a potential managability issue, and a performance one as well.

Can any VMware employees comment on this? For those of us with a high degree of security in mind who wish to persue encryption, what are our best options (I'm using ESXi, but ESX is also relevant)? Are there any feasible options for encryption at the bare-metal level, negating the need for individual encryption solutions per VM?

Thanks for any input!

0 Kudos
1 Solution

Accepted Solutions
Texiwill
Leadership
Leadership

Hello,

To my knowledge, VMware does not offer any sort of encryption solution on its ESX products. I'm almost certain it would be next to impossible on ESXi due to the stripped down nature of the embedded installation.

COrrect. But it has nothing to do with the stripped down nature of ESXi. Encryption is left up to the VM's GUest OS.

I've never used ESX, so I can't comment with any real authority, except to say you'd be looking at some sort of 3rd party solution? Would encryption of the service console with something like TrueCrypt encrypt all VM's, or just the service console files?

I would NOT do this. You would end up adding in drivers to the SC that are unsupported and cause your support/warranty to become NULL and VOID.

To make this work you would need to replace the VMFS3 module with an encrypted-VMFS3 module as well as add things into the vmkernel and the management appliance.

As it stands on ESXi (and probably ESX), encryption must be tackled at the VM level, possibly using multiple different solutions, e.g. TrueCrypt on Windows, dm_crypt on Linux, and something different on Solaris. This is a potential managability issue, and a performance one as well.

This is correct.

Can any VMware employees comment on this? For those of us with a high degree of security in mind who wish to persue encryption, what are our best options (I'm using ESXi, but ESX is also relevant)? Are there any feasible options for encryption at the bare-metal level, negating the need for individual encryption solutions per VM?

I am not a VMware Employee but there are no feasible options at this time. There may be at the future. VMware does not comment on the future very much however. I am not sure the performance of bare-metal encryption would be much better than within a VM. Mainly because there is no real hardware assist capability. With the vStorage API being opened up, I would not be surprised if there was some movement of this in the future from 3rd parties.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

View solution in original post

0 Kudos
17 Replies
Dave_Mishchenko
Immortal
Immortal

Your post has been moved to the Security and Compliance forum.

Dave Mishchenko

VMware Communities User Moderator

0 Kudos
Texiwill
Leadership
Leadership

Hello,

To my knowledge, VMware does not offer any sort of encryption solution on its ESX products. I'm almost certain it would be next to impossible on ESXi due to the stripped down nature of the embedded installation.

COrrect. But it has nothing to do with the stripped down nature of ESXi. Encryption is left up to the VM's GUest OS.

I've never used ESX, so I can't comment with any real authority, except to say you'd be looking at some sort of 3rd party solution? Would encryption of the service console with something like TrueCrypt encrypt all VM's, or just the service console files?

I would NOT do this. You would end up adding in drivers to the SC that are unsupported and cause your support/warranty to become NULL and VOID.

To make this work you would need to replace the VMFS3 module with an encrypted-VMFS3 module as well as add things into the vmkernel and the management appliance.

As it stands on ESXi (and probably ESX), encryption must be tackled at the VM level, possibly using multiple different solutions, e.g. TrueCrypt on Windows, dm_crypt on Linux, and something different on Solaris. This is a potential managability issue, and a performance one as well.

This is correct.

Can any VMware employees comment on this? For those of us with a high degree of security in mind who wish to persue encryption, what are our best options (I'm using ESXi, but ESX is also relevant)? Are there any feasible options for encryption at the bare-metal level, negating the need for individual encryption solutions per VM?

I am not a VMware Employee but there are no feasible options at this time. There may be at the future. VMware does not comment on the future very much however. I am not sure the performance of bare-metal encryption would be much better than within a VM. Mainly because there is no real hardware assist capability. With the vStorage API being opened up, I would not be surprised if there was some movement of this in the future from 3rd parties.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

View solution in original post

0 Kudos
admin
Immortal
Immortal

It is true that we currently don't have any native capabilities for encyption and I can't really talk about our future plans on a public forum like this. One other option is the use of SAN based encryption solutions like Decru (now NetApp).

joeb881
Contributor
Contributor

Is any information about the state of the machine (eg memory contents) saved to disk other than through the os ? If its not - ie if virtual machine pauses are done through hibernation in windows for example then truecrypt can handle safely saving the memory encrypted to disk. However if the memory is written to disk outside of the os control then it seems it would be unencrypted and defeats the purpose of using encryption inside the vm.

0 Kudos
Texiwill
Leadership
Leadership

Hello,

Is any information about the state of the machine (eg memory contents) saved to disk other than through the os ? If its not - ie if virtual machine pauses are done through hibernation in windows for example then truecrypt can handle safely saving the memory encrypted to disk. However if the memory is written to disk outside of the os control then it seems it would be unencrypted and defeats the purpose of using encryption inside the vm.

Actions outside the GUestOS control:

  • memory swapping by the hypervisor, uses the .vswp file on the VMFS (you can prevent this by setting resource constraints)

  • snapshot taking a memory image. uses a file on the VMFS (you have to be sure not to check the dump memory checkbox)

  • Suspending a VM creates the .vmss memory image file on the VMFS (never suspend a VM)

  • using tools such as vm-support will also drop a VM memory image (only by an Administrator)

  • several other items, like sending a signal to the VM to drop its memory image (only by an Administrator)

So encrypted VMFS, these files can be read by an Administrator, but in general no one else. So your trust has to be in an administrator.

Workstation 7 has the first Encrypted Disk container but I do not believe it encrypts the memory files.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
joeb881
Contributor
Contributor

First thanks for such a quick detailed response.

If my threat model is the 'lost laptop' cold boot model and the administrator holds the guest encryption key anyway then it seems that you are almost saying I can have that as secure as the encryption is of the guest os itself (I am not worrying about hacking the guest os when live as I assume is easier than hacking to administrator privledges on esxi when the guest is live).

The unresolved issues seem to be:

Can I disable suspending a vm so I dont do it by accident and now have unencrypted memory on disk ?

several other items..: are these things that can only be done on purpose or accident by an administrator (or hacker) when live?

0 Kudos
Texiwill
Leadership
Leadership

Hello,

I do not currently know of a way to disable Suspend of a Guest in any VMware product.

Many things can be done by a hacker or administrator when the VM is runnign to get disk and memory of the VM as well as network traffic. In a Type 2 hypervisor such as a 'Laptop' this is very easy. For a ESX/ESXi host this is more difficult.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
hayb
Contributor
Contributor

I successfully tested McAfee's Safeboot with a Windows XP guest on ESXi, and Workstation and had completely functionality, with centralized management for Safeboot. I believe this is now a part of Epo.

In the process, I found that the size of the encrypted drive in total becomes the size of the used storage P2V, and the same when going an unencrypted-encrypted.

Much of what you are mentioning in the rest of your post is more regarding encrypted storage used by the ESXi system. There are many vendors offering encrypted storage hardware.

Also, you can do something like this.

ESXi -


Switch-----iSCSI Target (Encrypted).

0 Kudos
Texiwill
Leadership
Leadership

Hello,

The issue is that the the 'storage' is not encrypted until it is at rest or hits the encrypted storage hardware. Anytime from the VM til that is a possible area of weakness. An 'Administrator' could actually gain the necessary access. Check out the latest Virtualization Security Round Table Podcast for more on this.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
hayb
Contributor
Contributor

The problem the OP described is: can i obtain bitlocker equivalent encryption using VMware, either natively or via third party products.

The answer is yes, via 3rd party vendors.

Asking whether the data in transit in encrypted always is fundamentally a different question.

0 Kudos
clavelstephane
Enthusiast
Enthusiast

Hayb,

You wrote "There are many vendors offering encrypted storage hardware.". May you please share some ?

thanks

0 Kudos
Texiwill
Leadership
Leadership

Hello,

For Laptops/Desktops there are several encrypted 'disks' available from the major manufacturers.

For ESX/ESXi nearly every vendor has some form or encryption. Check out products by Brocade, Netapp (vFiler/Decru/etc.), and others.

The key however, is that until the data is at rest, the data can be intercepted/transformed. Also, note that with SVMotion, etc. is data ever really at rest? Do you really know where it lives?

If you encrypt within a VM, without the use of a hardware encryption module, then it is decryptable... Yes it is time consuming but possible.

So it is really important to not divorce yourself form the Data in Motion discussion within ESX/ESXi when talking about encrypting data at rest.

Within the Type 2 hypervisor however it is really moot.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
encryption
Contributor
Contributor

Check Vormetric out. They have encryption, access control and key management for VMware hosts and storage: http://www.vormetric.com

In the event someone copies the VM on a USB drive and boots it up elsewhere, the VM won't appropriately sign back in with the security appliance that holds all the keys and therefore won't work (access controls). And will remain encrypted. Hope that helps.

Message was edited by: Texiwill -- Posted by Vormetric Employee

0 Kudos
Texiwill
Leadership
Leadership

Hello,

How does this protect you if all you want to do is 'access' the drive, I.e. mount it? If its encrypted, then a brute force attack will work.

The ideal solution is require a encrypted USB stick that does not allow you to just mount the VMDK directly.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
encryption
Contributor
Contributor

I don't believe a brute force attack can break AES encryption.

Full Disclocure: I work for Vormetric.

0 Kudos
Texiwill
Leadership
Leadership

Hello,

You really should listen to the Forensics discussion on the Virtualization Security Podcast. If the VM is runnign on a laptop for example or even within vSphere the keys are generally stored IN Memory because there is no hardware equivalent. The attack is possible and would take far less time than you state. So instead of owning the USB key the attack would be to own the host on which the VM is running. THat is the real risk.

My statement is that encrypting within the VM is dangerous, encryption within hardware less so..... So do it in hardware if at all possible.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
hayb
Contributor
Contributor

Texiwill is correct.

If you want higher security, you'll want to move into hardware, USB, fortezza, smartcards, direct interface to an HSM. You can obtain HSMs that are usable over the network for a VM too, which is less.

Barring that, you can do encrypted hard drives + full disk + overlapping encryption. I've successfully used full disk encryption + EFS + truecrypt, all on one box with fairly minimal performance impacts for a desktop.

Full disk encryption without preboot authentication can be a tough nut to crack, but difficult for operations unless you have high uptime.

0 Kudos