VMware Cloud Community
VMthinker
Contributor

How to setup ESXi 4.1 Encryption?

Hi guys! I have been searching for an answer to various forms of encryption for the ESXi 4.1 VM images but just couldn't find an official method to encrypt the disk!

So far I have only found out about using TrueCrypt to encrypt the entire VMware image operating system and using VMware ACE. However, VMware ACE can only be used on Workstation!

Can anyone else offer any more methods and suggestions to encrypt the VM Images or vmdk I have stored into the ESXi Server in case someone steals/copies the image from the server through the vSphere or vCenter?

Thanks.

16 Replies
Dave_Mishchenko
Immortal

Your post has been moved to the Security and vShield Zones forum.




Dave

VMware Communities User Moderator

Now available - vSphere Quick Start Guide

Do you have a system or PCI card working with VMDirectPath? Submit your specs to the Unofficial VMDirectPath HCL.

VMthinker
Contributor

Does anyone have any ideas?

AntonVZhbankov
Immortal

BitLocker or TrueCrypt.


---

MCITP: SA, MCTS Hyper-V, VCP 3/4, VMware vExpert

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
VMthinker
Contributor

Are there any other ways that don't involve encrypting the system of the VM image itself? Perhaps ways of automatic encryption of the vmdk or configurations like how VMware ACE implements it?

Thanks.

schepp
Leadership

Isn't encrypting all of your VMs much more complicated than securing your vSphere/vCenter access? And won't the encryption lower your performance?

Regards

VMthinker
Contributor

If you do it as a whole I guess it wouldn't impact much performance on a network; however, security is our top priority right now.

We have a few scenarios whereby someone was given a sub-administrative level account and that person managed to copy a VM image to actually implement it at their place. We are trying to mitigate such issues.

Does anyone know a 3rd Party Software or any VMware tools/software we could use? Thanks.

oldManAround
Enthusiast

If your concern is admins coming in through the front door (vCenter or vCLI) to use your VMs in unintended ways, then I know of no encryption option which you can leverage at a VMDK level. In any case, the encryption would simply mitigate the risk after your VMs have already gone wild. Presumably, however, the true goal is to prevent the VMs from leaving in the first place.

For that, probably your best strategy would be to (1) focus on avoidance through tighter access controls and applying the "least privilege" principle; and (2) monitor all activities in your VMware infrastructure (or, ideally, your entire environment) to help detect unintended and unwanted events that occur.

Full disclosure: I work for this vendor. But RSA enVision is one such tool that can pick up all of the activities from vCenter and your VI hosts and provide reporting, real-time alerting, and after-the-fact forensics capabilities. Clone event? Alert. Copy from datastore? Alert. Mounted a physical DVD drive or USB stick to a VM? Alert.

~

If you're also concerned about side-channel attacks through the storage infrastructure itself, then there are a great many non-VMDK-aware block-level encryption options available through the SAN/storage vendors. You might also take a peek at AFORE Solutions' encryption capabilities for VMware environments.

--

Justin Lute

EMC, Senior vSpecialist

-- Justin Lute justin.lute@vce.com | www.vce.com @oldmanaround | www.oldmanaround.com
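
Added example, not part of the post above and not any vendor's product: a minimal sketch of the alerting rules the post lists (clone, copy from datastore, removable media attached to a VM), combined with a least-privilege allow-list. The record fields, action labels and account names are hypothetical, and the sample events are constructed.

```python
# Constructed, normalized audit records. Field names and action labels are
# hypothetical; they are not a vCenter or RSA enVision schema.
SAMPLE_EVENTS = [
    {"time": "2011-03-01T09:12:00", "user": "ops-backup", "action": "vm.clone", "target": "db01"},
    {"time": "2011-03-01T09:40:00", "user": "jr-admin", "action": "datastore.copy", "target": "[ds1] db01/db01.vmdk"},
    {"time": "2011-03-01T10:02:00", "user": "jr-admin", "action": "vm.power_on", "target": "web02"},
    {"time": "2011-03-01T10:15:00", "user": "jr-admin", "action": "vm.device.connect", "target": "db01", "device": "usb"},
    {"time": "2011-03-01T10:20:00", "user": "jr-admin", "action": "vm.device.connect", "target": "db01", "device": "nic"},
]

# Actions that can move a VM image or its data out of the environment.
EXFIL_ACTIONS = {"vm.clone", "datastore.copy"}
REMOVABLE_DEVICES = {"usb", "cdrom"}

# Least privilege: accounts expected to clone or copy images (assumed list).
APPROVED_OPERATORS = {"ops-backup"}


def classify(event):
    """Return (severity, reason) for a risky event, or None if benign."""
    action = event.get("action")
    if action in EXFIL_ACTIONS:
        reason = f"{action} of {event.get('target')}"
    elif action == "vm.device.connect" and event.get("device") in REMOVABLE_DEVICES:
        reason = f"removable {event['device']} attached to {event.get('target')}"
    else:
        return None
    # Expected operators are still recorded, at a lower severity.
    severity = "info" if event.get("user") in APPROVED_OPERATORS else "high"
    return severity, reason


def alerts(events):
    """Return one alert dict per risky event, preserving input order."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            out.append({"time": ev["time"], "user": ev["user"],
                        "severity": verdict[0], "reason": verdict[1]})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(f"{a['time']} [{a['severity']}] {a['user']}: {a['reason']}")
```
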
Texiwill
Leadership

Hello,

Neither ESX nor ESXi provide a mechanism to encrypt the VMDKs from within the hypervisor.

You can encrypt data at rest using encrypting fabric switches or encrypting storage arrays and pre-processors to the array such as a Decru device....

You can encrypt the VMDK using BitLocker or TrueCrypt but please realize that if you are trying to protect from the Administrator, any Administrator can find those keys and use them to decrypt the disk at a later time as they are stored in the VM's memory or on a special partition of the VMDK.... Given this, if you want to encrypt a disk you need to use a Key only you know and type in every time you want to access the VMDK from the Guest OS..... One time entry is still discoverable....

There are a number of possibilities, but alas, they require tools not yet available such as Encrypted Memory, virtual TPM devices, etc.

The best method forward is to use tools like HyTrust and one of the other security Catbird, Reflex Systems, etc. to ensure you have an audit path for all access by administrators to ESX or ESXi host either direct access via SSH, or via vSphere Client.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
VMthinker
Contributor

Since there is no clear concept of virtualization encryption, there is no solid answer available until a formal encryption product is made available.

Texiwill
Leadership

Hello,

The concept is clear actually... But the security of it is not.... There are two current concepts for encrypting a VM....

1) From Without such as the way Workstation 7 does it (in effect TrueCrypt with a single factor password)... Not useful for servers that autoreboot or may due to HA... Multifactors or use of TPM/TXT devices would be better (hence the need for virtual TPM)

2) From Within the VM using whatever the Guest OS supplies... But this is possibly decryptable.....

Concepts exist, tools need to catch up however... Most people currently use option 2 and have TRUST in their admins.

Best regards,

Edward L. Haletky

CrytpoGuy
Contributor

Another way to look at this is from a threat perspective.

If the major threat is losing a disk drive containing sensitive data, then encrypting a storage array (NetApp/Decru, Brocade, etc) provides a way forward and allows you to tick the checkbox that it is encrypted. However, storage-level encryption does little to mitigate the insider threat – an authorized user could still access the VM data.

If the concern is both the outsider and insider threat (e.g. an admin coming in via vCenter or vCLI and walking away with a VMDK containing sensitive data), a monitoring solution like RSA EnVision provides a deterrent that provides notification after-the-fact (but would not stop a breach from occurring). 

A solution like BitLocker or TrueCrypt will encrypt data within the VM but pose “separation of duties” challenges. As pointed out above, an admin could access the encryption keys and walk away with clear text data from the VM. This is a challenge in volume-focused encryption.

Another challenge from the volume-oriented technologies comes in terms of interoperability when your VMs need to share data securely.  Suppose I have several VMs that mount a common set of volumes from a Storage Area Network (SAN).  Suppose I also want to have each of those VMs encrypt & decrypt data while they share that data.  With a centrally managed solution, I must be able to make sure that encryption keys are safely and securely provisioned for each existing and upcoming VM, when that VM needs to mount that SAN volume.

There are file-level encryption solutions that operate within the VM to encrypt specified folders or files and govern access by file/user/process. This approach is more granular than encrypting an entire storage volume, enables interoperability (multiple VMs hitting the same SAN volume) and can provide necessary auditing/reporting to enforce separation of duties. This sort of solution offers the potential to block compromises where the monitoring solutions would report after-the-fact. One encryption vendor providing file-level encryption is Vormetric.

Full Disclosure: I work for Vormetric  which provides a file-level encryption solution.

The right solution depends on the threat you want to protect against and the bells and whistles (access control & separation of duties, reporting, OS support for Linux/Unix/Windows, encryption key management functionality, file vs volume encryption, etc) you need to provide that protection.

TAT

Texiwill
Leadership

Hello,

The problem is not that you cannot use in-VM encryption tools, you probably should. But that in doing so you need to fully understand the level of trust in your administrator.

Best regards,

Edward L. Haletky

CrytpoGuy
Contributor

Edward,

I completely agree.  You do need to verify the level of trust within your administrators.  Like physical environments, a defense-in-depth strategy provides the optimal approach.  Virtualization presents special challenges because both the data and the VMware image environments that access that data are so portable.  A strong, in-VM approach still complements all the application and network controls that logically overlay the rapidly provisioned virtual machines and can help absolve your administrators from compromising the underlying data.

Todd

Texiwill
Leadership

Hello,

CryptoGuy wrote:

... A strong, in-VM approach still complements all the application and network controls that logically overlay the rapidly provisioned virtual machines and can help absolve your administrators from compromising the underlying data.

Actually, that is not always the case; a virtualization administrator can compromise the underlying data of any VM if they want to do so. Yes, it is not a trivial exercise, but it is one that can be done. 'In-VM' encryption implies the encryption keys are in the VM's memory somewhere; since that is the case, an Admin can always get access to that memory. Given the memory and the disk, any in-VM encryption can be broken.

However, in-VM encryption is still necessary and once VMware encrypts memory, then the administrators can be absolved completely. As it is now, you still need to trust them as well as your backup administrators as 'snapshots' often drop memory images as well and then they get backed up, depending on the tool of course. So currently I still cannot 100% absolve my virtualization and backup administrators.

Best regards,

Edward L. Haletky

Coppage
Contributor

Is there a way to encrypt the host file system of the ESXi host server? I did a search for ESXi 4.1 encryption because I was interested in whether or not it was possible to encrypt the whole file system for the host server regardless of what's done inside of the VMs or any remote storage.

Thanks.

Josh26
Virtuoso

Hi,

The 12 month old thread you replied to is still up to date in regards to this - there is no current way to encrypt a host disk.
