All,
I have a client that is requesting encryption at the virtual machine level. I was wondering what products are available and what the user experience is. The requirement is to have end-to-end encryption of data. We are looking at the possibility of providing this at the virtual machine level to meet their requirement.
Ephillipsme
Hello,
If you are using VMware ESX/ESXi then encryption within the VM (at the guest OS level) is the only option, such as using BitLocker for Windows or TrueCrypt for other operating systems. Just be aware that both of these options store the keys in memory and any system administrator can gain access to memory at any time. So if you TRUST your admins this is a relatively safe operation.
If you are placing data in the cloud then look into Secure Cloud.
As of now, there is no third-party encryption tool, nor is there any tool built into ESX/ESXi.
There exist NO tools to encrypt ESX/ESXi at the 'VM' level, which is just below the guest operating system. VMware Workstation has such capability but requires you to enter a key on boot, and if you have lots of VMs this becomes extremely painful.
Best regards,
Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf
Hello.
Note: This discussion was moved from VMware ESX™ 4 to Security and Compliance.
Good Luck!
Thanks,
I have some familiarity with BitLocker, and there is a requirement at the server level to have a TPM chip on the system board. I am wondering if this translates to a VM as well?
Ephillipsme
Hello,
The reason a TPM is needed is due to the issues discussed; otherwise the encryption key data is in memory. I imagine it will still be required. However, unlike a TPM, there is currently no way to prevent a cached copy of the key being located within the VM.
Secure Cloud is your best hope as they scrub the memory after each use, but that does not mean it is not read into memory at some point in time. They close the attack window quite a bit.
Best regards,
Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf