VMware Cloud Community
ephillipsme (Enthusiast)

Virtual Machine Encryption

All,

I have a client that is requesting encryption at the virtual machine level. I was wondering what products are available and what users' experience with them is. The requirement is to have end-to-end encryption of data. We are looking at the possibility of providing this at the virtual machine level to meet their requirement.

Ephillipsme

~Ernie
Accepted Solution

Texiwill (Leadership)

Hello,

If you are using VMware ESX/ESXi then encryption within the VM (at the guest OS level) is the only option, such as using BitLocker for Windows or TrueCrypt for other operating systems. Just be aware that both of these options store the keys in memory and any system administrator can gain access to memory at any time. So if you TRUST your admins this is a relatively safe operation.

If you are placing data in the cloud then look into Secure Cloud.

As of now, there is no third party encryption tool, nor is there any tool built into ESX/ESXi.

There exist NO tools to encrypt ESX/ESXi at the 'VM' level, which is just below the guest operating system. VMware Workstation has such a capability but requires you to enter a key on boot, and if you have lots of VMs this becomes extremely painful.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast
Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

4 Replies

vmroyale (Immortal)

Hello.

Note: This discussion was moved from VMware ESX™ 4 to Security and Compliance.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
ephillipsme (Enthusiast)

Thanks,

I have some familiarity with BitLocker, and there is a requirement at the server level to have a TPM chip on the system board. I am wondering whether this translates to a VM as well?

Ephillipsme

~Ernie
Texiwill (Leadership)

Hello,

The reason a TPM is needed is due to the issues discussed, otherwise the encryption key data is in memory. I imagine it will still be required. However, unlike a TPM, there is currently no way to prevent a cached copy of the key being located within the VM.

Secure Cloud is your best hope, as they scrub the memory after each use, but that does not mean the key is not read into memory at some point in time. They close the attack window quite a bit.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast
Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
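The answer above rests on one point: a guest-level key lives in RAM, and the only mitigation short of hardware is to keep the working copy resident for as short a window as possible. As an added example, not code from this thread or from any product named in it, the following C shows the scrub-after-use discipline: the key is copied into a working buffer, used, then erased through a volatile pointer so the compiler cannot drop the write; the `DEMO_KEY` value, the XOR stand-in for "use the key", and the `key_resident` check are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed demo key; a real key would come from a protector, never a constant. */
static const uint8_t DEMO_KEY[KEY_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 };

/* Erase that the optimizer cannot elide: every store goes through a volatile pointer.
   Where the platform offers explicit_bzero() or memset_s(), prefer those. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Stand-in for a real cipher call: XOR the block with the working key. */
static void use_key(const uint8_t key[KEY_LEN], uint8_t *block, size_t n) {
    for (size_t i = 0; i < n; i++) block[i] ^= key[i % KEY_LEN];
}

/* 1 if a full copy of `key` can still be found anywhere in `buf`, else 0. */
static int key_resident(const uint8_t *buf, size_t n, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i + KEY_LEN <= n; i++)
        if (memcmp(buf + i, key, KEY_LEN) == 0) return 1;
    return 0;
}

/* Use the key on `block`, optionally scrub the working copy, and report
   1 if the key is gone from the working buffer afterwards, 0 if it lingers. */
int process_with_scrub(const uint8_t key[KEY_LEN], uint8_t *block, size_t n, int do_scrub) {
    uint8_t working[KEY_LEN];
    memcpy(working, key, KEY_LEN);
    use_key(working, block, n);
    if (do_scrub) scrub(working, KEY_LEN);
    return key_resident(working, KEY_LEN, key) == 0;
}

int main(void) {
    uint8_t block[16] = {0};
    printf("without scrub, key gone: %d\n", process_with_scrub(DEMO_KEY, block, sizeof block, 0));
    printf("with scrub, key gone:    %d\n", process_with_scrub(DEMO_KEY, block, sizeof block, 1));
    return 0;
}
```

The scrub shrinks the window but does not remove it: between `memcpy` and `scrub` the key is plainly readable by anyone who can dump the guest's memory, which is exactly the residual risk described above.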