VMware Cloud Community
snowdog_2112
Enthusiast

vcenter 5, windows 2008r2, bitlocker - where to store the key

I've read many posts on the "how to" encrypt a vmdk using bitlocker.

My question is:  what do you do with the USB/FLP disk after the disk is encrypted?

It seems rather pointless to have a USB disk tied to a VM or a .flp in the vmx to allow the VM to boot.  The concern is physical theft of the host and storage.  That is, assume the physical server and storage are stolen.  The encrypted VMs will boot up for the bad guy because the USB stick is still attached or the .flp is in the same storage.

Looking for options - encryption with BIOS (either host or VM-BIOS) password boot?

Thoughts?  Thanks!

0 Kudos
2 Replies
djet
Enthusiast

I think the strategy is making the key media inaccessible over space or time.

You can't relocate the USB stick but you can use tricks with floppy images.

a) Place them on a datastore that won't be accessible to thieves if the servers or storage get stolen.

This distinct datastore is a point of failure so you must ensure the availability of this datastore.

b) Make images inaccessible by schedule.

You can automate the process so that images are copied and mounted only when needed to boot the guest OS. As soon as the guest boots, the images get unmounted and purged.

The drawback is the automation process (the system should sense somehow when to copy+mount/unmount+purge images).

0 Kudos
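Option (b) from the reply above, sketched as an added PowerCLI example that is not part of the original thread: the key image is staged from the management host, attached for one boot, then detached and deleted. The VM name, datastore, paths and timeout are hypothetical, and the script assumes an existing `Connect-VIServer` session and a staging folder that already exists on the datastore.

```powershell
# Added example, not from the thread. Requires VMware PowerCLI and an existing
# Connect-VIServer session. Every name and path below is a hypothetical placeholder.
$VmName    = 'bitlocker-vm01'                  # guest with the BitLocker-protected disk
$Datastore = 'prod-ds'                         # datastore the VM can read at boot
$LocalKey  = 'C:\KeyVault\bitlocker-vm01.flp'  # key image kept on the management host only
$StageDir  = 'keystage'                        # assumed to exist on the datastore already
$TimeoutS  = 600                               # how long to wait for the guest to come up

$vm = Get-VM -Name $VmName -ErrorAction Stop
if ($vm.PowerState -ne 'PoweredOff') { throw "$VmName must be powered off first." }
if (-not (Get-FloppyDrive -VM $vm)) { throw "$VmName has no floppy drive for the key image." }

# Map the datastore as a PowerShell drive so the image can be copied in and deleted.
$ds = Get-Datastore -Name $Datastore -ErrorAction Stop
New-PSDrive -Name stage -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null
$imageName = [IO.Path]::GetFileName($LocalKey)
$staged    = "stage:\$StageDir\$imageName"

try {
    # 1. Copy the key image onto the datastore just before boot.
    Copy-DatastoreItem -Item $LocalKey -Destination $staged

    # 2. Attach it to the VM's floppy drive, connected at power-on.
    Get-FloppyDrive -VM $vm |
        Set-FloppyDrive -FloppyImagePath "[$Datastore] $StageDir/$imageName" `
                        -StartConnected:$true -Confirm:$false | Out-Null

    # 3. Boot and wait for VMware Tools, i.e. the guest is past the BitLocker unlock.
    Start-VM -VM $vm | Out-Null
    Wait-Tools -VM $vm -TimeoutSeconds $TimeoutS | Out-Null
}
finally {
    # 4. Detach and purge, even if the boot failed or timed out.
    if ((Get-VM -Name $VmName).PowerState -eq 'PoweredOn') {
        Get-FloppyDrive -VM $vm | Set-FloppyDrive -Connected:$false -Confirm:$false | Out-Null
    }
    Get-FloppyDrive -VM $vm | Set-FloppyDrive -NoMedia -Confirm:$false | Out-Null
    if (Test-Path $staged) { Remove-Item $staged }
    Remove-PSDrive -Name stage
}
```

`Remove-Item` only unlinks the file, so the image's blocks remain on the datastore until they are overwritten. Any guest reboot that happens outside this script will stop at the BitLocker recovery prompt.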
sdpate
Contributor

You can also use HighCloud to encrypt individual disks (Windows and Linux) or the whole VM. We operate below the hypervisor and within the VM. The solution is free for up to 5 VMs. The first key manager is free!

For more information see www.highcloudsecurity.com

Disclaimer - I work for HighCloud

0 Kudos