disgust
Contributor

vmware + truecrypt for fully encrypted windows OS?

started from thread on truecrypt forums: http://forums.truecrypt.org/viewtopic.php?p=22979

my question from there repeated for convenience:

if I do the following, will any traces be left on my machine at all?

create a truecrypt volume. mount it, and create a vmware partition for a new operating system on the truecrypt volume. if I boot up the vmware operating system (which only has access to the truecrypt section of the hard drive), would any traces of my activity be left behind? what about with the swap/page file in the native OS?

Their responses seem to indicate "there's no way that'd work." Is that accurate? Can I configure VMware to do what I want? If so, how do I go about it?

11 Replies
AMcCreath
Commander

Encrypting the VM volume is not really the answer here.

What you need to do is seal up the OS (inbound and outbound) within itself.

This will give you the self protecting layer you require.

Encrypting the vm volume will only stop other volumes/ hosts accessing it, not control the effects you are talking about in your thread.

Good luck.

a_Lex
Contributor

Hello!

Could you please be more specific on how this should/could be done?

P.S.: Merry Christmas!

jchamcham
VMware Employee

VMware products can create files outside the VM's directory, but you can play with the tmpDirectory field to control that.

However, the larger problem of the swap/pagefile containing traces of your activity remains intact. This is an operating systems shortcoming, not a VMware one.

kix1979
Immortal

I haven't tried, but if you gave the VM a 100% reservation of the memory, would it not create the swap file? Thus securing the VM from the host perspective?

Thomas H. Bryant III
oreeh
Immortal

When you give the VM a 100% reservation, a zero-byte swap file is created.

oreeh
Immortal

There are other traces left besides the swap file.

There are traces in the different logs (vmkernel, hostd, ...).

The question is how easily these traces can be used.

kix1979
Immortal

But those traces contain no data of what is in the VM. So even a zero-byte swap file is useless, because it has no data in it. I would think if you secure the guest OS, turn off things like TPS and have no swap, it would be considered secure. The only thing on top of that you could add would be maybe encryption of the VMDKs, but that would add a significant amount of overhead to the virtualization layer.

Thomas H. Bryant III
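To make the host-side knobs mentioned in this thread (tmpDirectory, the 100% memory reservation, turning off TPS, sealing the guest) concrete, here is an added example of a .vmx fragment. It is not code from any post above and not VMware documentation; the option names are ones I know from VMware's configuration reference, and whether each key is honoured by your product and version (Workstation vs. ESX of this era) is an assumption to check against the docs. The drive letter and paths are placeholders.

```ini
; Added example .vmx fragment (not from the thread). Assumes the keys below exist in
; your VMware product/version; verify against the configuration reference.
; Assumption: the TrueCrypt volume is mounted as drive T: and holds the VM directory.

; Guest RAM in MB, with an ESX-style reservation of the full amount so the host
; creates only the zero-byte .vswp described in the thread instead of a real swap file.
memsize = "1024"
sched.mem.min = "1024"

; Disable transparent page sharing (TPS) for this VM, as suggested in the thread.
sched.mem.pshare.enable = "FALSE"

; Do not let the host trim/reclaim guest pages into its own paging space.
MemTrimRate = "0"

; Workstation backs guest memory with a .vmem file in the VM directory by default.
; Keep that (TRUE) so the backing file lives beside the VMDK on the encrypted volume;
; FALSE would back it with host memory/paging space outside TrueCrypt.
mainMem.useNamedFile = "TRUE"

; Keep suspend/snapshot state and scratch files on the encrypted volume too
; (jchamcham's tmpDirectory point; workingDir covers .vmss/.vmsn files).
workingDir = "T:\vm\secure"
tmpDirectory = "T:\vm\secure\tmp"

; Forbid snapshots: a snapshot is another on-disk copy of guest memory and disk state.
snapshot.disabled = "TRUE"

; "Seal" the guest from the host session: no clipboard or drag-and-drop sharing.
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"

; Per-VM vmware.log is written into the VM directory (encrypted here); turning it off
; does nothing for host-level logs such as hostd/vmkernel, which oreeh notes remain.
logging = "FALSE"
```

None of this addresses the point jchamcham raises: if the host operating system itself pages out the VMware process, guest memory can land in the host's pagefile, which no .vmx setting controls. That has to be handled at the host OS level (for example, by disabling the host pagefile or configuring it to be cleared on shutdown), and it is a host OS property rather than a VMware one.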
oreeh
Immortal

> But those traces contain no data of what is in the VM.

Only VMware knows, I guess.

> So even a zero byte swapfile is useless, because it has no data in it.

Agree.

anotherbt
Contributor

Yes, it will leave traces; see my post http://www.vmware.com/community/thread.jspa?threadID=70884&tstart=0

Then any decent forensics will get you.

jchamcham
VMware Employee

Encryption of the VMDKs, suspend file, and configuration files has been available in VMware ACE since Dec 2004. You might want to look into that if you're on the desktop, not the server.

jasperbr
Contributor

I know what you want to do, but who exactly do you want to protect your data from? If it's law enforcement, having a VM inside an encrypted drive might be sufficient. If you're trying to protect things from the government, then all bets are off.

If you want to hide porn from your parents it's easy. (Unless one of your parents happens to work for the FBI forensics team or NSA data recovery.)

If you want to hide things from the law, it gets harder, as they have access to the FBI's forensic services. The best you can do is get everything encrypted and then run EnCase on your own drives to see if you can find anything.

If you want to hide things from criminals, then consider the worst case: they have a black hat with the skills of the FBI's forensic lab.

If you want to hide things from the NSA, what the h@#$ are you doing in the first place that would draw their attention? You should seal your computers into an EM-shielded room (TEMPEST) with no outside connections (sniffing and intrusion) and have a block of thermite sitting on top of your drives, with a panic button on you at all times. (NSA data recovery can get data off your drive no matter how many times you overwrite it, though overwriting will drop the classification level of the drive by one step. Per their own directive for destruction of classified material, get an NSA-approved degausser, yank your drive and toss it in. Note that the degaussers that don't require you to take the platters out cost in the range of $30k+.) Even with all of that, I can't guarantee they won't get your data.

If you want ideas, look at the Common Criteria approved products list for data encryption that's approved per NSTISSP No. 11 for use on classified data. I'd advise looking for EAL 4+ products.
