VMware Communities
gsmalter
Contributor

Encryption alternatives

I want to encrypt a MacBook Pro that I run Windows on using VMware Fusion 5 (the consumer version, unless I see a reason to get the new business version). There are three approaches that I'm aware of:

1) Use FileVault to encrypt basically the whole MacBook.

2) Use VMware's enable encryption feature on the VM itself.

3) Use BitLocker on the guest Windows operating system.

Choice 3 doesn't seem to make a whole lot of sense since 2 is probably just as secure and simpler. Choice 1 is the most attractive because I'm not just encrypting the VM, so the answer to the question "is your laptop encrypted" is simpler and definitive. But, I recently read that encrypting the host OS is not recommended for performance reasons.

I didn't learn about Choice 2 until recently, but it is evidently the most supported option and it's the recommendation I expect to receive in the VMware community, I suppose. What are the performance implications of enabling encryption on the VM itself? How do these compare to the performance implications of Choice 1? I guess I'm having a hard time understanding how they could be very different.

I'm not sure if it matters, but the MacBook will have an SSD. Thanks.

4 Replies
continuum
Immortal

> I didn't learn about Choice 2 until recently, but it is evidently the most supported option and it's the recommendation I expect to receive in the VMware community, I suppose.

After trying to repair broken encrypted VMs several times I tell all my customers NOT to use VMware encrypted VMs unless
- you regard the data inside the VM as expendable
- you use one piece preallocated vmdks
- you create daily backups of the vmx-file

I would use your option 1



ColoradoMarmot
Champion

3 isn't secure because the virtual memory file is written unencrypted. 1 is hands-down the best option. Very very little performance hit, and it just works.

Make sure you have a good backup of the disk before encrypting, and write down your recovery key when it's provided.

gsmalter
Contributor

Option 1 is what I ended up doing. It works great and I have no performance issues related to this. Thanks.

Table23
Contributor

I use option 1 (Mac OS FileVault to encrypt basically the whole MacBook) w/o problems.
