VMware Communities
tauqeerahmad
Contributor

Which one is best, host or guest encryption?

Hi folks,

Can anyone please tell me which option is better, I mean whether I should encrypt my data at the virtual machine level or the guest level? I tried to investigate it but did not find the best solution, so I thought I would start a discussion here. Actually I want to protect my guest data, but I am not sure what the possible pros and cons are if I apply encryption at one of these two options.

It might have nothing to do with practical implementation, but it will give us an idea about the problems that can happen. So to summarize the discussion:


What are the possible pros and cons of implementing encryption at the virtual machine or host level?

Any help in this regard will be highly appreciated.

BR,

Tauqeer

2 Replies
admin
Immortal

One thing to keep in mind is that since the virtual machine is running as a process in the host machine, the host can inspect arbitrary portions of the guest's memory. This means that no matter what encryption system you use, the host can extract the keys as long as the guest can read the files. There is no way to secure a guest OS from the host. The only way around this is to keep the host OS in a trusted state (i.e. don't let unauthorized software run, don't install updates, etc.) and to shut down the guest rather than suspend it every time they're done. When you suspend a guest, VMware writes its memory to the host's hard drive, potentially including any encryption keys for folders. That shouldn't happen if you shut down. It doesn't protect you from an online attack (one carried out when the system is running, not strictly one over the Internet), but it should prevent a thief with physical access from getting at the records.

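To make the reply's point concrete, here is an added example (my own code, not from the thread and not a VMware tool): a scanner that pulls AES-128 keys out of a raw memory image by recognising the expanded key schedule that any software AES implementation keeps in RAM while a key is in use. The 176-byte AES-128 schedule is a deterministic function of the 16-byte key, so a window whose following 160 bytes match the expansion is a key, whatever guest-side encryption product produced it. The memory image is constructed in-process (pseudo-random filler with one schedule planted at an arbitrary offset; the planted key is the FIPS-197 example key); against a real suspend file you would read the file from disk instead, since it holds the guest's RAM.

```python
"""Recover AES-128 keys from a raw memory image by finding key schedules.

Added example illustrating the reply above: anything the guest can decrypt,
the host can read out of guest RAM, including the RAM VMware writes to disk
when a VM is suspended. Every AES round key is derived from the previous
one, so the schedule is recognisable without knowing anything else about
the guest. The image scanned here is constructed; the key offset, image
size and filler are arbitrary assumptions for the demo.
"""
import random

# --- AES primitives (FIPS-197), written out so the example has no dependencies

def _rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF

def _build_sbox():
    """Generate the AES S-box: inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks the field by multiplying by 3 (a generator); q divides by 3,
        # so q is always the multiplicative inverse of p.
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key_128(key, rounds=10):
    """Return the AES-128 key schedule for `key`: 16 * (rounds + 1) bytes."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 4 * (rounds + 1)):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # RotWord + SubWord
            temp[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    return bytes(b for word in w for b in word)

# --- the scan

SCHEDULE_LEN = 176  # 11 round keys * 16 bytes

def find_aes128_keys(image):
    """Return [(offset, key)] for every AES-128 key schedule found in `image`."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        candidate = image[off:off + 16]
        # Cheap filter first: recompute only round key 1. A random window
        # passes this with probability 2**-128, so the full expansion runs
        # essentially only on true hits.
        if expand_key_128(candidate, rounds=1) != image[off:off + 32]:
            continue
        if expand_key_128(candidate) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, candidate))
    return hits

def build_sample_image(key, key_offset=0x1234, size=32 * 1024, seed=7):
    """Constructed stand-in for a suspended VM's memory: pseudo-random filler
    with one AES-128 key schedule planted where a crypto library would keep it.
    The offset, size and filler are assumptions made for this demo."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[key_offset:key_offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(image)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
    image = build_sample_image(key)
    for off, found in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}, key {found.hex()}")
    # prints: AES-128 key schedule at offset 0x1234, key 2b7e151628aed2a6abf7158809cf4f3c
```

Nothing in the scan depends on which guest product did the encrypting, which is the practical consequence of the reply: the host (or whoever can read its disk after a suspend) does not need to break the cipher, only to find the key material that the guest necessarily keeps in RAM. Shutting the guest down rather than suspending it, as the reply recommends, removes that RAM from the disk; it does nothing against a host that is compromised while the guest runs.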
ColoradoMarmot
Champion

Host - hands down, especially on a Mac with FileVault 2. The use cases for encrypted VMs are there, but as noted, a compromised host can result in access to the VM.
