
Supported disk encryption for VMware virtual machines

Hi all

I need to encrypt Windows VMs in a VMware environment at a host level. BitLocker is out as it's not supported by VMware. PGP appears to be problematic. TrueCrypt supports Windows Server 2003 and 2008 but not 2012, so that's problematic, but looks to be the best option so far. I can't encrypt at the hypervisor or storage layer.

Any suggestions as to what host-based encryption tool i can use that's fully supported in a VMware environment?
0
Asked by: Duncan Meyers
1 Solution
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
So you are looking for a product which encrypts the virtual machine disks (VMDK) at the host/hypervisor level?
0
 
Duncan Meyers (Author) commented:
My bad. VM level or guest level.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I would opt for TrueCrypt, when they release support for Windows 2012.
0
 
Duncan Meyers (Author) commented:
Cool - but I need support for 2012 now unfortunately.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
We've had the same issues with many vendor-led projects that still do not have support for Windows 2012 and Windows 2012 R2, and the projects are on hold.
0
 
Duncan Meyers (Author) commented:
Remind me again how long 2012's been out? :-)
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Yes, I know it's disappointing... we've had several projects switch to VMware, because SAN support was not ready or buggy.
0
 
McKnife commented:
BL not supported by VMware? Which version of VMware, and Workstation/ESXi...?
We use BL (2008/2012 servers) on ESXi 5/5.5 - no problems at all.
0
 
McKnife commented:
Please read carefully: VMware says "As stated in the BitLocker Frequently Asked Questions (FAQ), Microsoft does not support the use of BitLocker within a virtual machine." while Microsoft says "BitLocker is not supported on bootable VHDs".

That is something completely different. Both VMware and you should think about what "booting from VHD" means. This is something totally different.

So MS does, of course, not say that BL is not supported on VMs.
0
 
Duncan Meyers (Author) commented:
I read it carefully. It says VMware does not support the use of BitLocker in virtual machines. I also read the Microsoft documents carefully and it doesn't specifically mention VMware at all and it probably is fine on the data drives. But I have a situation where the product has to be supported so VMware's statement rules BitLocker out - whether or not it works.
0
 
McKnife commented:
May I ask what VMware product you are using? And when or how should the encryption key be provided?
0
 
Rich Rumble (Security Samurai) commented:
Have you tried it? Supported means a lot of things... typically it means no help for you if you use it and there is a problem. It does not mean it will not work.
Nonetheless, BL for a VM makes very little sense, as BL only protects the drive if it's physically stolen. To steal a VM you only need a snapshot, and once the OS is booted, you can take the snapshot of the live system and wherever you copy it, it will be a live system again when you open that snapshot. BL won't work (protect) in that case. It will if they power it down and try to reboot and it asks for a password they don't have.

I'm not understanding the use case for BL on a VM, and I bet M$ and VMware may be thinking the same thing. BL does work in VMware Windows guests; I've not tried the full HDD encryption, but the BitLocker To Go stuff works just fine.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
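McKnife and Rich report that BitLocker does work inside Windows guests on ESXi, and Duncan notes it is probably fine on the data drives. As an added example (not code from anyone in this thread), this is how a data volume would be protected in a Windows Server 2012 guest that has no TPM, and how the result is checked; the `D:` mount point, the interactive password prompt and an already-installed BitLocker feature are assumptions.

```powershell
# Added example, not from the thread. Assumes: run elevated inside the guest,
# D: is the data volume to protect, and the BitLocker feature is installed
# (Install-WindowsFeature BitLocker). The guest has no TPM, so a password
# protector is used instead of a TPM protector.
param(
    [string]$MountPoint = 'D:'
)
Import-Module BitLocker

# Password that unlocks the data volume after each guest reboot.
$pw = Read-Host -AsSecureString -Prompt "Unlock password for $MountPoint"

# Encrypt used space only (fast on a fresh volume); AES-256 for data at rest.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# Add a 48-digit recovery password and keep it outside the VM: without it or
# the unlock password, the VMDK sectors for this volume on a failed or copied
# datastore disk stay ciphertext, which is the use case raised in the thread.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password (store off-VM): $($_.RecoveryPassword)" }

# Verify: ProtectionStatus should be On once EncryptionPercentage reaches 100.
# Note the caveat from the thread: a memory snapshot of the running guest still
# captures the unlocked state; BitLocker only protects the volume when it is locked.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

Whether this satisfies a vendor support statement is a separate question from whether it works, which is the distinction Duncan and Rich are arguing about.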
 
Duncan Meyers (Author) commented:
Whether or not it works is immaterial - this is in a corporate environment where the vendor's support statement explicitly rules the product out. There is no such statement for TrueCrypt. If TrueCrypt supported 2012 I wouldn't have needed to ask this question.

The specific application here is all about shared storage disk encryption and how to protect data that may be on a failed disk. In this case, I can't encrypt at the storage level, I can't encrypt at the SAN and I can't encrypt at the hypervisor which only leaves me the VM.
0
 
Rich Rumble (Security Samurai) commented:
When the guest is running it's not encrypted; the OS looks like a "normal" OS, and no extra boundary exists when using BL/TC/PGP until it's powered off.
You could use TC/BL/PGP to encrypt the container/folder the VMDKs are kept in. But using BL on the "inside" of the VM is probably incorrect, because when the OS is running it is essentially unencrypted until it loses power. Using it on the "outside" of the VM, to encrypt the disk image of the guest, would be the same thing really: when that folder/partition/container is mounted the VMDKs are "plain-text" until that container is unmounted and the decryption key is no longer in memory. But the "outside" method would be more supported, as they are just files sitting inside folders. When those folders are unmounted/closed the VMDKs can't be accessed.
I'm probably still misunderstanding.
-rich
0
 
Duncan Meyers (Author) commented:
Looks like it's TrueCrypt or nowt. For 2012, it's nowt.
0
Question has a verified solution.
