Solved

Supported disk encryption for VMware virtual machines

Posted on 2014-02-06
Last Modified: 2014-02-18
Hi all

I need to encrypt Windows VMs in a VMware environment at a host level. BitLocker is out as it's not supported by VMware. PGP appears to be problematic. TrueCrypt supports Windows Server 2003 and 2008 but not 2012, so that's problematic, but looks to be the best option so far. I can't encrypt at the hypervisor or storage layer.

Any suggestions as to what host-based encryption tool I can use that's fully supported in a VMware environment?
Question by:Duncan Meyers
16 Comments
 
LVL 117
ID: 39841179
So you are looking for a product which encrypts the virtual machine disks (VMDK) at Host, Hypervisor level?
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841220
My bad. VM level or guest level.
 
LVL 117
ID: 39841296
I would opt for Truecrypt, when they release support for Windows 2012.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841301
Cool - but I need support for 2012 now unfortunately.
 
LVL 117
ID: 39841327
We've had the same issues with many vendor-led projects that still do not have support for Windows 2012 and Windows 2012 R2, and the projects are on hold.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841365
Remind me again how long 2012's been out?  :-)
 
LVL 117
ID: 39841408
Yes, I know it's disappointing....we've had several projects switch to VMware, because SAN support was not ready or buggy.
 
LVL 53

Expert Comment

by:McKnife
ID: 39841483
BL not supported by vmware? Which version of vmware and workstation/esxi...?
We use BL (2008/2012 servers) on ESXI 5/5.5 - no problems at all.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841513
 
LVL 53

Expert Comment

by:McKnife
ID: 39841557
Please read carefully: VMWare says "As stated in the BitLocker Frequently Asked Questions (FAQ), Microsoft does not support the use of BitLocker within a virtual machine." while Microsoft says "BitLocker is not supported on bootable VHDs"

That is something completely different. Both vmware and you should think about what "booting from vhd" means. This is something totally different.

So MS does of course not say BL is not supported on VMs.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39843163
I read it carefully. It says VMware does not support the use of BitLocker in virtual machines. I also read the Microsoft documents carefully and it doesn't specifically mention VMware at all and it probably is fine on the data drives. But I have a situation where the product has to be supported so VMware's statement rules BitLocker out - whether or not it works.
 
LVL 53

Expert Comment

by:McKnife
ID: 39843355
May I ask what vmware product you are using? And when or how should the encryption key be provided?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844092
Have you tried it? Supported means a lot of things...typically it means no help for you if you use it and there is a problem. It does not mean it will not work.
Nonetheless, BL for a VM makes very little sense, as BL only protects the drive if it's physically stolen. To steal a VM you only need a snapshot, and once the OS is booted, you can take the snapshot of the live system and wherever you copy it, it will be a live system again when you open that snapshot. BL won't work (protect) in that case. It will if they power it down and try to reboot and it asks for a password they don't have.

I'm not understanding the use case for BL on a VM, and I bet M$ and VMware may be thinking the same thing. BL does work in VMware Windows guests. I've not tried the full HDD encryption, but the BL-2-go stuff works just fine.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
 
LVL 30

Accepted Solution

by:
Duncan Meyers earned 0 total points
ID: 39844714
Whether or not it works is immaterial - this is in a corporate environment where the vendor's support statement explicitly rules the product out. There is no such statement for TrueCrypt. If TrueCrypt supported 2012 I wouldn't have needed to ask this question.

The specific application here is all about shared storage disk encryption and how to protect data that may be on a failed disk. In this case, I can't encrypt at the storage level, I can't encrypt at the SAN and I can't encrypt at the hypervisor, which only leaves me the VM.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844729
When the guest is running it's not encrypted; the OS looks like a "normal" OS, and no extra boundary exists when using BL/TC/PGP until it's powered off.
You could use TC/BL/PGP to encrypt the container/folder the VMDKs are kept in. But using BL on the "inside" of the VM is probably incorrect, because when the OS is running it is essentially unencrypted until it loses power. Using it on the "outside" of the VM, to encrypt the disk image of the guest, would be the same thing really: when that folder/partition/container is mounted the VMDKs are "plain-text" until that container is unmounted and the decryption key is no longer in memory. But the "outside" method would be more supported, as they are just files sitting inside folders. When those folders are unmounted/closed the VMDKs can't be accessed.
I'm probably still misunderstanding.
-rich
 
LVL 30

Author Closing Comment

by:Duncan Meyers
ID: 39866925
Looks like it's TrueCrypt or nowt. For 2012, it's nowt.