Solved

Supported disk encryption for VMware virtual machines

Posted on 2014-02-06
Last Modified: 2014-02-18
Hi all

I need to encrypt Windows VMs in a VMware environment at a host level. BitLocker is out as it's not supported by VMware. PGP appears to be problematic. TrueCrypt supports Windows Server 2003 and 2008 but not 2012, so that's problematic, but looks to be the best option so far. I can't encrypt at the hypervisor or storage layer.

Any suggestions as to what host-based encryption tool I can use that's fully supported in a VMware environment?

Question by: Duncan Meyers

16 Comments
 
LVL 119
ID: 39841179
So you are looking for a product which encrypts the virtual machine disks (VMDK) at Host, Hypervisor level?
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841220
My bad. VM level or guest level.
 
LVL 119
ID: 39841296
I would opt for Truecrypt, when they release support for Windows 2012.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841301
Cool - but I need support for 2012 now, unfortunately.
 
LVL 119
ID: 39841327
We've had the same issues with many vendor-led projects that still do not have support for Windows 2012 and Windows 2012 R2, and the projects are on hold.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841365
Remind me again how long 2012's been out? :-)
 
LVL 119
ID: 39841408
Yes, I know it's disappointing... we've had several projects switch to VMware because SAN support was not ready or buggy.
 
LVL 54

Expert Comment

by:McKnife
ID: 39841483
BL not supported by VMware? Which version of VMware, and Workstation/ESXi...?
We use BL (2008/2012 servers) on ESXi 5/5.5 - no problems at all.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841513
 
LVL 54

Expert Comment

by:McKnife
ID: 39841557
Please read carefully: VMware says "As stated in the BitLocker Frequently Asked Questions (FAQ), Microsoft does not support the use of BitLocker within a virtual machine," while Microsoft says "BitLocker is not supported on bootable VHDs."

That is something completely different. Both VMware and you should think about what "booting from VHD" means. This is something totally different.

So MS of course does not say BL is not supported on VMs.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39843163
I read it carefully. It says VMware does not support the use of BitLocker in virtual machines. I also read the Microsoft documents carefully, and they don't specifically mention VMware at all, and it probably is fine on the data drives. But I have a situation where the product has to be supported, so VMware's statement rules BitLocker out - whether or not it works.
 
LVL 54

Expert Comment

by:McKnife
ID: 39843355
May I ask what VMware product you are using? And when or how should the encryption key be provided?
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844092
Have you tried it? Supported means a lot of things... typically it means no help for you if you use it and there is a problem. It does not mean it will not work.
Nonetheless, BL for a VM makes very little sense, as BL only protects the drive if it's physically stolen. To steal a VM you only need a snapshot, and once the OS is booted, you can take the snapshot of the live system and wherever you copy it, it will be a live system again when you open that snapshot. BL won't work (protect) in that case. It will if they power it down and try to reboot and it asks for a password they don't have.

I'm not understanding the use case for BL on a VM, and I bet M$ and VMware may be thinking the same thing. BL does work in VMware Windows guests; I've not tried the full HDD encryption, but the BL-2-go stuff works just fine.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
 
LVL 30

Accepted Solution

by:
Duncan Meyers earned 0 total points
ID: 39844714
Whether or not it works is immaterial - this is in a corporate environment where the vendor's support statement explicitly rules the product out. There is no such statement for TrueCrypt. If TrueCrypt supported 2012 I wouldn't have needed to ask this question.

The specific application here is all about shared storage disk encryption and how to protect data that may be on a failed disk. In this case, I can't encrypt at the storage level, I can't encrypt at the SAN and I can't encrypt at the hypervisor, which only leaves me the VM.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844729
When the guest is running it's not encrypted; the OS looks like a "normal" OS, and no extra boundary exists when using BL/TC/PGP until it's powered off.
You could use TC/BL/PGP to encrypt the container/folder the VMDKs are kept in. But using BL on the "inside" of the VM is probably incorrect, because when the OS is running it is essentially unencrypted until it loses power. Using it on the "outside" of the VM, to encrypt the disk image of the guest, would be the same thing really: when that folder/partition/container is mounted, the VMDKs are "plain-text" until that container is unmounted and the decryption key is no longer in memory. But the "outside" method would be more supported, as they are just files sitting inside folders. When those folders are unmounted/closed the VMDKs can't be accessed.
I'm probably still misunderstanding.
-rich
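Rich's point in the two comments above is that BitLocker inside a guest only protects the disk while the VM is powered off, and Duncan's earlier remark is that data drives are the more defensible case. As an added example (not from this thread, nor from VMware or Microsoft), the following PowerShell audit run inside a Windows Server 2012 guest lists each volume's BitLocker state and key protectors, notes that the machine is a VMware guest via Win32_ComputerSystem, and flags OS volumes (protected only while powered off) and unprotected data volumes. The cmdlets and WMI class are the real ones shipped with Windows; the column layout is my own choice.

```powershell
# Added example: audit BitLocker state inside a Windows guest (Server 2012+).
# Needs the BitLocker PowerShell module; run in an elevated session.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$isVMwareGuest = $cs.Manufacturer -match 'VMware'
Write-Output ("Platform: {0} {1} (VMware guest: {2})" -f $cs.Manufacturer, $cs.Model, $isVMwareGuest)
Write-Output ("{0,-4} {1,-16} {2,-4} {3,-30} {4}" -f 'Vol', 'Type', 'Prot', 'KeyProtectors', 'Note')

foreach ($vol in Get-BitLockerVolume) {
    # Key protector types present on the volume (RecoveryPassword, Password, ExternalKey, Tpm ...)
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    if (-not $protectors) { $protectors = 'none' }

    $note = ''
    if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -eq 'On') {
        # Keys sit in guest memory while it runs; a snapshot of the running VM
        # captures the unlocked state, so protection only holds when powered off.
        $note = 'OS volume: protected only while powered off'
    } elseif ($vol.VolumeType -eq 'Data' -and $vol.ProtectionStatus -eq 'Off') {
        $note = 'data volume not protected'
    } elseif ($vol.VolumeType -eq 'Data' -and $protectors -match 'ExternalKey') {
        # Auto-unlock: the data volume opens whenever the OS volume is unlocked.
        $note = 'auto-unlocks with OS volume'
    }
    Write-Output ("{0,-4} {1,-16} {2,-4} {3,-30} {4}" -f $vol.MountPoint, $vol.VolumeType, $vol.ProtectionStatus, $protectors, $note)
}
```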
 
LVL 30

Author Closing Comment

by:Duncan Meyers
ID: 39866925
Looks like it's TrueCrypt or nowt. For 2012, it's nowt.