Solved

Supported disk encryption for VMware virtual machines

Posted on 2014-02-06
Last Modified: 2014-02-18
Hi all

I need to encrypt Windows VMs in a VMware environment at a host level. BitLocker is out as it's not supported by VMware. PGP appears to be problematic. TrueCrypt supports Windows Server 2003 and 2008 but not 2012, so that's problematic, but looks to be the best option so far. I can't encrypt at the hypervisor or storage layer.

Any suggestions as to what host-based encryption tool i can use that's fully supported in a VMware environment?
Question by:Duncan Meyers
16 Comments
 
LVL 121
ID: 39841179
So you are looking for a product which encrypts the virtual machine disks (VMDK) at Host, Hypervisor level?
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841220
My bad. VM level or guest level.
 
LVL 121
ID: 39841296
I would opt for Truecrypt, when they release support for Windows 2012.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841301
Cool - but I need support for 2012 now unfortunately.
 
LVL 121
ID: 39841327
We've had the same issues with many vendor led projects, that still do not have support for Windows 2012, and Windows 2012 R2, and the projects are on hold.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841365
Remind me again how long 2012's been out?  :-)
 
LVL 121
ID: 39841408
Yes, I know it's disappointing... we've had several projects switch to VMware, because SAN support was not ready or buggy.
 
LVL 55

Expert Comment

by:McKnife
ID: 39841483
BL not supported by vmware? Which version of vmware and workstation/esxi...?
We use BL (2008/2012 servers) on ESXI 5/5.5 - no problems at all.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841513
 
LVL 55

Expert Comment

by:McKnife
ID: 39841557
Please read carefully: VMWare says "As stated in the BitLocker Frequently Asked Questions (FAQ), Microsoft does not support the use of BitLocker within a virtual machine." while Microsoft says "BitLocker is not supported on bootable VHDs"

That is something completely different. Both vmware and you should think about what "booting from vhd" means. This is something totally different.

So MS does of course not say BL is not supported on VMs.
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39843163
I read it carefully. It says VMware does not support the use of BitLocker in virtual machines. I also read the Microsoft documents carefully and it doesn't specifically mention VMware at all and it probably is fine on the data drives. But I have a situation where the product has to be supported so VMware's statement rules BitLocker out - whether or not it works.
 
LVL 55

Expert Comment

by:McKnife
ID: 39843355
May I ask what vmware product you are using? And when or how should the encryption key be provided?
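To put McKnife's point (BitLocker runs on 2008/2012 guests on ESXi) and the key-provision question on a concrete footing, here is an added PowerShell check of my own, not from the thread: run inside the Windows guest, it reports whether the machine is a VMware guest, whether a TPM is present, and how each BitLocker volume is protected. It assumes Windows Server 2012 or later with the BitLocker feature installed (for `Get-BitLockerVolume` and `Get-Tpm`); `Get-GuestBitLockerReport` is a name I chose.

```powershell
# Added example, not from the thread. Run inside the Windows guest as Administrator.
# Assumes Windows Server 2012+ with the BitLocker feature installed (Get-BitLockerVolume)
# and the TrustedPlatformModule cmdlets (Get-Tpm). The function name is my own.
function Get-GuestBitLockerReport {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Guests of this era have no virtual TPM. Without one, the OS volume can only be
    # unlocked with a password or a USB startup key, and the policy
    # "Require additional authentication at startup" must allow BitLocker without a TPM.
    $tpmPresent = $false
    try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }

    $volumes = foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $v.ProtectionStatus  # On / Off
            Protectors       = ($types -join ',')
            # A protected OS volume with no TPM-based protector can only be unlocked by
            # someone at the console, so an unattended reboot of the VM will stall there.
            # Data volumes can auto-unlock from the OS volume and do not have this problem.
            NeedsConsoleUnlock = ($v.VolumeType -eq 'OperatingSystem') -and
                                 ($v.ProtectionStatus -eq 'On') -and
                                 -not ($types -match '^Tpm')
        }
    }

    [pscustomobject]@{
        Manufacturer  = $cs.Manufacturer
        Model         = $cs.Model
        IsVMwareGuest = ($cs.Manufacturer -like 'VMware*')
        TpmPresent    = $tpmPresent
        Volumes       = $volumes
    }
}

$r = Get-GuestBitLockerReport
"{0} {1} (VMware guest: {2}, TPM present: {3})" -f $r.Manufacturer, $r.Model, $r.IsVMwareGuest, $r.TpmPresent
$r.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, Protectors, NeedsConsoleUnlock -AutoSize
```

The report only describes protection of data at rest; as Rich notes later in the thread, a running guest presents its disks in the clear to anyone who can snapshot or copy the live VM.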
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844092
Have you tried it? Supported means a lot of things... typically it means no help for you if you use it and there is a problem. It does not mean it will not work.
Nonetheless, BL for a VM makes very little sense, as BL only protects the drive if it's physically stolen. To steal a VM you only need a snapshot, and once the OS is booted, you can take the snapshot of the live system and wherever you copy it, it will be a live system again when you open that snapshot. BL won't work (protect) in that case. It will if they power it down and try to reboot and it asks for a password they don't have.

I'm not understanding the use case for BL on vm, and I bet M$ and VmWare may be thinking the same thing. BL does work in VMware windows guests, I've not tried the full HDD encryption, but the BL-2-go stuff works just fine.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
 
LVL 30

Accepted Solution

by:
Duncan Meyers earned 0 total points
ID: 39844714
Whether or not it works is immaterial - this is in a corporate environment where the vendor's support statement explicitly rules the product out. There is no such statement for TrueCrypt. If TrueCrypt supported 2012 I wouldn't have needed to ask this question.

The specific application here is all about shared storage disk encryption and how to protect data that may be on a failed disk. In this case, I can't encrypt at the storage level, I can't encrypt at the SAN and I can't encrypt at the hypervisor which only leaves me the VM.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844729
When the guest is running it's not encrypted, the OS looks like a "normal" OS, no extra boundary exists when using BL/TC/PGP until it's powered off.
You could use TC/BL/PGP to encrypt the container/folder the VMDKs are kept in. But using BL on the "inside" of the VM is probably incorrect, because when the OS is running it is essentially unencrypted until it loses power. Using it on the "outside" of the VM, to encrypt the disk image of the guest, would be the same thing really: when that folder/partition/container is mounted the VMDKs are "plain-text" until that container is unmounted and the decryption key is no longer in memory. But the "outside" method would be more supported, as they are just files running inside folders. When those folders are unmounted/closed the VMDKs can't be accessed.
I'm probably still misunderstanding.
-rich
 
LVL 30

Author Closing Comment

by:Duncan Meyers
ID: 39866925
Looks like it's TrueCrypt or nowt. For 2012, it's nowt.