Solved

Supported disk encryption for VMware virtual machines

Posted on 2014-02-06
Last Modified: 2014-02-18
Hi all

I need to encrypt Windows VMs in a VMware environment at a host level. BitLocker is out as it's not supported by VMware. PGP appears to be problematic. TrueCrypt supports Windows Server 2003 and 2008 but not 2012, so that's problematic, but looks to be the best option so far. I can't encrypt at the hypervisor or storage layer.

Any suggestions as to what host-based encryption tool I can use that's fully supported in a VMware environment?
Question by:Duncan Meyers
16 Comments
 
LVL 118
ID: 39841179
So you are looking for a product which encrypts the virtual machine disks (VMDK) at Host, Hypervisor level?
0
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841220
My bad. VM level or guest level.
0
 
LVL 118
ID: 39841296
I would opt for TrueCrypt, when they release support for Windows 2012.
0
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841301
Cool - but I need support for 2012 now unfortunately.
0
 
LVL 118
ID: 39841327
We've had the same issues with many vendor-led projects that still do not have support for Windows 2012 and Windows 2012 R2, and the projects are on hold.
0
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841365
Remind me again how long 2012's been out?  :-)
0
 
LVL 118
ID: 39841408
Yes, I know it's disappointing....we've had several projects switch to VMware, because SAN support was not ready or buggy.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39841483
BL not supported by VMware? Which version of VMware and Workstation/ESXi...?
We use BL (2008/2012 servers) on ESXi 5/5.5 - no problems at all.
0

 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39841513
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39841557
Please read carefully: VMware says "As stated in the BitLocker Frequently Asked Questions (FAQ), Microsoft does not support the use of BitLocker within a virtual machine." while Microsoft says "BitLocker is not supported on bootable VHDs"

That is something completely different. Both VMware and you should think about what "booting from VHD" means. This is something totally different.

So MS does of course not say BL is not supported on VMs.
0
 
LVL 30

Author Comment

by:Duncan Meyers
ID: 39843163
I read it carefully. It says VMware does not support the use of BitLocker in virtual machines. I also read the Microsoft documents carefully and it doesn't specifically mention VMware at all and it probably is fine on the data drives. But I have a situation where the product has to be supported so VMware's statement rules BitLocker out - whether or not it works.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39843355
May I ask what VMware product you are using? And when or how should the encryption key be provided?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844092
Have you tried it? Supported means a lot of things... typically it means no help for you if you use it and there is a problem. It does not mean it will not work.
Nonetheless, BL for a VM makes very little sense, as BL only protects the drive if it's physically stolen. To steal a VM you only need a snapshot, and once the OS is booted, you can take the snapshot of the live system and wherever you copy it, it will be a live system again when you open that snapshot. BL won't work (protect) in that case. It will if they power it down and try to reboot and it asks for a password they don't have.

I'm not understanding the use case for BL on VM, and I bet M$ and VMware may be thinking the same thing. BL does work in VMware Windows guests, I've not tried the full HDD encryption, but the BL-2-go stuff works just fine.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 30

Accepted Solution

by:Duncan Meyers
ID: 39844714
Whether or not it works is immaterial - this is in a corporate environment where the vendor's support statement explicitly rules the product out. There is no such statement for TrueCrypt. If TrueCrypt supported 2012 I wouldn't have needed to ask this question.

The specific application here is all about shared storage disk encryption and how to protect data that may be on a failed disk. In this case, I can't encrypt at the storage level, I can't encrypt at the SAN and I can't encrypt at the hypervisor which only leaves me the VM.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39844729
When the guest is running it's not encrypted, the OS looks like a "normal" OS, no extra boundary exists when using BL/TC/PGP until it's powered off.
You could use TC/BL/PGP to encrypt the container/folder the VMDKs are kept in. But using BL on the "inside" of the VM is probably incorrect, because when the OS is running it is essentially unencrypted until it loses power. Using it on the "outside" of the VM, to encrypt the disk image of the guest would be the same thing really, when that folder/partition/container is mounted the VMDKs are "plain-text" until that container is unmounted and the decryption key is no longer in memory. But the "outside" method would be more supported, as they are just files running inside folders. When those folders are unmounted/closed the VMDKs can't be accessed.
I'm probably still misunderstanding.
-rich
0
 
LVL 30

Author Closing Comment

by:Duncan Meyers
ID: 39866925
Looks like it's TrueCrypt or nowt. For 2012, it's nowt.
0
