Solved

What to use to encrypt a drive on a Virtual Machine

Posted on 2014-04-28
Last Modified: 2014-04-28
I have a D: drive on a web application server that has the database and file storage on the D: drive. Customer requires files and SQL data at rest be encrypted.

I have tried TrueCrypt and it is unacceptable due to not being able to establish quota checks on the encrypted drive. BitLocker is not recommended for VMs due to not being able to put the encryption key on a USB drive.

Any ideas on how to encrypt this drive and still be able to replicate to DR site and have quotas established to watch for the disk filling up? 2008 server running MS SQL 2008.
Question by:jimmylew52
12 Comments
 

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
Bitlocker or Truecrypt.

Author Comment

by:jimmylew52
I have tried TrueCrypt and it is unacceptable due to not being able to establish quota checks on the encrypted drive.

BitLocker is not recommended for VMs due to not being able to put the encryption key on a USB drive.

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)

Assisted Solution

by:Rich Rumble
Why encrypt the drive? That is not how most handle needing a DB to be encrypted. Full-disk or full-partition encryption only protects you from PHYSICAL theft; have a look at my article here: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
You probably want to encrypt the DB; there are a lot of 3rd parties you can use to do this:
http://technet.microsoft.com/en-us/library/bb510663.aspx
I recommend using an HSM to better secure the keys
http://www.safenet-inc.com/data-protection/database-encryption/sql-encryption/
http://en.wikipedia.org/wiki/Transparent_Data_Encryption

Why do the files need to be encrypted? Again, using Bitlocker or TC for this only protects when the data is physically taken. When the encrypted container is mounted/open, the files look like other files; there is no additional protection once you open the container. You can use NTFS etc., but the encryption part isn't doing much for you. M$ Office documents can have passwords that protect them, and in Office 2007 or greater the encryption is quite good; prior to that, however, it is not. Most of this is covered in my articles.
-rich
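The database-level option linked above (Transparent Data Encryption), sketched for the asker's setup as an added example that is not part of the original thread. In SQL Server 2008, TDE requires Enterprise edition; the database name `AppDb`, certificate name `TdeCert`, file paths and passwords are placeholders. The second half covers the DR requirement: an encrypted database cannot be restored or attached on another server until the certificate has been restored there.

```sql
-- PRIMARY SERVER ------------------------------------------------------
USE master;
-- Database master key in master protects the TDE certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-1>';

-- Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AppDb';

-- Back up the certificate and private key immediately, and store the
-- files off this server. Without them the encrypted data files and
-- backups are unrecoverable, and the DR site cannot bring the DB up.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'E:\KeyBackup\TdeCert.cer'            -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'E:\KeyBackup\TdeCert.pvk',          -- placeholder path
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password-2>'
    );

USE AppDb;                                          -- placeholder database
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;

ALTER DATABASE AppDb SET ENCRYPTION ON;

-- Encryption runs as a background scan. encryption_state 2 = in
-- progress, 3 = encrypted. tempdb appears here too once any database
-- on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete
FROM sys.dm_database_encryption_keys;

-- DR SERVER (run before restoring or attaching AppDb) -----------------
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-3>';

CREATE CERTIFICATE TdeCert
    FROM FILE = 'E:\KeyBackup\TdeCert.cer'          -- copied from primary
    WITH PRIVATE KEY (
        FILE = 'E:\KeyBackup\TdeCert.pvk',
        DECRYPTION BY PASSWORD = '<placeholder-strong-password-2>'
    );
```

TDE encrypts the database's data and log files and its backups only; the application's file storage on D: is not covered and needs separate handling.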

Accepted Solution

by:McKnife
First: Bitlocker can very well use virtual floppies (.flp files) to provide an encryption key on startup of the machine (whole virtual machine is encrypted). To make this a useful idea, put the .flp file onto a share of another secured server. We use this method.
To reply to richrumble's objection of using partition/full hdd encryption on VMs: if the VM host is stolen, it will be stolen when powered down. So if the thief has no way of suspending these machines before powering down the host, they will just crash (be forcefully powered off) and need the key the next time the thief tries to boot them.

Assisted Solution

by:Rich Rumble
You can take the snapshot of the booted OS, but that's not my objection; when the partition/HDD is powered on, there is effectively no encryption at play. Same with a bank vault: the bank opens the vault at 9:00am, and the bank employees can walk in and out of it at will while it's open; it's just another room. When it's closed, only someone with the key can get in. Stealing a VM image that uses FDE would be the same as stealing a physical server that uses FDE, but with a VM your chances of getting "physical" access to it are probably greater. You don't typically find FDE in a server/colocation unless you really do not trust the staff or physical location. FDE is typically found on LTs and portable devices.
-rich

Assisted Solution

by:McKnife
Rich, you don't need to repeat it.  Just think about why I might think this is secure.
Question1: how would you make a snapshot? You cannot log on to the host, or did you think the host is accessible to the thief?
Q2: "Stealing a VM image that uses FDE would be the same as stealing a physical server that uses FDE, but with a VM your chances of getting "physical" access to it are probably greater" - yes? How would you do it? I am sure they are not greater.

Assisted Solution

by:Rich Rumble
>Question1: how would you make a snapshot? You cannot log on to the host, or did you think the host is accessible to the thief?
Yep, 99% of the places I go, if you get admin for one computer, you get it for all. We're discussing protecting files and DBs; I'm assuming the worst has happened: someone who is not authorized is accessing the data/machine. I'm assuming that machine is pwned. File level/DB level encryption would be a better defense than FDE. Physical theft isn't really on my radar, but that's what FDE helps against, that's all.
>Q2: "Stealing a VM image that uses FDE would be the same as stealing a physical server that uses FDE, but with a VM your chances of getting "physical" access to it are probably greater" - yes? How would you do it? I am sure they are not greater.
It's "easier" to steal a VM and go unnoticed when it's 0's and 1's, as opposed to lugging around a 100lbs server. Again the worst has happened, someone has access where they shouldn't, and file-level/cell/db level encryption, in my mind, are the places I'd focus on.
-rich

Assisted Solution

by:McKnife
I am not convinced a tiny bit.
I will tell you more if the author is interested, no sooner.

Author Comment

by:jimmylew52
Thank all of you for your input. A lot of good discussion here and I appreciate it.

I will be using BitLocker to encrypt the drive and a floppy or USB, as is easier for me to set up.

Richrumble - I agree with you on the lack of security, but the encryption at rest is a requirement of the customer and not how we encrypt our data or SQL connections. Whoever has made up the requirements has hit on a buzzword or two to look good and has made it mandatory.

Thanks again everyone for the input.

Expert Comment

by:McKnife
I don't find this very satisfying. I hope you understood that providing the key to the server is the crucial point. If you use a key but don't separate it from the server but keep a disk (or virtual disk from a local datastore!) inserted, then you have no real protection.

It was not even discussed if the restart of machines has to run unattended or not - which is absolutely important for the decision on what to use and configure.
You should continue here.

Expert Comment

by:Rich Rumble
Check-boxes, all they are looking to do is check some boxes... I'm almost numb to it. Secure on paper is never the same thing as secure IRL.
-rich