Hyper V Replication over WAN/VPN and then encrypted to not taken any data


is there any chance to protect a replicated hyper-v-machine so that nobody without a key/password/certificate... is able to start the replication-vm nor to open the virtual disc ?
We are thinking about to replicate our virtual server (host and vm are 2012 R2)  to another  location over WAN/VPN. But we are afraid that someone could take the data from the vortual disc stored at the destination or that some could start the vm at the destination. Is it possible to encrypt the whole vm so that only the owner of the key could make something with the replication-vm ?

Thanks for you ideas or hints

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
But we are afraid that someone could take the data from the virtual disc stored at the destination or that some could start the vm at the destination. If those are your concerns then don't put the data there.
Cliff GaliherCommented:
Not really. If you don't trust the location and access of the replicated server, you probably shouldn't be replicating to it. This really boils down to the 10 immutable laws of security, and laws 3 and 10 apply here.
David Johnson, CD, MVPOwnerCommented:
10 Immutable Laws of Security For those that don't know them
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

loosainAuthor Commented:
It´s not that i don´t trust the location. It´s about having an idea to rise the security. Having a high wall is good. having a higher wall is better...
Cliff GaliherCommented:
Thus my reference to law 10. That logic is rarely sound.
There's always a way.
Imagine you have a machine which is powered off, the virtual disk fully encrypted. Imagine it will need a key to start. The key will be simply a file that is reachable from location one, but not from location two. Bingo - location 2 will not be able to start the machine. But here we take for granted that
1 we may shutdown the machine before we replicate it and
2 the replication does not need to be continuous (but, instead, only regularly once a day, at night, for ex.)

In case we need to start the replica at loc. 2, of course that key file needs to be made accessible immediately.

Sounds like a plan?
Cliff GaliherCommented:
But therein is the inherent contradiction. If there is someone who can start the server to perform this theoretical "once a day" replication, that fundamentally means they still have access to the underlying virtual disk and could start the VM and thus no longer meets the requested goal. The two are diametrically opposed.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
BitLocker can be set up to encrypt the VM's partitions without a TPM present. That is one option to get whole disk encryption.

Caveat: Obviously, a known good and fully restored backup would need to be in place before encrypting that server's partitions. Otherwise done deal if something happens.
Cliff, if I got him right, the danger is at the target location, not at the source as well. So it's no problem what happens/is possible at the source.
Cliff GaliherCommented:
Doesn't change the fact that the destination server has to be up and running for replication to occur. And so by necessity and design the VM could be started and the replicated VHD can be read, even with bitlocker. The goals and situation are inherently in conflict. No technology solution can resolve that.
? No, we are talking about the guest machine. And that guest is off while it's being replicated in my plan. To start it, there's no key file present at location 2.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
loosainAuthor Commented:
I close this discussion.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.