Windows / Virtual Machine Encryption Options

We have a number of Windows Servers (2008 R2 upwards) which store sensitive, shared data, and we are looking to encrypt it. The Windows servers are currently running as VMware virtual machines, all of which reside on a SAN.

I initially thought the simplest solution would be to enable BitLocker to encrypt the entire disk, but apparently there is an issue using BitLocker with virtual machines (due to limitations of TPM/BIOS) - is this accurate?

If BitLocker can't be used, what are the alternatives? As the data on the server is shared by many people in the business, I didn't think EFS could be used, as that's encrypted using a particular person's account?
Hypervizor Asked:
Andrew Hancock (VMware vExpert / EE MVE^2) VMware and Virtualization Consultant Commented:
Do you want to encrypt at a per-user level?
0
McKnife Commented:
Your approach needs to be questioned. What are you looking at, a SAN that is not safe, that is in a room accessed by unauthorized persons?

There are several ways to solve that with BitLocker, even without a TPM, that I have done before.
1
Chirag Nagrekar System Analyst Commented:
This link shows you how to enable BitLocker on a VM without a TPM.

http://www.networknet.nl/apps/wp/archives/395
1

Hypervizor (Author) Commented:
@Andrew - we just want all data encrypted but not locked to a particular user. Essentially, we need to be encrypting whilst it's at rest.

@Chirag - thanks, I'll check out the link.

@McKnife - just protection of business-sensitive data when it's at rest. We already have physical access controls, so just looking to encrypt data at rest.
0
Ajay Chanana MCSE-2003/08 | RHCSA | VCP5/6 | vExpert2018 Commented:
Other than encrypting data within the guest, with vSphere 6.5 you can encrypt the VM as well. Please consider the below option as well.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsphere/vmw-wp-vsphere-virtual-machin-encryp.pdf
0
McKnife Commented:
"We already have physical access controls, so just looking to encrypt data at rest" - I do not understand why you would worry about data at rest if physical access is not possible since it is controlled?

Anyway, Andrew has linked the same way I would suggest (networknet.nl). I'd like to point out that the floppy file should not be placed on the host, but on a networked share of a different secured computer - that's the trick. When the host machine is stolen, that network path won't be accessible and thus the virtual machine remains inaccessible due to encryption.
0
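As an added example that is not part of this thread or the linked article, the following PowerShell script, run inside the guest, sets the local policy that allows BitLocker without a TPM, checks that the virtual floppy (A:) is attached, enables BitLocker on C: with a startup key written to that floppy plus a recovery password, and verifies the protectors afterwards. The UNC path for the recovery output is a placeholder; the floppy image itself is assumed to be backed, as suggested above, by a share on a separate secured machine rather than by the host datastore.

```powershell
# Added example (not from the thread): BitLocker on a TPM-less Windows Server guest
# using a startup key on a virtual floppy (A:) and a recovery password.
# Run as Administrator with the BitLocker feature installed.
$Volume          = 'C:'
$StartupKeyDrive = 'A:\'
$RecoveryOut     = '\\KEYSTORE-PLACEHOLDER\bitlocker\recovery.txt'  # placeholder, keep off-box

# 1. Local equivalent of the policy "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" (values under the FVE policy key).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 2. The startup-key medium must be present; without it the .bek file cannot be
#    written and the guest would not boot once the volume is encrypted.
if (-not (Test-Path $StartupKeyDrive)) {
    throw "Startup key drive $StartupKeyDrive is not attached; aborting."
}

# 3. Enable BitLocker with a startup key (written to A:\ as a hidden .bek file) and a
#    recovery password. manage-bde ships with Server 2008 R2 and later.
manage-bde -on $Volume -StartupKey $StartupKeyDrive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. Record the protector IDs and recovery password away from the protected host.
$protectors = manage-bde -protectors -get $Volume
$protectors | Out-File -FilePath $RecoveryOut -Encoding ASCII

# 5. Verify: a startup-key ("External Key") protector exists and the .bek file is on A:.
if (($protectors -join "`n") -notmatch 'External Key') {
    throw "No startup-key protector found on $Volume"
}
if (-not (Get-ChildItem -Path $StartupKeyDrive -Filter '*.bek' -Force)) {
    throw "No .bek file found on $StartupKeyDrive"
}
manage-bde -status $Volume
```

Encryption begins after the next reboot, at which point the guest only starts if the floppy image is reachable; if the image lives on the host datastore, a stolen host still boots the VM and the key adds nothing.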
Hypervizor (Author) Commented:
Just because you have physical controls, it doesn't mean to say those controls cannot be breached.

Therefore, we want data encrypted in the instance where if they were breached, there is another layer of protection against access to sensitive information.
0
McKnife Commented:
Understood.
If the datastore offers no encryption, then the encryption will need to be guest-based, as outlined in the link.
0
Hypervizor (Author) Commented:
Great, thanks for the input.
0
Bryant Schaper Commented:
Maybe I missed it, but does the SAN offer encryption, or maybe as an add-on license?
0
McKnife Commented:
Could be, but ask yourself: who would enter the encryption key? Most SANs will not offer keyfiles (the virtual floppy image serves as a keyfile) as in the method described. So even if your SAN did, you would always have to be present whenever it reboots to enter the encryption key; otherwise the virtual machines would not be able to even start.
0
Bryant Schaper Commented:
I use the EMC, which can use an external key server.
0