Windows / Virtual Machine Encryption Options

We have a number of Windows Server (2008 R2 upwards) which store sensitive, shared data and we are looking to encrypt it. The Windows servers are currently running as VMware virtual machines all of which reside on a SAN.

I initially thought the simplest solution would be to enable BitLocker to encrypt the entire disk, but apparently there is an issue using BitLocker with virtual machines (due to limitations of TPM/BIOS) - is this accurate?

If BitLocker can't be used, what are the alternatives? As the data on the server is shared by many people in the business, I didn't think EFS could be used as that's encrypted using a particular persons account?
Hypervizor Asked:
Ajay Chanana (MCSE-2003/08 | RHCSA | VCP5/6 | vExpert 2018) Commented:
Other than encrypting data, with vSphere 6.5 you can encrypt the VM as well. Please consider the option below as well.

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsphere/vmw-wp-vsphere-virtual-machin-encryp.pdf
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Do you want to encrypt at a per-user level?
0
 
McKnife Commented:
Your approach needs to be questioned. What are you looking at, a SAN that is not safe, that is in a room accessed by unauthorized persons?

There are several ways to solve that with bitlocker, even without a TPM, that I have done before.
1
 
Chirag Nagrekar, System Analyst, Commented:
This link shows you how to enable Bitlocker on VM without TPM.

http://www.networknet.nl/apps/wp/archives/395
1
 
Hypervizor (Author) Commented:
@Andrew - we just want all data encrypted but not locked to a particular user. Essentially, we need to be encrypting whilst it's at rest.

@Chirag - thanks, I'll check out the link.

@McKnife - just protection of business-sensitive data when it's at rest. We already have physical access controls, so just looking to encrypt data at rest.
0
 
McKnife Commented:
"We already have physical access controls, so just looking to encrypt data at rest" - I do not understand why you would worry about data at rest if physical access is not possible, since it is controlled?

Anyway, Andrew has linked the same way I would suggest (networknet.nl). I'd like to point out that the floppy file should not be placed on the host, but on a networked share of a different secured computer - that's the trick. When the host machine is stolen, that network path won't be accessible and thus the virtual machine remains inaccessible due to encryption.
0
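The guest-based approach McKnife describes above (BitLocker with a startup key on a virtual floppy instead of a TPM) can be scripted from inside the guest. The following is an added example written for this page; it is not code from the thread, from the networknet.nl article or from Microsoft. It assumes the VM already has a virtual floppy attached as A: whose .flp image is stored on a share on a separate secured host, that C: is the OS volume, and that it runs elevated on Server 2008 R2 or later. The policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the local equivalent of the "Allow BitLocker without a compatible TPM" Group Policy setting; in production you would set that through GPO rather than in a script.

```powershell
# Added example, not from the thread or the linked article.
# Assumptions: A:\ is the attached virtual floppy (image kept on another secured host),
# C: is the OS volume, script runs elevated on Windows Server 2008 R2 or later.
$ErrorActionPreference = 'Stop'
$OsVolume        = 'C:'
$StartupKeyDrive = 'A:\'

# 1. BitLocker is an optional feature on Server; make sure it is installed.
Import-Module ServerManager
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Add-WindowsFeature BitLocker | Out-Null   # a reboot is required after this
}

# 2. Local equivalent of the GPO "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked. Without it,
#    manage-bde refuses to enable BitLocker on a VM that has no TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 3. The startup key has to be written somewhere: fail early if the floppy is missing.
if (-not (Test-Path $StartupKeyDrive)) {
    throw "Startup key drive $StartupKeyDrive is not attached to this VM"
}

# 4. Enable BitLocker with a startup key (.BEK written to the floppy) and a
#    numerical recovery password. manage-bde prints the 48-digit password, so
#    capture its output and pull the password out for escrow.
$output = & manage-bde -on $OsVolume -StartupKey $StartupKeyDrive -RecoveryPassword 2>&1
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed:`n$($output -join "`n")" }
$recovery = [regex]::Match(($output -join "`n"), '\d{6}(-\d{6}){7}').Value

# 5. Verify the key file actually landed on the floppy before relying on it.
$bek = Get-ChildItem -Path $StartupKeyDrive -Filter '*.BEK'
if (-not $bek) { throw "No .BEK startup key found on $StartupKeyDrive" }

Write-Host "Startup key file: $($bek.FullName)"
Write-Host "Recovery password (escrow this in AD or a password safe, never on the host): $recovery"

# 6. Encryption starts after the next reboot; this shows the current protector set and state.
& manage-bde -status $OsVolume
```

After the reboot the guest will only boot while A:\ (and therefore the share holding the floppy image) is reachable, which is the property McKnife relies on: a host taken out of the building cannot reach the share and the volume stays locked. The recovery password is the fallback if the floppy image is ever lost, so it must be stored somewhere the VM host cannot reach.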
 
Hypervizor (Author) Commented:
Just because you have physical controls, it doesn't mean to say those controls cannot be breached.

Therefore, we want data encrypted in the instance where if they were breached, there is another layer of protection against access to sensitive information.
0
 
McKnife Commented:
Understood.
If the datastore offers no encryption, then the encryption will need to be guest based, as outlined in the link.
0
 
Hypervizor (Author) Commented:
Great, thanks for the input.
0
 
Bryant Schaper Commented:
Maybe I missed it, but does the SAN offer encryption, or maybe as an add-on license?
0
 
McKnife Commented:
Could be, but ask yourself: who would enter the encryption key? Most SANs will not offer keyfiles (the virtual floppy image serves as a keyfile) as in the method described. So even if your SAN did, you would always have to be present whenever it reboots to enter the encryption key; otherwise the virtual machines would not be able to even start.
0
 
Bryant Schaper Commented:
I use the EMC, which can use an external key server.
0
Question has a verified solution.