Do you need disk encryption for hosted VMs?

Nowadays disk encryption is a common practice with mobile personal devices, because it prevents unauthorized access to sensitive data when such a device is lost or stolen. I was also aware of the virtual machine encryption capabilities that are built into the VMware Personal Desktop products (Workstation and Fusion) although I never used them ..., but - until recently - I never thought about encrypting a VM that runs on a hosted hypervisor in a data center.

Then this happened:

A use case?

Our Microsoft Active Directory team faced the task to build a dedicated AD Recovery environment based on virtual servers (anyone still using physical server at all? ;-), and I was surprised to hear that they wanted to use Hyper-V for that. Why would they want to deviate from our company standard for server virtualization and not use VMware vSphere?

Well, they had some pretextual arguments based on the fact that they would prefer to stay with the one vendor that they know and did not really want someone else to manage the underlying virtualization infrastructure, but there was also one argument that made me thinking: They had the security requirement to encrypt the hard disks of every Domain Controller. For the production DCs that are still physical [sic] this is fine and they would use BitLocker (surprise!) there, but for virtual machines ...

This is unsupported

by Microsoft, at least for a VM's bootable drive, regardless of hypervisor choice, so even for their own Hyper-V! And if Microsoft does not support this then VMware won't either.

There is a good reason why this is unsupported: On physical machines BitLocker uses the TPM (Trusted Platform Module) - a secure cryptoprocessor that you find on any modern motherboard - to store the encryption keys. Virtual machines do not have TPM chips. Nevertheless you can use BitLocker inside VMs by reconfiguring it to store the keys on a floppy drive, an external USB drive or even another local hard disk. However, this is not only impractical with VMs, it also defeats the purpose of disk encryption, because you then store the unencrypted(!) encryption keys easily accessible on a device that is attached to the VM. That's like locking your house and hanging the key next to the front door.

The AD team knew about these restrictions and insisted on using Hyper-V anyway. Their idea was to still use BitLocker, but at the host level! With Hyper-V the virtualization host is a physical Windows machine, and that can use BitLocker to encrypt its hard disks - including the files that make up the virtual machines that it's running. For ESXi such a host level encryption is not available.

Host level vs. Guest level encryption

Although using the same tool (BitLocker) host level and guest level encryption are very different! And that brings us to some important questions that should always be asked when thinking about security measures: What type of attack scenarios do you want to mitigate, and how doable and likely are these?

To me it sounds very unlikely that physical disks are stolen from a secured enterprise data center, and if central SAN storage is used instead of local disks then the thieves will have a hard time identifying the right disks and putting them together in the right way. Anyway, both host and guest level encryption would secure the data in this case!

The more likely attack scenario is that either the host OS or the guest OS gets compromised over the network or through malware. If a host OS gets compromised in such a way and the attacker gains administrative access to the hypervisor then the host level encryption is useless, because legitimate file accesses from within the host OS are transparently encrypted and decrypted. Our AD team pointed out a scenario where a user with admin access to the hypervisor OS boots a VM with some offline disk imaging software and pulls an image off the guest to a remote location. When using host level encryption this VM image will be unencrypted!

Guest level encryption could mitigate this scenario, but - if the guest OS gets compromised - then it is also useless, because you can then (analogical to the host case) transparently decrypt a guest file by copying it from within the guest OS to a remote location.

The following table summarizes it:

protects from:
Encryption at:
Loss or theft
of physical disks
Host OS
compromise
Guest OS
compromise
Guest OS
x
x
-
Host OS (transparent for Guest)
x
-
-
Storage Array/Controller (transparent for Host and Guest)
x
-
-

As a third option the table also lists the option to encrypt disks at the Storage Array or Controller level. Yes, this is also possible (at least with the big vendors like EMC and NetApp), and it has the advantage that it is completely transparent for all machines attached to the central storage including hypervisors and the guests that they run. But on the other hand they also do not cover any network attacks and machine compromise scenarios.

So, guest level encryption looks like the most effective solution that we can have, but yet it is unsupported. Is there anything that can be done to make it supportable?

A call for a virtualized TPM

It's not only BitLocker that requires and uses a TPM to implement a supportable encryption, there are also many other commercial products that have this requirement (see Disk encryption in the Wikipedia TPM article). So how about providing a virtualized TPM (vTPM) to VMs?

I did a bit of research about that and found an interesting Usenix paper about this topic produced by some IBM people, and I also learnt that the Open Source Xen hypervisor actually already implements a vTPM. So, technically this should also be possible to implement in VMware vSphere, but it imposes some challenges: How do you manage and where do you securely store the keys of the vTPMs without affecting the advanced VM features like mobility (= live migration between different physical hosts)?

So far I'm not aware of any efforts to add a vTPM feature to VMware vSphere.

Do you care?

Do you have a use case for disk encryption on hosted VMs? I'd love to hear your comments and get some feedback, just to know if its supportability should be a concern or not. Please take the quick poll that you find in the right sidebar of this blog, and leave a comment here describing your use case. Thanks!

Update (2014-12-05):

The poll has ended, and here are the results:



This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.



2 comments:

  1. Hi this not have any solutions today. I search how encrypt disk for last 4 years, but not find any easy and secure solutions.
    Ideally is appliances which can communicate over vSafe and insert key or manage encrypted disk for VM.

    ReplyDelete
  2. It's now being done on MS Azure using a KeyVault to secure the encryption key.

    ReplyDelete

***** All comments will be moderated! *****
- Please post only comments or questions that are related to this post's contents!
- Advertising and link spamming will not be tolerated!