In the article End-to-End Virtual Machine Backup I mentioned the new VMware Workstation 7.0 feature that is presented as creating an encrypted disk; in reality it encrypts the whole virtual machine, which implies encrypting the virtual disk as well. This one option in VMware Workstation is something that is needed within VMware vSphere as well as in the other hypervisors. Encrypting virtual disk data can add to the overall security stance, depending on the encryption technology employed and, just as much, on how the keys are handled. So what do we need from virtual disk encryption?
1. Good key handling that does not depend on anything within the virtual machine, with keys easily accessible via a directory service or some other PKI-style infrastructure.
2. Auditing of any attempt to read, write, or decrypt the disk while it is running within the virtual environment.
3. Key material that is only partially entered by a human being, hence the need for good key handling; perhaps use the UUID of the VM or some other identifier as part of the key material. This includes support for multi-factor authentication.
4. Key material that is not tied to any given virtualization host, to support agility to and from the cloud as well as between virtualization hosts.
5. Linked clones, snapshots, and similar technologies should be able to have their own encryption keys.
6. A limit on what data within the VM any given user can decrypt and use, based on roles and permissions.
The last item (6) is most likely out of scope, as it generally requires encryption within the VM rather than outside it, and encryption from outside the VM is what virtual machine encryption is really about at this time. Item 5 ends up being a key management issue: the linked clone is encrypted with one key while the parent disk uses an entirely different key, which leads back to item 1, good key handling, and to the need for item 3. Above all, auditing (item 2) is also required.
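To make items 1 through 5 concrete, here is an added example (my own sketch, not code from the article, from VMware, or from any of the products named below) of an envelope-encryption key service in Go. Each disk gets a random data-encryption key (DEK); the DEK is wrapped with a key-encryption key (KEK) derived from two factors, a share held by the key service and a passphrase entered by the operator, bound to the VM's UUID via HKDF-SHA256; a linked clone enrolled under its own UUID gets its own share and DEK; nothing host-specific enters the derivation, so the wrapped blob can follow the VM to any host that can reach the service; and every enrol and unwrap attempt, successful or not, is appended to an audit trail. The type and function names, the HKDF info string, the sample UUIDs and passphrase, and the choice to have the service perform the unwrap itself (in the style of a KMS "decrypt" call) are all assumptions for illustration. Item 6 is left out, for the reason given above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuditEntry records one attempt to obtain a VM's disk key (requirement 2).
type AuditEntry struct {
	VMUUID, Actor, Op string
	OK                bool
}

// WrappedKey sits beside the virtual disk: the DEK sealed under a KEK held by neither host nor guest (requirement 4).
type WrappedKey struct{ Nonce, Ciphertext []byte }

// KeyServer stands in for the directory/PKI-backed key service (requirement 1). Hypothetical design:
// it holds a per-VM share and does the unwrap itself, like a KMS "decrypt" call, so every attempt is auditable.
type KeyServer struct {
	shares map[string][]byte // VM UUID -> server-held share of the key material
	Audit  []AuditEntry
}

func NewKeyServer() *KeyServer { return &KeyServer{shares: map[string][]byte{}} }

func (ks *KeyServer) log(vm, actor, op string, ok bool) {
	ks.Audit = append(ks.Audit, AuditEntry{VMUUID: vm, Actor: actor, Op: op, OK: ok})
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: refuse to continue
	}
	return b
}

// kekAEAD derives the KEK from two factors (32-byte server share + operator passphrase) bound to the
// VM UUID (requirement 3) via HKDF-SHA256 (extract, then one expand block), and returns AES-256-GCM under it.
func kekAEAD(share []byte, passphrase, vmUUID string) cipher.AEAD {
	extract := hmac.New(sha256.New, []byte(vmUUID)) // HKDF salt = VM UUID
	extract.Write(share)
	extract.Write([]byte(passphrase))
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with the PRK
	expand.Write([]byte("vm-disk-kek\x01"))           // info || counter byte T(1)
	block, _ := aes.NewCipher(expand.Sum(nil))        // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                    // AES block is 128 bits: cannot fail
	return gcm
}

// Enroll registers a VM and returns its wrapped DEK; a linked clone enrolled under its own UUID gets its own share and DEK (requirement 5).
func (ks *KeyServer) Enroll(vmUUID, passphrase string) (WrappedKey, error) {
	if _, dup := ks.shares[vmUUID]; dup {
		ks.log(vmUUID, "provisioning", "enroll", false)
		return WrappedKey{}, errors.New("vm already enrolled")
	}
	share, dek := randBytes(32), randBytes(32)
	gcm := kekAEAD(share, passphrase, vmUUID)
	nonce := randBytes(gcm.NonceSize())
	ks.shares[vmUUID] = share
	ks.log(vmUUID, "provisioning", "enroll", true)
	// The VM UUID is also authenticated data, so a blob cannot be re-labelled for another VM.
	return WrappedKey{nonce, gcm.Seal(nil, nonce, dek, []byte(vmUUID))}, nil
}

// Unwrap releases the DEK only if both factors match and the blob belongs to this VM. Nothing about the
// requesting host enters the computation, so any host that can reach the key service can open the VM.
func (ks *KeyServer) Unwrap(vmUUID, actor, passphrase string, w WrappedKey) ([]byte, error) {
	// Unknown UUID -> nil share -> a KEK that opens nothing: refused and audited like any other bad attempt.
	gcm := kekAEAD(ks.shares[vmUUID], passphrase, vmUUID)
	dek, err := []byte(nil), errors.New("malformed key blob")
	if len(w.Nonce) == gcm.NonceSize() {
		dek, err = gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(vmUUID))
	}
	ks.log(vmUUID, actor, "unwrap", err == nil)
	if err != nil {
		return nil, errors.New("unwrap refused: wrong passphrase, wrong vm, or tampered blob")
	}
	return dek, nil
}

func main() {
	ks := NewKeyServer()
	parent, _ := ks.Enroll("vm-parent-0001", "operator passphrase") // constructed sample UUIDs
	ks.Enroll("vm-clone-0001", "operator passphrase")
	_, err := ks.Unwrap("vm-parent-0001", "alice", "operator passphrase", parent)
	fmt.Println("parent, right factors:", err)
	_, err = ks.Unwrap("vm-parent-0001", "mallory", "guess", parent)
	fmt.Println("parent, wrong passphrase:", err)
	_, err = ks.Unwrap("vm-clone-0001", "alice", "operator passphrase", parent)
	fmt.Println("parent blob under clone key:", err)
	fmt.Printf("%+v\n", ks.Audit)
}
```

Two design points worth noting. GCM is used here only to wrap the 32-byte DEK, where a fresh random nonce per wrap is safe; the sector data itself would be encrypted under the DEK with a disk mode such as XTS, not with GCM. And because the service never learns anything about the requesting hypervisor, moving the VM and its wrapped blob to another host changes nothing in the unwrap path; what you give up, compared with sealing the key in a host's TPM, is any assurance about the state of that host, which is exactly the trade-off the rest of this article discusses.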
There are currently several technologies that can be used within any hypervisor to encrypt a virtual disk, but they all work from within the VM, not from outside it:
- BitLocker, which comes with several versions of Microsoft Windows.
- TrueCrypt, which is available for Microsoft Windows, Apple Mac OS X, and Linux.
- PGP Whole Disk Encryption, for Microsoft Windows and Apple Mac OS X.
Of these, TrueCrypt is the closest to what VMware Workstation 7 offers, if you are using Microsoft Windows, as it supports a pre-boot authentication mechanism before the disk is decrypted. BitLocker ties into a Trusted Platform Module (TPM). It requires a small unencrypted system partition to hold the boot loader (the operating system volume itself is encrypted), and the TPM releases the volume key only if the measured boot components have not changed since the key was sealed; if they have, the system does not boot normally and falls back to a recovery key. A TPM is not required for BitLocker, but it is one of the better sources of key material available.
Using a TPM to hold the encryption key material is one method, but a physical TPM binds the key to a single host, so to support agility and the dynamic movement of virtual machines it should not be the method used for virtual machines: for hypervisors yes, for VMs no, at least not until TPM supports this form of agility. So other authentication factors will need to be supported.
VMware’s solution is one approach to this problem and handles everything outside of the VM, so which guest operating system is in use is not an issue. However, I believe it needs to be improved for use within the data center. Improvements to include multi-factor authentication, good key handling, and the other items previously mentioned will be a necessity.
If you need disk encryption within your virtual environment now, TrueCrypt appears to provide some of the better functionality, but remember that disk encryption will tax your virtual environment by increasing the CPU requirements of each VM and possibly its disk I/O. Once you start using disk encryption, run some tests and then plan your capacity appropriately.