VDI Security - Using Encryption to Protect Virtual Machine Resources

Windows BitLocker Drive Encryption (BitLocker) is a data protection feature included with Windows Server 2008. BitLocker is an operating system–based software capability that works with features in server hardware and firmware to provide secure operating system boot and disk drive encryption, protecting both operating system integrity and the data stored on the volume. Because the protection is applied to the disk volume itself, it remains in force while the server is powered off or otherwise not running: data stays protected if a disk is stolen and mounted on another machine to be mined, if the server is booted from a different operating system, or if an attacker reads the disk with a recovery or forensic tool that bypasses Windows access controls.

Important Use BitLocker Drive Encryption in the Hyper-V management operating system only. Do not run BitLocker Drive Encryption within a virtual machine. BitLocker Drive Encryption is not supported within virtual machines.

BitLocker helps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures:

· Encrypting the entire Windows operating system volume and other data volumes.

· Verifying the integrity of early boot components and boot configuration data.

In addition to protecting business-critical information and databases as well as other incidental data that is created during business transactions, BitLocker can protect virtual machine configurations, their VHDs, and the snapshot and saved-state files that Hyper-V writes alongside them. Any configurations and VHDs that are created and stored on a BitLocker–encrypted physical disk volume receive BitLocker protection, regardless of the operating systems that run on those virtual machines. This capability means that non-Windows and legacy Microsoft operating systems benefit from the same BitLocker protection when they run as guest operating systems of Windows Server 2008 Hyper-V.

Before you attempt to configure BitLocker and Hyper-V on the same server, however, there are a few issues you should consider. BitLocker is designed to work with a Trusted Platform Module (TPM), a hardware device that can store and process cryptographic keys to provide enhanced security through pre-startup system integrity verification. Hyper-V does not provide virtual machines with access to the TPM, so you cannot use BitLocker with TPM to encrypt virtual machines independently. However, you can use BitLocker with TPM from a physical Hyper-V computer’s management operating system to encrypt an entire physical drive connected to the Hyper-V computer, including the VHD files and other configuration files used by virtual machines. This method provides all of the virtual machines on the encrypted disk with the same level of protection. It does not, however, isolate the virtual machines and their resource files from one another or from the management operating system: the volume is transparently decrypted once the host has booted, so any process or administrator with access to the running management operating system can read every VHD on it. BitLocker on the host therefore counters offline and physical attacks on the disks, not a compromised or malicious management operating system.

Note Although using Hyper-V in a clustered environment is outside the scope of this guide, it is worthwhile to point out that BitLocker does not work with Windows Failover Clustering. For information on using Hyper-V and Failover Clustering see Hyper-V Step-by-Step Guide: Hyper-V and Failover Clustering on Microsoft TechNet.

For instructions about how to use BitLocker to encrypt Windows Server 2008 Hyper-V physical computers, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption on the Microsoft Download Center.

Important Do not use Encrypting File System (EFS) to encrypt folders in which virtual machine files are stored. Hyper-V does not support the use of storage media if EFS has been used to encrypt the VHD file. To encrypt virtual machine files, use BitLocker.
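The two checks that follow from the guidance above, as an added PowerShell example that is not part of the original guide: run from the Hyper-V management operating system, it walks every virtual machine on the host, finds the volume that holds each configuration, checkpoint, smart-paging and VHD path, confirms that the volume is fully encrypted with protection turned on (and whether a TPM key protector is bound to it), and flags any file or folder that carries the EFS Encrypted attribute. It assumes a host with the Hyper-V and BitLocker PowerShell modules (Windows Server 2012 or later); the function names Get-VolumeProtection and Test-EfsEncrypted are its own. On Windows Server 2008 the same information comes from the manage-bde status command and cipher /c, checked by hand.

```powershell
#Requires -Modules Hyper-V, BitLocker
# Added audit example (not from the original guide). Run from the Hyper-V
# management operating system as an administrator. Assumes a host that has the
# Hyper-V and BitLocker PowerShell modules (Windows Server 2012 or later).

# Report how the volume holding $Path is protected by BitLocker.
function Get-VolumeProtection {
    param([Parameter(Mandatory)][string]$Path)

    $root = [System.IO.Path]::GetPathRoot($Path)    # "D:\" for local, "\\server\share" for UNC
    if ($root -notmatch '^[A-Za-z]:\\$') {
        # SMB or other remote storage: this host cannot vouch for encryption at rest.
        return [pscustomobject]@{ Volume = $root; Protected = $false
                                  Status = 'remote storage; BitLocker status not verifiable from this host' }
    }
    $mount = $root.TrimEnd('\')
    try {
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Volume = $mount; Protected = $false
                                  Status = "no BitLocker information: $($_.Exception.Message)" }
    }
    # A volume counts as protected only when fully encrypted AND protection is on;
    # a suspended or still-encrypting volume exposes clear-text data.
    $tpmBound  = [bool]($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $protected = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        Volume    = $mount
        Protected = $protected
        Status    = "$($bl.VolumeStatus), protection $($bl.ProtectionStatus), TPM protector: $tpmBound"
    }
}

# True when a file or folder carries the EFS "Encrypted" attribute; $null if it does not exist.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

$findings = foreach ($vm in Get-VM) {
    # Everything Hyper-V writes for this VM: configuration, checkpoints, smart paging, VHDs
    $paths = @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath)
    $paths += @(Get-VMHardDiskDrive -VMName $vm.Name | ForEach-Object Path)

    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        $vol = Get-VolumeProtection -Path $p
        $efs = Test-EfsEncrypted -Path $p
        if (-not $vol.Protected) { $finding = 'NOT on a BitLocker-protected volume' }
        elseif ($efs)            { $finding = 'EFS-encrypted (unsupported by Hyper-V): decrypt with cipher /d' }
        else                     { $finding = 'OK' }
        [pscustomobject]@{
            VM = $vm.Name; Path = $p; Volume = $vol.Volume
            BitLocker = $vol.Status; EfsEncrypted = $efs; Finding = $finding
        }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit when anything needs attention, so the script can gate a change window
exit [int](@($findings | Where-Object Finding -ne 'OK').Count -gt 0)
```

A volume that reports EncryptionInProgress, or protection Off because BitLocker was suspended (for example around a firmware update), is reported as unprotected on purpose: until encryption completes and protection is back on, the VHDs on it are readable in clear text. Paths on SMB shares are reported separately because the management operating system cannot see how the file server protects them.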