
Hi, we're devs playing around with ESXi on some old R710s. For our dev environment it will be fine. The R710s have a TPM. I tried encrypting the VM with BitLocker but it couldn't see the TPM. I assume ESXi can't see it. I was thinking of perhaps VeraCrypt. Our main requirements are:

  • Encrypted Windows machines (although we could also be using Linux).
  • My primary concern is ensuring if disks are disposed of, perhaps accidentally, nothing will be on them.
  • Typing in password at boot-up isn't an issue for us as it's a dev environment.

So my questions are:

  • Am I right in assuming ESXi can't see the TPM?
  • Is VeraCrypt viable in a VM? I'm new to using it in a virtual environment so I'm unsure of potential issues in the longer term. I'm going to try it tonight on a test VM.
  • It's ESXi v6.5 so there is some encryption support, but we are currently using the free version and the tutorials looked fairly complicated and aimed at a more professional environment.

Any alternative suggestions are welcome. Cheers, Chris.

  • Why do you need to encrypt the VMs?
    – ewwhite
    Feb 28, 2017 at 19:00
  • You can use BitLocker in the guest virtual machines without a TPM by following this procedure - howtogeek.com/howto/6229/…
    – joeqwerty
    Feb 28, 2017 at 19:01
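The "BitLocker without a TPM" route joeqwerty refers to, written out as an added PowerShell example (this is not code from the question, the answers or the linked article). It assumes a Windows 10 / Server 2016 guest with the BitLocker feature installed, an elevated session inside the guest, and C: as the OS volume; the policy registry values and cmdlets are the standard ones, but nothing here has been taken from the page itself.

```powershell
# Added example: protect a Windows guest's OS volume with BitLocker when the
# hypervisor exposes no TPM, using a startup password instead of a TPM protector.
# Run elevated inside the guest. Assumption: the OS volume is C:.

# 1. Local-policy equivalent of "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 2. Confirm what the question observed: no usable TPM inside the guest.
$tpm = Get-Tpm
if ($tpm.TpmPresent) {
    Write-Warning 'A TPM is visible to this guest; a TPM protector may be preferable.'
}

# 3. Encrypt the whole volume (not just used space, so previously written
#    sectors are covered too) with a startup password that is prompted for at
#    every boot. -SkipHardwareTest avoids the pre-encryption reboot check.
$pw = Read-Host -Prompt 'Startup password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -SkipHardwareTest

# 4. Add a recovery password and display it once so it can be stored
#    somewhere outside the VM (losing both protectors loses the disk).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 5. Check progress; ProtectionStatus becomes On once encryption completes.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The startup-password protector is what makes this work without a TPM: the key is derived from the password at boot rather than sealed to hardware, which is also why the password prompt at every reboot is unavoidable, exactly the trade-off the question says is acceptable for a dev environment. Full-volume encryption rather than used-space-only is chosen because the stated goal is that a disposed disk carries nothing readable, including old data in sectors the guest no longer uses.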

2 Answers


If you're on 6.5, why not just use the native vSphere VM Encryption?

https://blogs.vmware.com/vsphere/2016/10/whats-new-in-vsphere-6-5-security.html

Encryption of virtual machines is something that’s been on-going for years. But, in case you hadn’t noticed, it just hasn’t “taken off” because every solution has a negative operational impact. With vSphere 6.5 we are addressing that head on.

Encryption will be done in the hypervisor, "beneath" the virtual machine. As I/O comes out of the virtual disk controller in the VM it is immediately encrypted by a module in the kernel before being sent to the kernel storage layer. Both VM Home files (VMX, snapshot, etc.) and VMDK files are encrypted.

  • What I've read seemed to involve setting up a vCenter server to manage the keys and so on. This seems quite complicated - remember we're devs and a bit new to this! And it seems to mean the server can't be encrypted, which may be fine in an enterprise environment but might be a little beyond us. Perhaps it's simpler than it looks. I was looking at this guy who seems quite good: vladan.fr/vmware-vsphere-6-5-vm-encryption-details
    Feb 28, 2017 at 18:44
  • Actually just looked at this youtube.com/watch?v=L_OvS0YXPiY but I'm not sure if we can do this with a single ESXi box. I'll try tomorrow and post if I have any luck.
    Feb 28, 2017 at 18:49
  • I guess I didn't even know 6.5 had encryption.
    – ewwhite
    Feb 28, 2017 at 19:00
  • 6.5 has an encryption function. There are questions over how well this encryption works. AFAIK this procedure hits IOPS hard.
    – Net Runner
    Feb 28, 2017 at 19:28
  • Because it requires a key management appliance which would cost far more than OP's host. And the only FOSS solution (PyKMIP) doesn't support persistent key storage, so you lose them all if you restart the process.
    – Muh Fugen
    Aug 13, 2017 at 10:44

Of the main options, we went for VeraCrypt:

  • Relying on keeping a key on a USB stick, whether physical or some kind of virtual thing, seemed to defeat the idea of encrypting. What if the USB stick gets stolen, etc.?
  • ESXi native encryption needs a server to hold the keys - see this post https://www.youtube.com/watch?v=5-1ejlPGEcU, which seemed a little beyond us devs!
  • VeraCrypt is simple and just requires someone to enter the password on boot. For our scenario, which is hosting UAT servers etc. to support our local development, this was an acceptable compromise. Unattended reboot, in our case, wasn't an issue.
