All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
How secure is complete disk encryption on a VMware virtual pc, on a dedicated server?
I have some severs that only I have physical access to. One of the servers is using Vmware Workstation, and I have several virtual servers running on it.
On one of the virtual servers I have encrypted the entire disk. So I have to write the password in the VMware console when I start it.
I'm taking backups of the virtual computer from time to time. I then copy the whole VMware folder out (so I can use it on my second server if the first one has issues).
But how secure is this? If somebody got access to the VMware folder, can they get data from it? The virtual server do only have one disk, and it's completely encrypted.
On my server, I have several virtual servers on it, all servers is using their own SSD disk. ( 1 SSD disk = 1 VM).
Should I encrypt the entire SSD disk for maximum security, or is it overkill?
The drawback encrypting the entire SSD disk is a drop of disk speed of around 50%.
How do you secure your virtual servers on Vmware Workstation?
Comments
Is secure as long as the host does not want to read your files or is forced to do it. Since the host is you (nobody else has access) then you must only worry about internet access. You dont even need to encrypt the disk.
It's my home servers, so no host can read my files
A saved VM state that includes a RAM image would also contain the disk encryption keys and would be stored on the host's disk not the VM's.
Yes, and from what i remember, vmware is really insisting in saving ram from time to time... However, as I said, if only "the host" has access to them, he only needs to worry about internet security, encryption is not even needed.
Can somebody extract the keys from the disk then?
My concern is that I'm taking backup of my VMware folders (servers), and if somebody get access to my backups, can they then get access to my files on the encrypted virtual server?
I have no snapshots of any of the servers. When I take backup of the VMs, I turn them off, then copy the entire VMware folder to my backup server(s).
Yes, the keys can be extracted from a RAM image. Also disk encryption keys are not changed often so even an old RAM image could still be used to acquire the current key.
That is right but he asked about the disk, not the ram image. Since he backs up only the disk image and is afraid only for the backups, he can rest assured that wont happen.
Best method of data security: Composite explosives wired to a decoy keyboard.
If you have to enter the encryption key over unencrypted VNC or similar on boot then the whole thing is pointless..
Have direct access to the servers. No VNC.
I misread it then.
Note he isn't backing up the disks but the directories containing the VM's files which means any new/old/orphaned VM system images could be included or might have been included in the past. Any time one slips into the backup it takes with it a recoverable copy of the key.
Not if you are using vsphere and only on the local lan. But your point is well taken, many people encrypt their FS on our KVM and probably consider nobody can ever see what is there. That is only one way to attack, through capturing the VNC terminal, even if the connection is encrypted, at the node level is decrypted and you have the plain keystrokes and mouse movements if you wish.
You are right, I havent been dealing with vmware for some years, but iirc they were storing the ram snapshot int he same directory... So @myhken, make sure you do not backup anything else than the vm disk file, vmdk.
If you're taking a hot snapshot then the VM's RAM (including the encryption keys) is being saved to a file. If you don't want to backup your VM's RAM, I suggest powering off the VM before performing the backup. I do not recommend taking a hot snapshot then trying to restore without the RAM snapshot, VMware doesn't like it and the VM's OS will likely give you some trouble.
If you want to automate your backups, I use this with my ESXi hosts: https://communities.vmware.com/docs/DOC-8760 (it gives you the option to take cold backups so your RAM isn't saved)
As mention, I always turn the VM off before I take backup. (or i just copy the whole Vmware folder etc. //VM1 //VM2 etc).
The reason I do so, is 1. I can restore the complete VM on another server without any issues (used this way for years now). 2. If there is some issue with the VM, I just copy back the backup, and all is working again.
if there is a file with something like vram there (from a crash or whatever) you're in trouble.
Put your data in /dev/null and it mostly safe..
It is funny that you thought of that, I was searching for a way back in the time when i was using vmware to keep that file from writing with ram on disk so I set it to /dev/null somehow, dont remember exactly how, there were some configs in vmware, sent it to a fake device, mostly because i had slow disks.
If someone else gets 'psychial' access, they can read the keys from your mind.
A tin foil hat may help.
Of course it does, it is the antenna that amplifies the signal of his thoughts and helps your receiving end too.
Took your advice, and got some tin foil hats, like this:
And one for my cat...can't relay on it not giving up my secret key