How Can I Encrypt Generation 1 Hyper-V VMs?
In this post, I’ll explain a new feature in Windows Server 2016 Hyper-V, called Key Storage Drive.
WS2016 Hyper-V is, in my opinion, the most secure hypervisor ever. Microsoft included many features to ensure trust in the host, to protect the host from guests, and to protect guests from rogue administrators. Some of these features are:
- Shielded virtual machines: A system where the host management OS and hypervisor are validated by an independent hardware-based infrastructure. This solution also provides layers of insulation between the run-time guest OS and the host, therefore protecting against console access, data transfer, and so on.
- Virtual TPM (vTPM): Generation 2 virtual machines have support for a vTPM chip. This allows guest OS administrators to enable BitLocker and protect themselves against rogue administrators who copy and mount the VHD/X files.
However, all of the above require that you have deployed Generation 2 virtual machines. This is fine for new systems on modern OSs, but what about all of those legacy systems that are out there, or those installations that require guest OSs that do not support UEFI?
Key Storage Drive
Generation 1 virtual machines do not support vTPM, but Microsoft engineered a solution for these virtual machines. A special file, known as a Key Storage Drive, is attached to the IDE controller of the virtual machine. This file will be used instead of a vTPM to store the BitLocker secrets. The drive is created, prepared in the guest OS, and then the guest OS administrator can enable/deploy BitLocker.
It is important to note that Key Storage Drive cannot offer you the same levels of protection as vTPM and cannot provide the isolation and host assurance that is made possible by shielded virtual machines. But what you do get, as a guest OS administrator, is the ability to encrypt your virtual machines’ disks so that no one can mount them and peek at your data.
Using Key Storage Drive
The feature is simple to use:
- Edit the settings of your Generation 1 virtual machine.
- Browse to Security and click Add Key Storage Drive.
- You can view the new Key Storage Drive by browsing to IDE Controller 0, where the new security device is added at target 1 (target 0 is the OS disk).
- Now you should log into the virtual machine to configure BitLocker, which I will cover in another post.
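The same steps can be scripted from the host with the Hyper-V and HgsClient PowerShell modules. This is an added example, not code from the post: it assumes a Generation 1 VM named 'LegacyApp01' and a host that is not part of an HGS fabric, so it creates a local guardian and key protector (which Hyper-V Manager does silently when you click Add Key Storage Drive) before attaching the drive at the location the post describes.

```powershell
# Added example (not from the original post). Assumed names: 'LegacyApp01' and 'LocalGuardian'.
$VMName = 'LegacyApp01'

$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 1) {
    throw "Key Storage Drive is for Generation 1 VMs; '$VMName' is Generation $($vm.Generation). Use a vTPM instead."
}
if ($vm.State -ne 'Off') {
    throw "Shut down '$VMName' before adding a Key Storage Drive."
}

# On a host without HGS, a local guardian is the only option. Its certificates live in the
# host's certificate store, so anyone who can export them from the host can unlock the drive.
$guardian = Get-HgsGuardian -Name 'LocalGuardian' -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name 'LocalGuardian' -GenerateCertificates
}

# Build a key protector owned by that guardian and set it on the VM.
# -AllowUntrustedRoot is required because the local guardian's certificates are self-signed.
$kp = New-HgsKeyProtector -Owner $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

# Attach the Key Storage Drive where the GUI places it: IDE controller 0, location 1
# (location 0 is the OS disk).
Add-VMKeyStorageDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1

# Verify the placement before handing the VM back to the guest administrator.
Get-VMKeyStorageDrive -VMName $VMName |
    Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation
```

Once the drive is attached, the remaining work (preparing the drive and turning on BitLocker) happens inside the guest OS.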