In this post, I’ll explain a new feature in Windows Server 2016 Hyper-V, called Key Storage Drive.
WS2016 Hyper-V is, in my opinion, the most secure hypervisor ever. Microsoft included many features to ensure trust in the host, to protect the host from guests, and to protect guests from rogue administrators. Some of these features are as follows:
However, all of the above requires that you have deployed Generation 2 virtual machines. This is fine for new systems on modern OSs, but what about all of those legacy systems that are out there or those installations that require guest OSs that do not support UEFI?
Generation 1 virtual machines do not support vTPM, but Microsoft engineered a solution for these virtual machines. A special file, known as a Key Storage Drive, is attached to the IDE controller of the virtual machine. This file will be used instead of a vTPM to store the BitLocker secrets. The drive is created, prepared in the guest OS, and then the guest OS administrator can enable/deploy BitLocker.
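The host-side part of that workflow, as an added example that is not from the original post: it assumes the Windows Server 2016 Hyper-V and HgsClient PowerShell modules, a host without an HGS (so a local "untrusted" guardian is used), and a Generation 1 VM named 'LegacyVM' (a placeholder name).

```powershell
# Added example (not the post's own code). Assumes the Hyper-V and HgsClient
# modules on a Windows Server 2016 host and a Generation 1 VM named 'LegacyVM'
# (placeholder name). Run on the Hyper-V host as an administrator.
$vmName = 'LegacyVM'
$vm = Get-VM -Name $vmName

# Key Storage Drive is a Generation 1 feature; Generation 2 VMs get a vTPM instead.
if ($vm.Generation -ne 1) {
    throw "$vmName is Generation $($vm.Generation); use Enable-VMTPM instead."
}

# Security settings can only be changed while the VM is powered off.
if ($vm.State -ne 'Off') { Stop-VM -Name $vmName -Force }

# 1. A local guardian holds the certificates that wrap the VM's key protector
#    when no Host Guardian Service is available (hence -AllowUntrustedRoot below).
$guardian = Get-HgsGuardian -Name 'UntrustedGuardian' -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name 'UntrustedGuardian' -GenerateCertificates
}

# 2. Create a key protector owned by that guardian and apply it to the VM.
$kp = New-HgsKeyProtector -Owner $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData

# 3. Attach the Key Storage Drive; Hyper-V places it on the VM's IDE controller.
Add-VMKeyStorageDrive -VMName $vmName

# 4. Verify: KsdEnabled should now be True for this VM (TpmEnabled stays False).
Get-VMSecurity -VMName $vmName | Select-Object VMName, KsdEnabled, TpmEnabled, Shielded

Start-VM -Name $vmName
```

Inside the guest, the new small disk is then initialized and formatted like any other data disk, after which the guest administrator enables BitLocker on the OS volume using that drive as the startup key location.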
It is important to note that Key Storage Drive cannot offer you the same levels of protection as vTPM and cannot provide the isolation and host assurance that is made possible by shielded virtual machines. But what you do get, as a guest OS administrator, is the ability to encrypt your virtual machines’ disks so that no one can mount them and peek at your data.
The feature is simple to use: