Virtual Machine Encryption Basics



Similar documents
Integration with Active Directory

Running VirtualCenter in a Virtual Machine

Improving Scalability for Citrix Presentation Server

Managing Remote Access

Upgrading Horizon Workspace

Using esxtop to Troubleshoot Performance Problems

Configuring Multiple ACE Management Servers VMware ACE 2.0

Using VMware ESX Server With Hitachi Data Systems NSC or USP Storage ESX Server 3.0.2

VMware Virtual Desktop Manager User Authentication Guide

Configuration Maximums VMware Infrastructure 3

Performance Characteristics of VMFS and RDM VMware ESX Server 3.0.1

Ready Time Observations

ACE Management Server Deployment Guide VMware ACE 2.0

SAN Conceptual and Design Basics

What s New in VMware Data Recovery 2.0 TECHNICAL MARKETING DOCUMENTATION

Reconfiguration of VMware vcenter Update Manager

Remote Printing VMware ACE 2

Using Raw Device Mapping

W H I T E P A P E R. Optimized Backup and Recovery for VMware Infrastructure with EMC Avamar

VirtualCenter Database Maintenance VirtualCenter 2.0.x and Microsoft SQL Server

Using AnywhereUSB to Connect USB Devices

VMware Consolidated Backup

VMware Virtual Machine Importer User s Manual

Converting a Parallels Virtual Machine to Run in VMware Fusion VMware Fusion 1.0

Migrating a Windows PC to Run in VMware Fusion VMware Fusion 2.0

Using VMware ESX Server with IBM System Storage SAN Volume Controller ESX Server 3.0.2

Getting Started with VMware Fusion

Ethernet-based Storage Configuration

HIPAA/HITECH Compliance Using VMware vcloud Air

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

VirtualCenter Database Performance for Microsoft SQL Server 2005 VirtualCenter 2.5

Using VMware Player. VMware Player. What Is VMware Player?

Enabling NetFlow on Virtual Switches ESX Server 3.5

Guest Operating System. Installation Guide

Table of Contents Introduction and System Requirements 9 Installing VMware Server 35

W H I T E P A P E R. Understanding VMware Consolidated Backup

VMware vcenter Configuration Manager and VMware vcenter Application Discovery Manager Integration Guide

VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.4.1

Reconfiguring VMware vsphere Update Manager

Active Directory Solution 1.0 Guide

vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3

Solution Brief Availability and Recovery Options: Microsoft Exchange Solutions on VMware

VMware Data Recovery. Administrator's Guide EN

What s New in VMware vcenter 5.0

SmoothWall Virtual Appliance

ThinPrint GPO Configuration for Location-Based Printing

W H I T E P A P E R. VMware Software Lifecycle Automation Solutions

Getting Started with VMware Fusion. VMware Fusion for Mac OS X

VMware AlwaysOn Point of Care Desktop. with Indigo Identityware software for Fast Access & Strong Authentication with Roaming Desktops

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

Oracle Database Scalability in VMware ESX VMware ESX 3.5

VMware vcenter Configuration Manager SQL Migration Helper Tool User's Guide vcenter Configuration Manager 5.6

Installing and Configuring vcenter Multi-Hypervisor Manager

VMware vcenter Update Manager Administration Guide

IBM Client Security Solutions. Client Security User's Guide

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

W H I T E P A P E R. Reducing Server Total Cost of Ownership with VMware Virtualization Software

Obtaining SSL Certificates for VMware View Servers

VMware vcenter Support Assistant 5.1.1

WHITE PAPER. VMware Infrastructure 3 Pricing, Packaging and Licensing Overview

Reconfiguring VMware vsphere Update Manager

What s New in VMware vsphere 4.1 VMware vcenter. VMware vsphere 4.1

Symantec Backup Exec 11d for Windows Servers New Encryption Capabilities

Web Services for Management Perl Library VMware ESX Server 3.5, VMware ESX Server 3i version 3.5, and VMware VirtualCenter 2.5

Innovative Secure Boot System (SBS) with a smartcard.

Using the vcenter Orchestrator Plug-In for Microsoft Active Directory

Acronis Storage Gateway

VMware Horizon Mobile Secure Workplace User Installed Applications Support with Liquidware Labs HOW-TO GUIDE

Mobile App User's Guide

VMware vrealize Operations for Horizon Security

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Getting Started with Database Provisioning

Top 10 Reasons to Virtualize VMware Zimbra Collaboration Server with VMware vsphere. white PAPER

VMware ESX Server Q VLAN Solutions W H I T E P A P E R

VMware Auto Deploy GUI. VMware Auto Deploy Gui 5.0 Practical guide

Parallels Desktop 4 for Windows and Linux Read Me

Getting Started with ESXi Embedded

Obtaining SSL Certificates for VMware Horizon View Servers

IBM Security QRadar Version (MR1) Checking the Integrity of Event and Flow Logs Technical Note

VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.7

Cloud Director User's Guide

What s New with VMware vcloud Director 5.1

Installation and Configuration Guide

VMware vrealize Operations for Horizon Security

VMware vcenter Update Manager Administration Guide

Parallels Remote Application Server

WHITE PAPER. VMware vsphere 4 Pricing, Packaging and Licensing Overview

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014

Parallels Plesk Panel

VMware vsphere 4.1. Pricing, Packaging and Licensing Overview. E f f e c t i v e A u g u s t 1, W H I T E P A P E R

Transcription:

VMWARE TECHNICAL NOTE VMware ACE Virtual Machine Encryption Basics VMware ACE gives administrators the option of enhancing the security of virtual machines they distribute to end users by encrypting key data and configuration files. This technical note provides an introduction to the encryption used in VMware ACE. It covers the following topics: Setting Policies to Control Encryption on page 1 Understanding When Encryption Is Applied on page 2 Updating Encryption Policies on page 5 Setting Policies to Control Encryption Some files in a VMware ACE package are encrypted in all cases, whatever the policy settings may be. Other files are encrypted only if administrators make certain policy settings. To set policies that control encryption for a virtual machine, open the policy editor and, in the list of policies for that virtual machine, select Encryption and authentication. Two settings directly affect encryption. Encrypt data and configuration files when this virtual machine is installed To protect the contents of the virtual machine, you can specify that the package installer encrypts the virtual machine when it is installed. To do so, select Encrypt data and configuration files when this virtual machine is installed. Each installation of the virtual machine for example, on different end users computers is encrypted differently. You must specify an authentication method under Authentication if you want the installer to encrypt the virtual machines. Protect virtual machine configuration files from user tampering If you encrypt the virtual machine, its configuration files are automatically protected against viewing and tampering. Even if you do not encrypt the virtual machine, you may select Protect virtual machine configuration files from user tampering. In addition, the settings under Authentication affect the way encryption keys are generated and stored, as described in this technical note. 1

Understanding When Encryption Is Applied VMware ACE uses the Advanced Encryption Standard (AES) with 128-bit keys. VMware ACE derives password-based keys from the user s password using an industry-standard algorithm. It generates all other keys using random data provided by the Windows CryptoAPI using industry-standard algorithms. Administrators who want to specify an existing key for use as a recovery key may import that key using the policy editor. Encrypted file data is decrypted in memory only and only as it is needed. The three tables below provide details on which files are encrypted and when encryption is applied. Encryption in a Package Before Installation and how they are encrypted in transit, before the package is installed on the end user s computer. Encrypted: Encrypted when the package is created if the encryption policies for the virtual machine include Protect virtual machine configuration files from user tampering. machine configuration files from user tampering. Virtual disk data is not encrypted. Decrypted: Not decrypted in transit. The key is a symmetric key stored in the Decrypted: Not decrypted in transit. The key, called the auxiliary data key, is stored in the Note: If you need greater security for the package before it is installed on the end user s computer, you may want to use a third-party utility to encrypt the installation package. 2

Encryption in an Installed Package Before It Is Run for the First Time and how they are encrypted after the package is installed but before the user runs the installed package for the first time. end end end Encrypted: Remains encrypted if it was encrypted when the package was created that is, if the encryption policies for the virtual machine include Protect virtual machine configuration files from user tampering. Decrypted: Not decrypted before the user runs the virtual machine. The key, called the obfuscation key, is hidden on the end machine configuration files from user tampering. Both the virtual disk descriptor and virtual disk data are encrypted only if the encryption policy is set to Encrypt data and configuration files when this virtual machine is installed. The encryption of virtual disk data takes place at the time the package containing the virtual machine is installed on the end Decrypted: Not decrypted until the user runs the virtual machine. The key is a symmetric key stored in the The same key is used to encrypt both the disk descriptor and the disk data. Decrypted: Not decrypted until the user runs the virtual machine. The key, called the auxiliary data key, is stored in the Decrypted: Not decrypted before the user runs the package for the first time. The key, called the obfuscation key, is hidden on the end Encryption in an Installed Package After It Is Run for the First Time and how they are encrypted after the user runs the installed package for the first time. 3

Saved state files (.vmss) Log files (.log) Screen shot file (.png) Snapshot files (.vmsn) Lock files (.lck) Encrypted: Re-encrypted with an authentication key if an authentication method was specified. Decrypted: Depending on the authentication policies set for the virtual machine, the keys may be generated in one of three ways. For password authentication, the user specifies a password, the key is generated on the basis of the password. For Active Directory authentication, the key is generated using random data and stored in a per-user-account area of the Active Directory server. For authentication determined using a script, the script determines how the key is acquired. machine configuration files from user tampering. Both the virtual disk descriptor and virtual disk data are encrypted only if the encryption policy is set to Encrypt data and configuration files when this virtual machine is installed. Decrypted: Using a symmetric key stored in the The same key is used to encrypt both the disk descriptor and the disk data. Encrypted: Not encrypted. Decrypted: Not decrypted. Decrypted: Using a key called the auxiliary data key, which is hidden on the end Encrypted: If they exist, encrypted only if the encryption policies for the virtual machine include Protect virtual machine configuration files from user tampering. Encrypted: Not encrypted. Decrypted: Not decrypted. Note: No data is stored in these files. 4

Updating Encryption Policies If you want to change any encryption-related policies, you may do so by distributing an update package to your end users. Depending on the file concerned, the change is applied either at the time the update package is installed or the next time the user runs the affected application or virtual machine. VMware, Inc. 3145 Porter Drive Palo Alto, CA 94304 www.vmware.com Copyright 1998-2005 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156 and 6,795,966; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. All other marks and names mentioned herein may be trademarks of their respective companies. Revision 20051209 Item: ACE-ENG-Q404-165 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information