Trust is the biggest blocker to cloud computing adaption. In Windows Server 2016, Microsoft did a lot of work around Hyper-V core platform to start providing these guarantees. Even if you trust or you don’t trust your fabric administrator, no one can access your data!
In Windows Server 2016 Hyper-V and in Windows 10, you can inject a virtual TPM (Trusted Platform Module) into a VM. Virtual TPM is a virtualized version of a Trusted Platform Module (TPM). In Windows Server 2016, with the Hyper-V role, you can provide a virtual TPM 2.0 device so that virtual machines can be encrypted using BitLocker, just as a physical TPM allows a physical machine to be encrypted. So you can now have a virtual machine running on someone’s else Hyper-V server or on someone’s else infrastructure and you can know that you are the only one who has access to that data.
Virtual TPM Overview and Requirements
The secret behind vTPM is what Microsoft calls Isolated User Mode (IUM). Take a look at Figure 1.
Figure 1. vTPM and Credential Guard both rely upon Isolated User Mode (Image Source – Microsoft)
Notice in Figure 1 that the Local Security Authority Subsystem Service (LSASS) process stores credentials in unprotected memory space. This, of course, opens the system to memory attacks and credential theft.
As long as you have Hyper-V running on your Windows Server 2016 servers and Windows 10, the operating system can store secrets in strongly-isolated memory space. Isolated User Mode (IUM) is the runtime environment that hosts security applications inside Virtualization-based Security (VBS) on the Hyper-V host. VBS is used to secure and protect the state of the virtual TPM chip.
What’s so cool about virtual Trusted Platform Module (vTPM) is that we can use TPM technology on our Hyper-V VMs even if the hardware host doesn’t have a physical TPM. Of course, the best-case scenario is that your Hyper-V hosts all have on-board physical TPMs.
Virtual TPM requires Generation 2 Hyper-V virtual machine running Windows Server 2012 R2, Windows Server 2016, or Linux that uses a variety of current-generation technologies, including virtualization based security (VBS) and BitLocker Drive Encryption, to protect its contents from fabric administrators.
Windows Server 2012 R2 supports Generation 2 VMs, so you can deploy Windows Server 2012 R2–based shielded virtual machines on Windows Server 2016 Hyper-V hosts.
Windows Server 2016 supports Linux-based Hyper-V shielded VMs as well. Linux supports TPM, UEFI, and Secure Boot, but not BitLocker Drive Encryption. As of this writing, Microsoft plans to employ the dm-crypt disk encryption subsystem to provide whole-disk encryption for Linux-based shielded VMs as well.
Enable Virtual TPM
If you are not using Guarded fabric and shielded VMs in your environment, then enabling Virtual TPM can be accomplished by using Enable-VMTPM and Disable-VMTPM PowerShell cmdlets without using HGS Key Protector, as shown in Figure 2.
Recall that a key protector defines on which guarded fabrics a shielded VM is allowed to run.
You can change the security settings when the VM is in Off state.
Figure 2. Enable vTPM using Windows PowerShell
Or you can now toggle vTPM support in the Settings page of the VM in Hyper-V Manager, as shown in Figure 3.
Figure 3. The Hyper-V VM can benefit from TPM services even if the hardware host does not have a physical TPM installed
Turn on the VM and notice that TPM V2.0 is now present in device manager, as shown in Figure 4.
Figure 4. Trust Platform Module in a Hyper-V VM
The final thing is to install BitLocker feature inside the guest and start encrypting your data.
Fire up an administrative Windows PowerShell prompt and run the following command:
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature –IncludeManagementTools -Restart
BitLocker Drive Encryption ensures that your VM’s VHDX files are secure when at rest. The data file that contains VM-specific secrets is encrypted as well.
But what about when virtual machines (including their memory state, configuration, as well as virtual hard disks) are in transit, for example during a live migration?
The good news is that the VM’s vTPM is as portable as the rest of the VM. This means that your VMs remain protected even when their data is transmitted over the network.
To encrypt virtual machine state and VM migration traffic, you need to enable the security setting “Encrypt state and virtual machine migration traffic” , as shown in Figure 3 above.
You can also accomplish the same thing using PowerShell. Fire up an administrative Windows PowerShell prompt and run the following command:
Set-VMSecurity –VM <VMName> -EncryptStateAndVmMigrationTraffic $true
What about Generation 1 VM?
What about generation 1 virtual machines they are still out-there? Some people cannot use Gen2 VMs everywhere, and you want to encrypt your data within the VM. There are valid reasons why Gen2 VM is not possible to be used, example with older operating system that do not support UEFI (WS 2008 or WS 2008 R2).
Microsoft introduced Key Storage Drive (KSD) feature to address this limitation, please check how to enable Key Storage Drive in Windows Server 2016 Hyper-V.