Replica Encryption using vTPM?

Discussions specific to the Microsoft Hyper-V hypervisor


by SBarrett847 » Wed Mar 14, 2018 10:33 am

Just wondering if anybody has any experience with using Server 2016's vTPM to encrypt/decrypt off-site replica VMs and VHDs?

Any issues with spinning up the Encrypted VMs?
SBarrett847
Service Provider
Posts: 244
Liked: 39 times
Joined: Tue Feb 02, 2016 5:02 pm
Full Name: Stephen Barrett

Re: Replica Encryption using vTPM?

by doktornotor » Thu Mar 15, 2018 6:01 pm (1 person likes this post)

doktornotor
Novice
Posts: 9
Liked: 3 times
Joined: Wed Mar 07, 2018 12:57 pm

Re: Replica Encryption using vTPM?

by SBarrett847 » Fri Mar 16, 2018 9:52 am

Much obliged - looks a bit complicated and not something I'd want to attempt in the middle of a DR failover, I think.
SBarrett847
Service Provider

Re: Replica Encryption using vTPM?

by Mike Resseler » Mon Mar 19, 2018 8:03 am

Doktornotor, thanks for providing that information!

Stephen,

It all depends what your concerns are, I guess. When discussing this type of configuration with people, it all comes down to making the choice between security and speed. If you go for the additional security, then you (and the ones that give you an SLA ;-)) need to be aware that certain tasks will take more time and need to be prepared (and tested) on a regular basis. If you are going for it, then yes, you don't want to start doing crazy stuff when the disaster has already happened. You need to make sure that the config was already exported upfront and ready to be used when needed.

With more and more functionality coming to different platforms, I can only think (and believe) that these types of decisions will need to be made more and more often. Which will mean that you need to understand the additional work, balance the pros and cons and let the SLA decision makers know about it.
Mike Resseler
Veeam Software
Posts: 4523
Liked: 486 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: Replica Encryption using vTPM?

by doktornotor » Sat Mar 24, 2018 12:14 pm

There's one thing here I'd like to point out, even though I'm not sure whether it's something intended as a use case by the OP. If you were/are thinking about using the vTPM to actually use BitLocker encryption on the guest level, well... you'd better think twice. It was a miserable failure when we tested it here. Backups of those VMs were a complete failure most of the time, due to VSS/checkpoint creation bombing out over and over again. It happened with the bundled Windows Server Backup, with Veeam, and I'm pretty sure it'd be failing with pretty much anything else. The issue immediately went away when we stopped BitLocker usage inside the guests.

So, if you need encryption, you could either use BitLocker on the host level, or just keep the Veeam backups encrypted since, well... if you use the (standalone) shielded VMs feature on 2016, you cannot just take those VHD/VHDX files elsewhere and mount/launch them unless you've imported the shielded VM encryption/signing certs on that host.
doktornotor
Novice
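A host-side check for the failure mode doktornotor describes, added here as an example and not part of the thread: run on a Hyper-V 2016 host, it lists the VMs that have a vTPM, reports whether the host's vTPM keys are local or held by a Host Guardian Service (nmdange's question further down), and attempts a production checkpoint on each VM so a guest VSS failure shows up before a backup job hits it. The cmdlets are the Hyper-V and HgsClient modules' own; the probe snapshot name and the `Mode` property on the HGS client configuration are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the Hyper-V host.
# Assumes the Hyper-V module is present; the HgsClient module is optional.
Import-Module Hyper-V

# Where do this host's vTPM keys live: local certificates or an HGS?
# Assumption: Get-HgsClientConfiguration exposes a 'Mode' property
# ('Local' or 'HostGuardianService').
$hgsMode = 'unknown (HgsClient module not installed)'
if (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue) {
    $hgsMode = (Get-HgsClientConfiguration).Mode
}
Write-Host "vTPM key protection mode on this host: $hgsMode"

$results = foreach ($vm in Get-VM) {
    $sec = Get-VMSecurity -VM $vm
    if (-not $sec.TpmEnabled) { continue }   # only VMs with a vTPM are interesting here

    $ok  = $false
    $err = ''
    try {
        # A production checkpoint drives VSS inside the guest; this is the path
        # that kept failing with BitLocker enabled in the guest.
        $cp = Checkpoint-VM -VM $vm -SnapshotName 'vtpm-probe' -Passthru -ErrorAction Stop
        $ok = $true
        Remove-VMSnapshot -VMSnapshot $cp -ErrorAction Stop   # clean up the probe
    }
    catch {
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        VM             = $vm.Name
        State          = $vm.State
        CheckpointType = $vm.CheckpointType   # Production / ProductionOnly / Standard
        Shielded       = $sec.Shielded
        CheckpointOK   = $ok
        Error          = $err
    }
}

$results | Format-Table -AutoSize
```

With `CheckpointType` set to `Production`, Hyper-V silently falls back to a standard checkpoint when the guest VSS request fails, so the probe would report success. To make the failure visible, set the VM to `ProductionOnly` first (`Set-VM -VM $vm -CheckpointType ProductionOnly`) and put it back afterwards. Veeam and Windows Server Backup drive their own VSS requests, so a passing probe is indicative, not a guarantee; a failing one is a clear warning.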

Re: Replica Encryption using vTPM?

by Mike Resseler » Mon Mar 26, 2018 5:40 am

Doktornotor, and the last disadvantage is that item-level recovery is not available with shielded VM!
Mike Resseler
Veeam Software

Re: Replica Encryption using vTPM?

by SBarrett847 » Mon Mar 26, 2018 4:23 pm

Yes, it's looking like host-level BitLocker encryption on the cluster volumes is the least-worst way to go. Should I go this route, I'll probably go with one domain controller on local storage outside of the encrypted storage.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383585(v=ws.11)

This will also have the benefit of not interfering with the replication for the DR Solution.
SBarrett847
Service Provider
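The host-level route the linked article describes, written out as an added PowerShell example (not code from the thread or from the article): put the CSV into maintenance mode, turn on BitLocker with a recovery password, add an Active Directory identity protector for the cluster name object so any node can unlock the volume unattended after a failover or reboot, bring the CSV back, and verify. The cluster disk resource name, mount point and cluster name object are placeholders.

```powershell
# Added example (not from the thread). Run elevated on the node that currently
# owns the CSV, with the BitLocker and FailoverClusters modules installed.
# Placeholders: adjust to your cluster.
Import-Module BitLocker
Import-Module FailoverClusters

$diskResource = 'Cluster Disk 1'                  # CSV resource name in the cluster
$mountPoint   = 'C:\ClusterStorage\Volume1'       # its CSV mount point on the owner node
$cno          = 'CONTOSO\HVCLUSTER$'              # cluster name object, DOMAIN\NAME$ form

# 1. BitLocker refuses a volume that is actively shared, so put the CSV into
#    maintenance mode first. Only the owner node can reach it until resumed;
#    move or stop the VMs living on it before this step.
Get-ClusterSharedVolume -Name $diskResource | Suspend-ClusterResource | Out-Null
try {
    # 2. Encrypt with a recovery password. Escrow that password out-of-band
    #    (AD DS backup, a vault); it is the only way in if AD is unreachable.
    $vol = Enable-BitLocker -MountPoint $mountPoint -RecoveryPasswordProtector -UsedSpaceOnly
    $recovery = ($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Write-Host "Recovery password for $mountPoint (store this out-of-band): $recovery"

    # 3. Add the AD identity protector for the CNO. Every cluster node can
    #    authenticate as the CNO, so each can unlock the CSV automatically.
    Add-BitLockerKeyProtector -MountPoint $mountPoint `
        -ADAccountOrGroupProtector -ADAccountOrGroup $cno | Out-Null
}
finally {
    # 4. Bring the CSV back online; encryption continues in the background.
    Get-ClusterSharedVolume -Name $diskResource | Resume-ClusterResource | Out-Null
}

# 5. Verify: both protectors present, protection on, encryption progressing.
Get-BitLockerVolume -MountPoint $mountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The AD identity protector is what makes the unlock unattended: on bringing the volume online a node authenticates to the domain as the CNO and BitLocker releases the volume key. That unlock needs a reachable domain controller at the moment the CSV comes up, which is exactly why a DC whose only disks sit on that encrypted CSV cannot help unlock it, and why keeping one DC on local, unencrypted storage (as Stephen plans above) matters. The recovery password is the fallback when no DC answers; treat it accordingly.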

Re: Replica Encryption using vTPM?

by nmdange » Mon Mar 26, 2018 4:47 pm

I assume based on this discussion that you are not using the Host Guardian Service to hold the vTPM encryption keys?
nmdange
Expert
Posts: 320
Liked: 79 times
Joined: Thu Aug 20, 2015 9:30 pm

Re: Replica Encryption using vTPM?

by SBarrett847 » Mon Mar 26, 2018 4:53 pm

No, I'm probably going to avoid vTPM altogether and simply BitLocker the SAN/CSVs. Seems to be a much tidier solution.
SBarrett847
Service Provider

Re: Replica Encryption using vTPM?

by Mike Resseler » Tue Mar 27, 2018 5:26 am

Well,

It all depends on what the end goal is, no? I personally don't think shielded VMs are a bad thing. But as we said, it comes with downsides: no item-level recovery, and when you recover a VM it needs to be on a trusted host, and sometimes you might need to do some special procedures depending on the recovery use case (and how bad it is). If the tenants agree with the downsides and the potentially slower recovery in favor of the additional security/trust, then I see it as a good thing. However, if they want more usability, faster restores and other advantages (exportability, for example), then they need to live with the downsides...
Mike Resseler
Veeam Software
