-
- Service Provider
- Posts: 315
- Liked: 41 times
- Joined: Feb 02, 2016 5:02 pm
- Full Name: Stephen Barrett
- Contact:
Replica Encryption using vTPM?
Just wondering if anybody has any experience with using Server 2016's vTPM to encrypt/decrypt off-site replica VMs and VHDs?
Any issues with spinning up the Encrypted VMs?
-
- Enthusiast
- Posts: 95
- Liked: 31 times
- Joined: Mar 07, 2018 12:57 pm
- Contact:
-
- Service Provider
- Posts: 315
- Liked: 41 times
- Joined: Feb 02, 2016 5:02 pm
- Full Name: Stephen Barrett
- Contact:
Re: Replica Encryption using vTPM?
Much obliged - looks a bit complicated and not something I'd want to attempt in the middle of a DR failover I think.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Replica Encryption using vTPM?
Doktornotor, thanks for providing that information!
Stephen,
It all depends what your concerns are I guess. When discussing this type of configuration with people, it all comes down to making the choice between security and speed. If you go for the additional security, then you (and the ones that give you an SLA) need to be aware that certain tasks will take more time and need to be prepared (and tested) on a regular basis. If you are going for it, then yes, you don't want to start with doing crazy stuff when the Disaster has already happened. You need to make sure that the config was already exported upfront and ready to be used when needed.
With more and more functionality coming to different platforms, I can only think (and believe) that these types of decisions will need to be made more and more. Which will mean that you need to understand the additional work, balance the pros and cons and let the SLA decision makers know about it.
-
- Enthusiast
- Posts: 95
- Liked: 31 times
- Joined: Mar 07, 2018 12:57 pm
- Contact:
Re: Replica Encryption using vTPM?
There's one thing here I'd like to point out, even though I'm not sure whether it's something intended as a use case by the OP. If you were/are thinking about using the vTPM to actually use BitLocker encryption on the guest level, well... you'd better think twice. It's been a miserable failure when we've been testing it here. Backups of those VMs were a complete failure most of the time, due to VSS/checkpoints creation bombing out over and over again. It's been going on with the bundled Windows Server Backup, with Veeam, and I'm pretty sure it'd be failing with pretty much anything else. The issue immediately went away when we stopped BitLocker usage inside the guests.
So, if you need encryption, you could either use BitLocker on the host level, or just keep the Veeam backups encrypted since, well... if you use the (standalone) shielded VMs feature on 2016, you cannot just take those VHD/VHDX files elsewhere and mount/launch them unless you've imported the shielded VM encryption/signing certs on that host.
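Added example, not part of the thread and not vendor code: one way to have the shielded VM certificates mentioned above exported upfront and staged on the DR host before a failover is needed. It assumes standalone (local-mode) shielding with the certificates in the `Shielded VM Local Certificates` machine store; the function names and directory layout are hypothetical.

```powershell
# Added example. Assumptions: standalone (local-mode) shielded VMs whose guardian
# certificates sit in the store below; function names and paths are hypothetical.
$Store = 'Cert:\LocalMachine\Shielded VM Local Certificates'

function Export-ShieldedVmKeys {
    # Run on the production host, well before any failover.
    param([Parameter(Mandatory)][string]$OutDir,
          [Parameter(Mandatory)][securestring]$Password)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $manifest = foreach ($cert in Get-ChildItem -Path $Store) {
        if (-not $cert.HasPrivateKey) {
            # A public-only certificate is useless for starting the VM elsewhere.
            Write-Warning "Skipping $($cert.Subject): no private key"
            continue
        }
        $name = "$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir $name) `
            -Password $Password | Out-Null
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                           NotAfter = $cert.NotAfter; File = $name }
    }
    $manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
    $manifest
}

function Import-ShieldedVmKeys {
    # Run on the DR host as part of regular failover testing.
    param([Parameter(Mandatory)][string]$InDir,
          [Parameter(Mandatory)][securestring]$Password)
    $rows = Import-Csv (Join-Path $InDir 'manifest.csv')
    foreach ($row in $rows) {
        if (Test-Path (Join-Path $Store $row.Thumbprint)) { continue }  # already staged
        Import-PfxCertificate -FilePath (Join-Path $InDir $row.File) `
            -CertStoreLocation $Store -Password $Password | Out-Null
    }
    # Return every manifest entry that is still missing or lacks its private key.
    $rows | Where-Object {
        $c = Get-Item (Join-Path $Store $_.Thumbprint) -ErrorAction SilentlyContinue
        -not $c -or -not $c.HasPrivateKey
    }
}
```

An empty result from `Import-ShieldedVmKeys` means every exported certificate is present with its private key on the DR host. The PFX files unlock every VM shielded with those certificates, so keep them and the password off the replica storage.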
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Replica Encryption using vTPM?
Doktornotor, and the last disadvantage is that item-level recovery is not available with shielded VM!
-
- Service Provider
- Posts: 315
- Liked: 41 times
- Joined: Feb 02, 2016 5:02 pm
- Full Name: Stephen Barrett
- Contact:
Re: Replica Encryption using vTPM?
Yes it's looking like Host level BitLocker Encryption on the Cluster Volumes is the least worst way to go. Should I go this route, I'll probably go with one Domain controller on Local Storage outside of the encrypted Storage.
https://docs.microsoft.com/en-us/previo ... 5(v=ws.11)
This will also have the benefit of not interfering with the replication for the DR Solution.
-
- Veteran
- Posts: 528
- Liked: 144 times
- Joined: Aug 20, 2015 9:30 pm
- Contact:
Re: Replica Encryption using vTPM?
I assume based on this discussion that you are not using the Host Guardian Service to hold the vTPM encryption keys?
-
- Service Provider
- Posts: 315
- Liked: 41 times
- Joined: Feb 02, 2016 5:02 pm
- Full Name: Stephen Barrett
- Contact:
Re: Replica Encryption using vTPM?
No I'm probably going to avoid vTPM altogether, and simply BitLocker the SAN / CSVs. Seems to be a much tidier solution.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Replica Encryption using vTPM?
Well,
It all depends on what the end goal is, no? I personally don't think Shielded VMs is a bad thing. But as we said, it comes with downsides. No item-level recovery. When you recover a VM it needs to be on a trusted host and sometimes you might need to do some special procedures depending on the recovery use-case (and how bad it is). If the tenants agree with the downsides and the potential slower recovery in favor of the additional security/trust, then I see it as a good thing. However, if they want more usability, faster restore and other advantages (exportability for example) then they need to live with the downsides...