Securing VM data at rest with TPM Passthrough or other options

9InchPianist

Dec 22, 2015
Greetings all.

I have a Windows 10 VM running on a Proxmox workstation, and have the following requirements:
  1. I must secure the data at rest in case the physical host machine is stolen
  2. The VM should be able to boot without user interaction due to using GPU passthrough and not having access to the console via VNC.
Since this is the only machine that I need to protect at present, the encryption could be handled in the guest OS, but I am equally happy to explore encryption options on the host (i.e. Proxmox) side.

One thought is to pass the TPM of the physical workstation through to the VM, which looks like it can be done with KVM, but I am not sure how to do this in Proxmox, as there is no XML file to edit, only the conf files.

The other thought is to try and sit ZFS on top of LUKS.

I'm interested to know other people's experience and thoughts on the matter before I subscribe.

9IP.
I know this is a really old thread; I'm just curious as to what you ended up going with. I have a few encrypted VMs. I've set up encryption within the guests for easy handling of secure backups. I use a LUKS-encrypted virtual disk on the host to store small virtual disks that each hold a decryption key for its corresponding guest (obviously with the skip-backup setting in the guest configuration). When I reboot the host, I just ssh in and mount the encrypted virtual disk that holds the images for the decryption key disks; then my encrypted VMs can be booted without a password, and the data at rest is also secured. This works with Windows and Linux guests.
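The host-side part of the setup described in the reply above, written out as an added example (it is not dlford's script and not part of the original thread). It assumes a dedicated block device for the LUKS container (the path /dev/zvol/rpool/keystore, the mapper name "keystore" and the mount point /mnt/keystore are placeholders), registers the mount point as a Proxmox directory storage so that the key disks can be allocated there, and uses the `backup=0` disk option so the key disks are excluded from backups. With DRY_RUN=1 the functions print the commands instead of running them, which is what the check below exercises; the real commands need root on a Proxmox host.

```shell
#!/bin/sh
# Host-side "keystore" for per-VM key disks (added example, not from the thread).
# Layout assumed here: a LUKS2 container on a dedicated block device, mapped as
# /dev/mapper/<name>, mounted at <mnt>, and registered as a PVE "dir" storage
# named <name>. The key disks of the guests live on that storage.

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup. is_mountpoint=yes makes PVE refuse to use the storage while
# the directory is not actually a mount point, so a VM cannot be started
# against an empty, unencrypted directory after a reboot.
keystore_create() {
    dev=$1; name=$2; mnt=$3
    run cryptsetup luksFormat --type luks2 "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    run pvesm add dir "$name" --path "$mnt" --content images --is_mountpoint yes
}

# Give one guest a small (1 GiB) key disk on the keystore storage, excluded
# from vzdump backups (backup=0). The guest-side encryption then reads its key
# from this disk at boot.
keystore_attach_keydisk() {
    name=$1; vmid=$2; slot=${3:-scsi1}
    run qm set "$vmid" "--$slot" "$name:1,backup=0"
}

# After a host reboot: unlock (cryptsetup prompts for the passphrase on the
# ssh session), mount, then start the VMs whose key disks are now reachable.
keystore_open() {
    dev=$1; name=$2; mnt=$3
    shift 3
    run cryptsetup open "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
    for vmid in "$@"; do
        run qm start "$vmid"
    done
}

# Reverse order before taking the host down or when leaving it unattended:
# stop the guests first, then drop the mapping so the keys are at rest again.
keystore_close() {
    name=$1; mnt=$2
    shift 2
    for vmid in "$@"; do
        run qm shutdown "$vmid"
    done
    run umount "$mnt"
    run cryptsetup close "$name"
}

# Minimal CLI: ./keystore.sh open /dev/zvol/rpool/keystore keystore /mnt/keystore 101 102
case "${1:-}" in
    create) shift; keystore_create "$@" ;;
    attach) shift; keystore_attach_keydisk "$@" ;;
    open)   shift; keystore_open "$@" ;;
    close)  shift; keystore_close "$@" ;;
esac
```

The passphrase entry on the ssh session is the one interactive step in the whole procedure; everything after it, including the guest boots, runs unattended, which matches the second requirement in the opening post (no console access through VNC with GPU passthrough).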
 
@dlford
I know this is a really old thread; I'm just curious as to what you ended up going with. I have a few encrypted VMs. I've set up encryption within the guests for easy handling of secure backups. I use a LUKS-encrypted virtual disk on the host to store small virtual disks that each hold a decryption key for its corresponding guest (obviously with the skip-backup setting in the guest configuration). When I reboot the host, I just ssh in and mount the encrypted virtual disk that holds the images for the decryption key disks; then my encrypted VMs can be booted without a password, and the data at rest is also secured. This works with Windows and Linux guests.

Are you still using this solution for Windows VMs as well? If so, what program in Windows are you using to do the encryption?
 
