my personal blog about systemcenter

Archive for September, 2015

Deduplication and Compression vs Encrypted VMs

Categories: Bitlocker, Compression, Deduplication, Hyper-V, Windows Server 2016

So with Windows Server 2016 we now have the ability to enable a virtual TPM inside the VM, to help protect data from threats ranging from a rogue SAN snapshot to a stolen backup tape.

D:\New folder>ddpeval.exe “D:\UNSECURE”
Data Deduplication Savings Evaluation Tool
Copyright (c) 2013 Microsoft Corporation.  All Rights Reserved.

Evaluated folder: D:\UNSECURE
Evaluated folder size: 17,38 GB
Files in evaluated folder: 6

Processed files: 6
Processed files size: 17,38 GB
Optimized files size: 4,52 GB
Space savings: 12,87 GB
Space savings percent: 74

Optimized files size (no compression): 7,93 GB
Space savings (no compression): 9,46 GB
Space savings percent (no compression): 54

Two default-installed guests give 54% deduplication savings without compression (74% with compression). Sure, this number will skew as data is added, but this is just a small example.

D:\New folder>ddpeval.exe “D:\SECURE”
Data Deduplication Savings Evaluation Tool
Copyright (c) 2013 Microsoft Corporation.  All Rights Reserved.

Evaluated folder: D:\SECURE
Evaluated folder size: 20,41 GB
Files in evaluated folder: 6

Processed files: 6
Processed files size: 20,41 GB
Optimized files size: 19,36 GB
Space savings: 1,06 GB
Space savings percent: 5

Optimized files size (no compression): 19,46 GB
Space savings (no compression): 981,13 MB
Space savings percent (no compression): 4

Files excluded by policy: 0
Files excluded by error: 0

The same two VMs, now with in-guest BitLocker: almost all of the deduplication effect is gone (5% with compression, 4% without). Encrypted data is indistinguishable from random, so neither identical blocks nor compressible patterns survive across the two VHDs; the small residual savings presumably come from what BitLocker does not encrypt, such as the unencrypted boot partition and, with used-space-only encryption, never-written free space. Secured VMs will therefore hurt storage cost if you rely on array-based compression and/or deduplication.
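To see why the second ddpeval run finds almost nothing to save, here is an added PowerShell example (it is not from the original post and not a Microsoft tool) that builds two constructed guest disks sharing most of their 4 KB chunks, measures chunk-level deduplication and Deflate compressibility, and then AES-encrypts each disk with its own key, standing in for each guest's own BitLocker volume key. The disk contents, sizes and VM names are made up for the demo; the measurement functions take any byte array, so a real VHDX read with [IO.File]::ReadAllBytes works too if it fits in memory.

```powershell
# Added example, not code from the original post or from Microsoft.
# Two constructed "guest disks" share most of their 4 KB chunks (same OS image);
# we measure chunk-level dedup and Deflate compressibility, then encrypt each
# disk with its own AES key (a stand-in for each guest's BitLocker volume key)
# and measure again. Disk contents, sizes and VM names are made up for the demo.

Add-Type -AssemblyName System.IO.Compression   # DeflateStream
$ChunkSize = 4096                               # a typical array/dedup chunk size

function New-SyntheticDisk {
    # 64 chunks of shared, low-entropy "OS image" text identical on every guest,
    # followed by 16 chunks of per-VM text (event-log style). Both are compressible.
    param([string]$VmName)
    $os  = [Text.Encoding]::ASCII.GetBytes((-join (1..8000 | ForEach-Object { "C:\Windows\System32\lib$($_).dll size $($_ * 4096)`n" })))
    $own = [Text.Encoding]::ASCII.GetBytes((-join (1..4000 | ForEach-Object { "$VmName event $_ logon ok`n" })))
    $disk = New-Object byte[] (80 * $ChunkSize)
    [Array]::Copy($os,  0, $disk, 0,               64 * $ChunkSize)
    [Array]::Copy($own, 0, $disk, 64 * $ChunkSize, 16 * $ChunkSize)
    return ,$disk                                # the comma keeps the byte[] from being unrolled
}

function Protect-Disk {
    # AES-256-CBC with a fresh random key and IV per disk, as a per-VM BitLocker
    # key would give. (BitLocker itself uses AES-CBC or XTS per sector; the effect on
    # dedup and compression is the same: ciphertext looks random.)
    param([byte[]]$Data)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)
    $aes.Dispose()
    return ,$cipher
}

function Get-UniqueChunkRatio {
    # Distinct 4 KB chunks (by SHA-256) divided by total chunks across all disks:
    # 1.0 means no two chunks are identical, so dedup saves nothing.
    param([byte[][]]$Disks)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $total = 0
    foreach ($d in $Disks) {
        for ($off = 0; $off -lt $d.Length; $off += $ChunkSize) {
            $len = [Math]::Min($ChunkSize, $d.Length - $off)
            [void]$seen.Add([BitConverter]::ToString($sha.ComputeHash($d, $off, $len)))
            $total++
        }
    }
    $sha.Dispose()
    return [Math]::Round($seen.Count / $total, 2)
}

function Get-CompressedRatio {
    # Deflate output size divided by input size; about 1.0 means incompressible.
    param([byte[]]$Data)
    $ms = New-Object System.IO.MemoryStream
    $ds = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($Data, 0, $Data.Length)
    $ds.Dispose()                                # flushes the final block; $ms stays open (leaveOpen)
    return [Math]::Round($ms.Length / $Data.Length, 2)
}

# Constructed pair of guests, in the clear and then "BitLocker'd" with separate keys
$plain  = @((New-SyntheticDisk 'SECURE01'), (New-SyntheticDisk 'SECURE02'))
$cipher = @((Protect-Disk $plain[0]), (Protect-Disk $plain[1]))

"Plaintext: distinct-chunk ratio {0}, deflate ratio {1}" -f (Get-UniqueChunkRatio $plain),  (Get-CompressedRatio $plain[0])
"Encrypted: distinct-chunk ratio {0}, deflate ratio {1}" -f (Get-UniqueChunkRatio $cipher), (Get-CompressedRatio $cipher[0])
```

On the plaintext pair the 64 shared OS chunks of each 80-chunk disk collapse to one copy, so only 96 of the 160 chunks are distinct, and Deflate shrinks the repetitive text substantially. On the encrypted pair every chunk hash is distinct and the Deflate output is about as large as its input: with a key per VM, identical plaintext blocks become unrelated ciphertext, which is the effect behind the 5% figure above. Dedup and compression only pay off at a layer that sees plaintext, so anything that sits below the guest's BitLocker, whether a storage array or a backup target, gets the second result.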

Sure, not all VMs will be encrypted, but seeing this from a hoster's perspective I can see all VMs being encrypted.

Shielded VMs: a new era for secured VMs

Categories: Hyper-V, Windows Server 2016

With the preview of Windows Server 2016 we get a new feature that can help improve security.

With Shielded VMs we can add a virtual TPM to each VM. The guest OS uses it, with BitLocker, to encrypt its own disks, and the vTPM state itself is protected by a key protector that only the Host Guardian Service can unwrap, so the VM can only be started on an attested (guarded) host.

The step-by-step guide for adding this is provided by Microsoft here: https://aka.ms/shieldedVMs

It is supported both for plain Hyper-V VMs and for VMs managed by Windows Azure Pack.

Two attestation modes are supported: a dedicated AD forest (AD-based attestation, where HGS trusts hosts by their security group membership) or hardware with TPM 2.0 (TPM-based attestation). Servers that support the TPM mode are hard to find as of this writing (a Surface works for testing), so this has been tested in our playground using a dedicated AD forest.

After the initial setup of the dedicated forest and the installation of the Host Guardian Service (HGS) we need to add protection to the VMs.

So here we have a dedicated forest that holds the HGS servers, with a one-way trust to the forest where our Hyper-V hosts and VMs are located. This lets us secure the VMs in the hosted environment: a Hyper-V administrator cannot access data inside a VM, and the same holds for Backup Operators, because what they can copy is an encrypted VHD whose BitLocker key lives in a vTPM that only a guarded host can unseal.

For compliance, and in environments where encryption is a requirement, this is a very big step toward ensuring security across the hypervisor.

PS C:\> # The owner and guardian used below are not shown in the post; the name and path here are placeholders
PS C:\> $Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
PS C:\> $Guardian = Import-HgsGuardian -Path 'C:\HGSGuardian.xml' -Name 'TestFabric' -AllowUntrustedRoot
PS C:\> # -AllowUntrustedRoot only because there is no dedicated PKI in this test setup
PS C:\> $KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot

PS C:\> Add-VMTPM -VMName SECURE01
PS C:\> Add-VMTPM -VMName SECURE02
PS C:\> Set-VMTPM -VMName SECURE01 -Enabled $true -KeyProtector $KP.RawData
PS C:\> Set-VMTPM -VMName SECURE02 -Enabled $true -KeyProtector $KP.RawData

image

This adds the TPM device to the virtual machine and enforces Secure Boot; it works with Generation 2 VMs only.

image

This is our VM before we enable vTPM

image

And this is our VM after vTPM has been enabled.

If we then encrypt our VM with BitLocker and try to open a “stolen” copy of the VM:

image

We can't :)

This was just a small teaser to show one area of the Hyper-V 2016 security enhancements; I will dive a little deeper into securing the environment using Shielded VMs later.