Data guardian 3
10/7/2023

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Virtualization security is a major investment area in Hyper-V. In addition to protecting hosts or other virtual machines from a virtual machine running malicious software, we also need to protect virtual machines from a compromised host. This is a fundamental danger for every virtualization platform today, whether it's Hyper-V, VMware or any other. If a virtual machine gets out of an organization (either maliciously or accidentally), that virtual machine can be run on any other system. Protecting high value assets in your organization, such as domain controllers, sensitive file servers, and HR systems, is a top priority.

To help protect against a compromised virtualization fabric, Windows Server 2016 Hyper-V introduced shielded VMs. A shielded VM is a generation 2 VM (supported on Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker, and can run only on healthy and approved hosts in the fabric. Shielded VMs and guarded fabric enable cloud service providers or enterprise private cloud administrators to provide a more secure environment for tenant VMs.

The guarded fabric includes 1 Host Guardian Service (HGS) (typically, a cluster of 3 nodes). The diagram below shows how the Host Guardian Service uses attestation to ensure that only known, valid hosts can start the shielded VMs, and key protection to securely release the keys for shielded VMs.

When a tenant creates shielded VMs that run on a guarded fabric, the Hyper-V hosts and the shielded VMs themselves are protected by the HGS. The HGS provides two distinct services: attestation and key protection. The Attestation service ensures only trusted Hyper-V hosts can run shielded VMs, while the Key Protection Service provides the keys necessary to power them on and to live migrate them to other guarded hosts. To learn more, see this video on Introduction to shielded virtual machines.

Attestation modes in the Guarded Fabric solution

The HGS supports different attestation modes for a guarded fabric:

- TPM-trusted attestation (hardware-based).
- Host key attestation (based on asymmetric key pairs).

TPM-trusted attestation is recommended because it offers stronger assurances, as explained in the following table, but it requires that your Hyper-V hosts have TPM 2.0. If you currently don't have TPM 2.0 or any TPM, you can use host key attestation. If you decide to move to TPM-trusted attestation when you acquire new hardware, you can switch the attestation mode on the Host Guardian Service with little or no interruption to your fabric.

- TPM-trusted attestation: Offers the strongest possible protections but also requires more configuration steps. Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled. Assurance: guarded hosts are approved based on their TPM identity, Measured Boot sequence, and code integrity policies to ensure they only run approved code.
- Host key attestation: Intended to support existing host hardware where TPM 2.0 isn't available. Requires fewer configuration steps and is compatible with commonplace server hardware. Assurance: guarded hosts are approved based on possession of the key.

Another mode, named Admin-trusted attestation, is deprecated beginning with Windows Server 2019. This mode was based on guarded host membership in a designated Active Directory Domain Services (AD DS) security group. Host key attestation provides similar host identification and is easier to set up.

Assurances provided by the Host Guardian Service

HGS, together with the methods for creating shielded VMs, helps provide the following assurances.

Shielded VM assurances, from Key Protection Service and from creation methods for shielded VMs

- BitLocker encrypted disks (OS disks and data disks): Shielded VMs use BitLocker to protect their disks. The BitLocker keys needed to boot the VM and decrypt the disks are protected by the shielded VM's virtual TPM using industry-proven technologies such as secure measured boot. While shielded VMs only automatically encrypt and protect the operating system disk, you can encrypt data drives attached to the shielded VM as well.
- Deployment of new shielded VMs from "trusted" template disks/images
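The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling: run on a Hyper-V host, it checks the prerequisites the table above lists for TPM-trusted attestation (TPM 2.0 and UEFI Secure Boot), reads what the host reports about its current attestation with the HGS, and flags a host that meets the TPM-trusted prerequisites but is still attesting in a weaker mode. It assumes the HgsClient module (Get-HgsClientConfiguration) is present, that the Win32_Tpm CIM class is available, and that AttestationOperationMode reports the mode as the string Tpm or HostKey.

```powershell
# Added example (not from the article): posture check for a guarded host.
# Assumes Windows Server 2016+ with the HgsClient module available.
function Test-GuardedHostPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Hardware prerequisites for TPM-trusted attestation: TPM 2.0 + UEFI Secure Boot.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    # SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $result.TpmSpec    = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $result.Tpm20      = ($result.TpmSpec -eq '2.0')
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }   # throws on legacy BIOS boot
    catch { $result.SecureBoot = $false }

    # 2. What the host reports about its attestation against the HGS.
    $cfg = Get-HgsClientConfiguration
    $result.AttestationMode   = $cfg.AttestationOperationMode  # assumed values: Tpm / HostKey
    $result.AttestationStatus = $cfg.AttestationStatus         # e.g. Passed, Expired, Unauthorized
    $result.IsHostGuarded     = $cfg.IsHostGuarded

    # 3. Verdicts derived from the assurances table: can this host use the stronger mode,
    #    and is it currently relying on the weaker one although it need not?
    $result.ReadyForTpmTrusted = $result.Tpm20 -and $result.SecureBoot
    $result.RunningWeakerMode  = $result.ReadyForTpmTrusted -and ($result.AttestationMode -ne 'Tpm')

    [pscustomobject]$result
}

$posture = Test-GuardedHostPosture
$posture | Format-List

if ($posture.AttestationStatus -ne 'Passed') {
    Write-Warning 'Host does not currently pass attestation; shielded VMs will not start on it.'
}
if ($posture.RunningWeakerMode) {
    Write-Warning "Host meets the TPM 2.0 and Secure Boot prerequisites but attests in $($posture.AttestationMode) mode; consider switching the HGS to TPM-trusted attestation."
}
```

Run it periodically on each guarded host, or collect the objects centrally, to spot hosts that have dropped out of attestation or that could be moved to TPM-trusted mode once new hardware arrives.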