
I am pretty new to virtualization with KVM/QEMU and I have a security question. Which is the best way to encrypt virtual machines? Back when I was using Windows, I enforced BitLocker on every drive on my computer. Now I have some Windows installations in encrypted QEMU containers. Should I stick with this approach, or should I enforce BitLocker inside the virtual machines? Is there a performance issue if I use both encryption approaches?

Thanks a lot

1 Answer


OK, it took me a while but I figured out a few things. First of all, qcow2 images are not the fastest way to go. Currently, since I have several physical disks in my server, I pass through whole partitions to my VMs (see: Add physical partition to QEMU/KVM virtual machine in virt-manager).

Then I pass through the TPM module to my VM. This allows me to encrypt drives with BitLocker as if I had a real PC.

I hope this helps.

  • Apparently this is not an optimal solution to the problem. KVM allows passing the TPM to only one VM (which actually makes sense). I moved my VMs into QEMU containers again. – Apostolos Athanasiou Mar 25 '19 at 20:36
  • Well I'm using this approach with a password instead of the TPM. – Marc.2377 May 31 '21 at 18:07
  • @ApostolosAthanasiou You might consider looking into this again. When Windows 11 came out with a requirement for Secure Boot / TPM, a lot of effort went into shoring up support for virtualized Trusted Platform Modules; Proxmox VE 7.1, OpenStack, Hyper-V, ESXi, and many others now support it. Back in 2019, when you asked the question, support for vTPM was weaker than it is today (now a lot of virtual BIOS / virtual UEFI implementations support it). (Also, it depends on your requirements, but you may be able to just use something like encrypted volumes on a Ceph cluster and boot VMs from that.) – neoakris Mar 16 '22 at 00:22
  • @neokyle thanks for the information! I will definitely revisit this item. – Apostolos Athanasiou Mar 17 '22 at 04:29
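A libvirt domain fragment that combines the two approaches discussed above (a LUKS-encrypted qcow2 image on the host, plus a TPM 2.0 the guest can use for BitLocker), added here as an illustration and not taken from the answer or the comments. The image path, the secret usage name, the OVMF firmware paths and the choice of an emulated swtpm backend (instead of passing the host's TPM through, which the comments note works for only one VM) are assumptions for the example.

```xml
<!-- Added example: libvirt domain XML for a BitLocker-capable Windows guest
     on a LUKS-encrypted qcow2 image. Paths and names are assumptions. -->
<domain type='kvm'>
  <name>win11-encrypted</name>
  <memory unit='GiB'>8</memory>
  <vcpu>4</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <!-- UEFI with Secure Boot; the firmware image paths vary by distribution -->
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win11-encrypted_VARS.fd</nvram>
  </os>
  <features>
    <acpi/>
    <!-- SMM is required for the Secure Boot firmware build -->
    <smm state='on'/>
  </features>
  <devices>
    <!-- Host-side layer: the qcow2 payload is LUKS-encrypted; the passphrase is
         held in a libvirt secret (virsh secret-define / secret-set-value) and
         referenced by its usage name, so it never appears in this file. -->
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/win11-encrypted.qcow2'>
        <encryption format='luks'>
          <secret type='passphrase' usage='win11-encrypted-luks'/>
        </encryption>
      </source>
      <target dev='vda' bus='virtio'/>
    </disk>
    <!-- Guest-side layer: an emulated TPM 2.0 (swtpm) per VM, so BitLocker can
         seal its key to the guest's own TPM without monopolising the host TPM. -->
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
```

Each VM gets its own swtpm state under libvirt's control, so several guests can use BitLocker concurrently, while the LUKS layer protects the image at rest on the host independently of what the guest does.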