Mark Minasi's Tech Forum
#1 Wes (Senior Member, Posts: 206)
For you guys who have to be concerned with encrypting data at rest (file servers, exchange servers, etc) are you doing so at the host or guest level, and why?
#2 JamesNT (Senior Member, Posts: 139)
We are doing so at the host level. Our understanding is that encrypting inside the guest is not supported. Furthermore, you have TPM at the host level and all that.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
#3 cj_berlin (Senior Member, Posts: 226)
Quote:
Originally Posted by JamesNT
Understanding is that encrypting inside the guest is not supported. 

The understanding is not 100% correct. BitLocker is not supported on boot drives of VMs, or, to be even more precise, on bootable VHDs (https://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_Other). Data of significance are not usually stored on boot drives, so no problem here.

Quote:

Furthermore, you have TPM at the host level and all that.

Right, 'all that' including the usage of CPU features not (or only partially) supported in a VM, meaning BitLocker is slower and potentially needs more cycles. But virtualization is seldom CPU constrained so maybe it's not a big one. TPM can be virtualized on Xen or QEMU.

BUT.
Unlike a physical disk where you usually notice that it has been stolen, a VHD or VMDK is more easily copied off a running system (i.e. already decrypted). By using VM level encryption you can mitigate that so even if somebody copies your VHD she has to break encryption first in order to get to what's on there.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#4 Mark (Hacked Mark's Facebook Account, Posts: 268)
I'm assuming here that everyone knows that Server 2016 will be able to provide "virtual TPMs" that can be used to BitLocker VHDs. But of course it's not available yet save in preview.
__________________
May I ask that everyone please populate the first name and last name in your user account profile.  Thanks!
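Putting posts #3 and #4 together in working form, here is an added PowerShell example; it is not code from this thread or from Microsoft's documentation. On the Hyper-V host it reports which Generation 2 VMs already have a virtual TPM and enables one on a named VM; inside that guest it uses the vTPM to BitLocker the OS volume and then the data volume, so that a VHDX copied off the host (cj_berlin's scenario) is ciphertext without the key. It assumes Windows Server 2016 or later Hyper-V (the released form of what Mark describes as preview), the Hyper-V module on the host and the BitLocker module in the guest, and a Generation 2 VM. The VM name FS01 and the drive letters C: and D: are placeholders.

```powershell
# Added example (not from the thread). Host side and guest side run on
# different machines; see the region labels. VM name 'FS01' is a placeholder.

#region Host side (run on the Hyper-V host, Server 2016 or later)
$VMName = 'FS01'   # placeholder

# Audit: a vTPM needs a Generation 2 VM, so only those are listed.
Get-VM | Where-Object { $_.Generation -eq 2 } | ForEach-Object {
    $sec = Get-VMSecurity -VMName $_.Name
    [pscustomobject]@{
        VM         = $_.Name
        State      = $_.State
        vTPM       = $sec.TpmEnabled
        Shielded   = $sec.Shielded
        EncryptMig = $sec.EncryptStateAndVmMigrationTraffic
    }
} | Format-Table -AutoSize

# Enable a vTPM on one VM. The VM must be off, and a key protector must exist
# before the vTPM can be turned on. A local key protector keeps the vTPM state
# bound to this host without a Host Guardian Service.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "$VMName is Generation 1; a vTPM needs Generation 2." }
if ($vm.State -ne 'Off')  { Stop-VM -Name $VMName }
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName
}
Start-VM -Name $VMName
#endregion

#region Guest side (run inside the VM once it has a vTPM)
# Confirm the guest actually sees a ready TPM before relying on it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready in the guest.' }

# OS volume: TPM protector for unattended boot, plus a recovery password to escrow.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

# Data volume (where the shares live): recovery password plus auto-unlock,
# which BitLocker only permits once the OS volume is itself encrypted.
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Check the result: every volume, its protection state and which protectors it has.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize
#endregion
```

The recovery passwords printed by the guest-side steps are the only way back in if the vTPM state is lost (for example after moving the VM to another host without its key protector), so back them up to AD DS or a vault before anything depends on the encrypted volumes.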
#5 JamesNT (Senior Member, Posts: 139)
Evgenij,

You'd be surprised at how much data to this day is still stored on boot drives. SMBs are still notorious for it. Even large companies. Storage is still, for many, the number one IT cost.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
#6 wobble_wobble (Associate Troublemaker Apprentice, Posts: 808)
Quote:
Originally Posted by JamesNT
Evgenij,

You'd be surprised at how much data to this day is still stored on boot drives. SMBs are still notorious for it. Even large companies. Storage is still, for many, the number one IT cost.

JamesNT

Azure SSD servers have massive C: drives that you pay for from the get-go.
Is the assumption that you partition the C: drive to 80GB or so and use the other two 50GB-ish as D:/E:/F: drives?

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
#7 Mark (Hacked Mark's Facebook Account, Posts: 268)
Joe, my understanding is that you're only charged for the USED space on the 127GB C: drives on Azure VMs.
__________________
May I ask that everyone please populate the first name and last name in your user account profile.  Thanks!
#8 wobble_wobble (Associate Troublemaker Apprentice, Posts: 808)
Mark, as I've been told, the spinning disk is per usage and SSD is a chunk that you deploy.

As marketing has gotten at the documentation now, the best I can find on an MS site is as follows:

Disk Storage

Reference - second last + expansion
https://azure.microsoft.com/en-us/pricing/details/storage/

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this