
How Can I Encrypt Generation 1 Hyper-V VMs?

In this post, I’ll explain a new feature in Windows Server 2016 Hyper-V, called Key Storage Drive.

More Security

WS2016 Hyper-V is, in my opinion, the most secure hypervisor ever. Microsoft included many features to establish trust in the host, to protect the host from guests, and to protect guests from rogue administrators. Some of these features are:

  • Shielded virtual machines: the host's management OS and hypervisor are validated (attested) by the Host Guardian Service, an infrastructure that is independent of the host itself, before the host is allowed to run the VM. This solution also provides layers of insulation between the running guest OS and the host, protecting against console access, data transfer, and so on.
  • Virtual TPM (vTPM): Generation 2 virtual machines have support for a vTPM device. This allows guest OS administrators to enable BitLocker and protect themselves against rogue host administrators who would otherwise copy the VHD/X files and mount them elsewhere.

However, all of the above require that you have deployed Generation 2 virtual machines. This is fine for new systems on modern OSs, but what about all of those legacy systems that are out there, or those installations that require guest OSs that do not support UEFI?


Key Storage Drive

Generation 1 virtual machines do not support vTPM, but Microsoft engineered a solution for these virtual machines. A special file, known as a Key Storage Drive, is attached to the IDE controller of the virtual machine. This file is used in place of a vTPM to store the BitLocker secrets. The drive is created on the host, prepared in the guest OS, and then the guest OS administrator can enable/deploy BitLocker.

It is important to note that a Key Storage Drive cannot offer you the same level of protection as a vTPM, and it cannot provide the isolation and host assurance that shielded virtual machines make possible: it does not measure the guest's boot chain, and it does not attest the host. What you do get, as a guest OS administrator, is the ability to encrypt your virtual machine's disks so that no one can simply copy the VHD/X files, mount them, and peek at your data.

Using Key Storage Drive

The feature is simple to use:

  1. Edit the settings of your Generation 1 virtual machine.
  2. Browse to Security and click Add Key Storage Drive.
Adding a Key Storage Drive to a WS2016 Hyper-V Generation 1 virtual machine [Image Credit: Aidan Finn]
  3. You can view the new Key Storage Drive by browsing to IDE Controller 0, where the new security device is added at location 1 (location 0 is the OS disk).
  4. Now you should log into the virtual machine to configure BitLocker, which I will cover in another post.
Viewing a Key Storage Drive in a WS2016 Hyper-V Generation 1 virtual machine [Image Credit: Aidan Finn]
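The same host-side procedure can be scripted. The following is an added example, not code from the original post, showing the PowerShell equivalent of the Hyper-V Manager steps above, run in an elevated session on the WS2016 host. The VM name is a placeholder. It first checks that the VM really is Generation 1 (a Generation 2 VM should get a vTPM instead), then ensures the VM has a key protector, which is what encrypts the vTPM/Key Storage Drive state at rest; on a host that is not part of a guarded fabric this is a local key protector, which is the assumption made here. If your host is HGS-guarded, the key protector comes from the HGS guardian instead and that step must be adjusted.

```powershell
# Added example (not from the original post): add a Key Storage Drive to a
# Generation 1 VM with PowerShell. Run elevated on the Hyper-V host.
# Assumption: $vmName is a placeholder; the host is NOT part of a guarded
# fabric, so a local key protector is used (adjust for an HGS-guarded host).
$vmName = 'LegacyApp01'

Import-Module Hyper-V
$vm = Get-VM -Name $vmName -ErrorAction Stop

# Key Storage Drive exists only for Generation 1 VMs; Generation 2 VMs use a vTPM.
if ($vm.Generation -ne 1) {
    throw "$vmName is Generation $($vm.Generation); use Enable-VMTPM for Generation 2 VMs."
}

# IDE devices cannot be hot-added, so make sure the VM is off before changing
# IDE controller 0 (conservative: this also avoids a failed add on a running VM).
if ($vm.State -ne 'Off') {
    Stop-VM -Name $vmName -Force
}

# The key protector is what keeps the Key Storage Drive contents from being
# readable as a plain file on the host. Hyper-V Manager creates a local key
# protector silently on a non-guarded host; PowerShell requires it explicitly.
$kp = Get-VMKeyProtector -VMName $vmName
if (-not $kp -or $kp.Length -eq 0) {
    Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
}

# Attach the Key Storage Drive. As the post describes, it lands on IDE
# controller 0 at location 1, next to the OS disk at location 0.
Add-VMKeyStorageDrive -VMName $vmName

# Verify placement before handing the VM to the guest administrator.
Get-VMKeyStorageDrive -VMName $vmName |
    Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation

Start-VM -Name $vmName
```

One caveat worth checking in your own environment: because a local key protector lives on the host, a host administrator with access to it can still unwrap the Key Storage Drive. That is the gap the post refers to when it says Key Storage Drive cannot match a vTPM inside a shielded VM, where the key protector is owned by the HGS guardian rather than the host.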

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
