BitLocker can be used as a cryptographic module to fulfill FIPS 140-2 security level 1 compliance.

What if the encrypted drive is on a virtual machine, is that still FIPS 140-2 compliant?

In one BitLocker virtual machine setup, one of the drives or volumes on the virtual machine's host can act as a cryptographic key provider to hold the cryptographic key.

The only problem is that this kind of BitLocker implementation seems to mostly subvert the protection that BitLocker is providing in the first place.

In the article entitled "BitLocker Drive Encryption in Windows 7: Frequently Asked Questions" Microsoft states that they do not support the use of BitLocker on a virtual machine:

Can I use BitLocker within a virtual machine operating environment?

BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.

But what does this mean for FIPS 140-2 compliance and a virtual machine?

If Microsoft does not support it, is BitLocker still FIPS 140-2 compliant in a virtual machine?

Mark Rogers

1 Answer

There's an interesting discussion on this topic. I would agree with this assessment that a virtual drive holding the encryption key would not qualify as FIPS 140-2 compliant.

In the security policy, §2.3 describes the platforms on which the certification applies: it lists several versions of Windows, with no reference to any particular hardware. Then §6 describes usage requirements that must be met in order for the certificate to apply. One of the FIPS-compliant startup mechanisms listed in §5.2 must be in use, therefore the machine must have a PIN pad, a USB connection or a TPM. The policy does not explicitly describe the connection between the machine running Windows and these peripherals, therefore a virtual machine would be acceptable.

A virtual thumb drive would be a different matter. As there is no actual USB involved, I don't think the language can be construed to cover this case.

That said, CREDANT Manager for BitLocker makes a BitLocker-encrypted drive on a virtual machine comply with FIPS 140-2:

CREDANT Manager for BitLocker forms part of a single, central management solution which helps ... offer an integrated approach to managing encryption across other, non-BitLocker platforms; physical, virtual and Cloud-based.

... the encryption management solution provides simple, centrally managed key recovery and is FIPS 140-2 validated.

I suspect there are other central key management solutions. CREDANT was just the first one I found.

Chris K
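The answer turns on a few checkable facts: whether the OS-wide FIPS algorithm policy is on, whether a physical TPM (or a PIN/USB startup key) is the key provider, and whether the platform is a virtual machine at all. The following PowerShell audit is an added example, not code from the question, from Chris K's answer, or from Microsoft or CREDANT; it collects those facts for one volume so a reviewer can compare them against the module's security policy. It assumes an elevated session on Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules available; the list of virtualisation vendor strings and the set of key protector types treated as "startup" protectors are assumptions of this example.

```powershell
# Added example (not part of the original question or answer): gather the
# BitLocker facts a FIPS 140-2 reviewer would check for one volume.
# Assumes: elevated PowerShell on Windows 8+/Server 2012+ with the
# BitLocker and TrustedPlatformModule modules present.

function Get-BitLockerFipsAudit {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # 1. Is the OS-wide FIPS algorithm policy enabled? (well-known registry value)
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsValue = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    $fipsEnabled = ($null -ne $fipsValue) -and ($fipsValue.Enabled -eq 1)

    # 2. Is a TPM present and ready on this machine?
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    # 3. Does the platform look virtualised? (vendor string list is an assumption)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $vmPatterns = 'Virtual Machine|VMware|VirtualBox|KVM|QEMU|Xen'
    $isVirtual = ($cs.Model -match $vmPatterns) -or ($cs.Manufacturer -match $vmPatterns)

    # 4. Which key protectors guard the volume, and is one of them a
    #    TPM / PIN / USB startup mechanism (the ones the answer names)?
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $startupTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'
    $hasStartupProtector = @($protectorTypes | Where-Object { $startupTypes -contains $_ }).Count -gt 0

    [pscustomobject]@{
        MountPoint          = $MountPoint
        VolumeStatus        = $vol.VolumeStatus
        EncryptionMethod    = $vol.EncryptionMethod
        KeyProtectors       = ($protectorTypes -join ',')
        FipsPolicyEnabled   = $fipsEnabled
        TpmPresentAndReady  = $tpmReady
        LooksVirtualised    = $isVirtual
        HasStartupProtector = $hasStartupProtector
        # Flags that warrant a closer look against the security policy;
        # this is a prompt for review, not a certification verdict.
        NeedsReview         = (-not $fipsEnabled) -or (-not $hasStartupProtector) -or $isVirtual
    }
}

# Audit the system drive and show the result.
Get-BitLockerFipsAudit | Format-List
```

The script deliberately reports facts rather than deciding compliance: validation attaches to the cryptographic module on the platforms listed in its security policy, so a `NeedsReview` of `True` (FIPS policy off, no TPM/PIN/USB protector, or a virtualised host) is the cue to read the policy's usage requirements for that configuration, not a finding in itself.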