3

With KVM guest systems so prevalent now, I was wondering if there is any merit in using LUKS encrypted storage, as the guest will usually be always on, so the information is always accessible unencrypted to the guest, and thus to the host.

Are there other ways to make information harder to access from the host? Is the only way to securely store information on a KVM guest to never use it on that system, i.e. to store encrypted information only?

pepa65

1 Answer

1

A guest's memory is still memory, and the host sets it up by allocating it. This means the host has full access to the KVM guest's memory. You would need hardware support to secure a KVM guest from a privileged user on the host. In particular, you would need to utilize Intel SGX to create a secure trusted environment. The newer memory encryption techniques like AMD SEV or Intel's upcoming MKTME can protect against cold boot attacks or logic analyzers on the memory bus, but not a compromised host.

I do not know if KVM or its frontends (e.g. QEMU) support running guests in an SGX enclave, but I think they do not. It is very difficult to run a full guest in an enclave due to the severe limitations placed on any code executing in SGX context. Most importantly, code in the enclave cannot run as ring 0. In order to make use of this trusted execution feature, it would likely be necessary to modify both the host and guest kernels so that sensitive computation can be offloaded from the kernel into an SGX enclave.

forest
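
As an added example (not part of the answer above, and not code from KVM or QEMU): a Python check of which of the technologies the answer names a Linux host advertises in `/proc/cpuinfo`, and whether the `kvm_amd` module reports SEV as enabled. The sample cpuinfo text is constructed, and a set flag only shows that the CPU advertises the feature.

```python
from pathlib import Path

# CPU flag as Linux prints it in /proc/cpuinfo -> technology named in the answer.
FEATURES = {
    "sgx": "Intel SGX",
    "sev": "AMD SEV",
    "tme": "Intel TME (base of MKTME)",
}
KVM_SEV_PARAM = Path("/sys/module/kvm_amd/parameters/sev")

# Constructed sample: two logical CPUs of an AMD host, flag list abbreviated.
SAMPLE_CPUINFO = """\
processor\t: 0
flags\t\t: fpu vme svm sme sev sev_es
processor\t: 1
flags\t\t: fpu vme svm sme sev sev_es
"""


def cpu_flags(cpuinfo_text):
    """Return the flags that every logical CPU in the text advertises."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))
    return set.intersection(*per_cpu) if per_cpu else set()


def report(cpuinfo_text, kvm_sev_param=None):
    """Map each feature name to 'absent', 'advertised' or 'enabled in KVM'."""
    flags = cpu_flags(cpuinfo_text)
    result = {}
    for flag, name in FEATURES.items():
        if flag not in flags:
            result[name] = "absent"
        elif flag == "sev" and (kvm_sev_param or "").strip() in ("1", "Y"):
            # kvm_amd exposes the parameter as 1 or Y depending on kernel version.
            result[name] = "enabled in KVM"
        else:
            # Flag alone: firmware or module settings may still keep it off.
            result[name] = "advertised"
    return result


if __name__ == "__main__":
    cpuinfo = Path("/proc/cpuinfo")
    text = cpuinfo.read_text() if cpuinfo.exists() else SAMPLE_CPUINFO
    param = KVM_SEV_PARAM.read_text() if KVM_SEV_PARAM.exists() else None
    for name, state in report(text, param).items():
        print(f"{name}: {state}")
```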