Encrypt Virtual Machine in the cloud

Question

I am no expert when it comes to security in virtualized environments.

However a problem I always saw is: What happens if the host OS gets hacked and an attacker gains administrative privileges?

How can I protect a VM in the (public) cloud against such threats?

As far as I know there do exist solutions like encrypting the storage layer or encrypting the VM's RAM. Unfortunately I never saw a tutorial describing how to apply those techniques. Are there instructions on how to do this without resorting to one of the providers' proprietary solutions?

Alexander · Accepted Answer · 2012-10-06T16:39:36.353

While Thomas Pornin is correctly pointing out that the only way to trust a host under attack is using fully homomorphic encryption in practice you can try to work around this requirement.

A potential attacker has full control of CPU, memory and disk. So it is not possible to do any calculations on valuable data in a VM that might not be under your control. On the other hand it is often not necessary. If you want to use your VM as a database or storage / backup service the VM never needs access to unencrypted information. You could store files or entries in a database, store hashes of the encrypted files or file names and e.g. sort for file size or retrieve a certain file where the client supplies the file name as a hash value.

Such a scheme limits what you can do with your data but given a good encryption it is impossible for an attacker to steal your data. In the worst case they can modify it, so you need encrypted signatures to prevent tampering of the data.

A popular example is boxcryptor, which uses an encrypted container to store files securely at different cloud providers. Another is duplicity, which allows encrypted backups using rsync and GnuPG.

Encrypting the storage of the VM itself by, e.g. truecrypt or Bitlocker does not increase the security level significantly. It might thwart an attack if the VM is powered off but as soon as you run it the OS needs the key to access the encrypted volume and at that moment a potential attacker can get hold of the key as well.

Thanks for sharing that best-practice. It was hard to decide who gave the "right answer" regarding the original question - you or Thomas Pornin. I decided to give the tick to you, since your advice explains a practical workaround for the problem Thomas pointed out. For anyone who finds this post: Alexander's advice is to read and store encrypted data in the cloud but having the key to decrypt that data somewhere else. As Alexander stated: That limits the abilities of such a solution in trade for increased security. Thanks Alexander! — Emi, Oct 07 '12 at 09:10

score 8 · Answer 2 · answered Oct 06 '12 at 13:12

8

If the host is hostile then resistance is futile.

The host can read the disk, RAM and CPU state of your VM. Only fully homomorphic encryption would save you, but it does not work yet (Science has not uncovered an efficient solution yet; but that's just a factor one billion or so, therefore we can still hope for something... later on).

answered Oct 06 '12 at 13:12

Thomas Pornin

320,799
57
780
949

1

[Immutable Law of Security #6](http://technet.microsoft.com/en-us/library/hh278941.aspx) - A computer is only as secure as the administrator is trustworthy. – Polynomial Oct 06 '12 at 13:25
Are you saying that an encrypted disk (in the VM) would have no effect on what the Host sees? I thought this would make it at least a bit harder for an attacker to steal data. – Emi Oct 06 '12 at 13:35
@Emi If the guest can access the data, the host can access the data. For instance, a symmetric encryption key that allows the guest to decipher or encrypt blocks of data, must be held somewhere in the guest machines's memory for it to be of use. Since the guest's memory is really the underlying host's memory, the host can readily access the area containing the guest's key. Now the attacker on the host has a copy of the key and can go on to read or modify the data as he pleases. – Roy Jul 19 '16 at 08:36

score 4 · Answer 3 · answered Oct 06 '12 at 14:30

Other people are speaking in absolutes (in theory). Yes, if attacker has access to the host OS, then your VM can no longer be considered secure, in theory. However, to do this in practice, it requires some non-standard hacking work, which implies this is a targeted attack against YOU, because there will be plenty of other VMs that will not be encrypted and would be far easier targets than your VM. Full disk encryption in the cloud will protect you in the crowd of other VMs, but if you are targeted specifically, you're dead. There is no absolutely secure system, just different difficulties in accessing it. Disk encryption increases the difficulty. If you want better security, run your own host, but only if you are competent, otherwise it could be worse.

score 2 · Answer 4 · answered Oct 06 '12 at 13:08

2

Your problem here is the same old one- an attacker who has access to the physical box, or in this case the host, can gain access to your VM.

This is one of the risks you need to take into account if you outsource things- you use your contract with the provider to give you the assurance you need.

answered Oct 06 '12 at 13:08

Rory Alsop

61,367
12
115
320

Well, the contract is just one side. When those paragraphs come into action, it is already to late, since the attack was successful. Are there any techniques to reduce the mentioned risk in any way? – Emi Oct 06 '12 at 13:39

score 0 · Answer 5 · answered Oct 09 '12 at 19:03

0

Split your data across many VM's, hosted by different hosts (and providers, if possible) so data from single VM are useless. Of course that could kill usability and/or performance. Very rough idea.

answered Oct 09 '12 at 19:03

lubas

367
1
2

score 0 · Answer 6 · answered Oct 17 '13 at 21:08

Use full disk encryption if you can, where you can. Full disk encryption will only mature, and precludes physical attack, which is time off in security work for the real issues with logical access. By physical attack, I mean from the VM BIOS, keystroke loggers. Also would protect the drive from being mounted from elsewhere if the surrounding infra was stolen and taken off line, as opposed to actively being attacked. I think that particular threat model sounds major enough to me for it to swing the decision to use FDE if possible and if you have covered off any bigger security issues.

score -1 · Answer 7 · answered Jan 31 '14 at 21:36

I believe protecting VM in a remount host is not easy. The best that you need to do as follows: First: Establish mutual trust between you and the visited host.

Second: Add verification tools within your VM to detect abnormal behaviors in the Visited host.

Third: Add protection mechanisms to protect the most sensitive data that VM deals with.

You might need to put "VM Obfuscation " under your consideration.

Thanks

Encrypt Virtual Machine in the cloud

7 Answers7

Linked