[dm-crypt] General question: Encrypytion on virtual servers (VPS/Vserver)

Daniel P. Berrange berrange at redhat.com
Tue Feb 21 17:33:54 CET 2017


On Tue, Feb 21, 2017 at 05:21:24PM +0100, Arno Wagner wrote:
> On Tue, Feb 21, 2017 at 14:58:07 CET, Daniel P. Berrange wrote:
> > On Tue, Feb 21, 2017 at 02:42:51PM +0100, michaelof at rocketmail.com wrote:
> [...]
> > If the attacker has access to the physical host while your VM is running,
> > then (with current hardware) there is essentially nothing you can do to
> > prevent a skilled person getting your master key out of VM memory. AMD
> > recently announced a memory encryption feature that might make it possible
> > to protect guest keys from a host attacker, but its still very early days
> > in its developement & integration into virtualization technology, so a very
> > long way off being available in any public hosting provider.
> 
> I think this is more about proteching VMs from each other than 
> from the Hypervisor, think memory deduplication, copy-on-write
> and caches that leak information from one VM to another.

Protecting the VM from the host is very much in scope of what AMD
is aiming to achieve with its SEV technology & KVM. The impl it
isn't there yet, but it is one of the intended targets.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|


More information about the dm-crypt mailing list