Table 5.2: Example Key Protector Content

Guardian      Encryption Cert      Signing Cert         Transport Key
JSavillVMs    MyEncCert (pub)      MySignCert (pub)     TK1 encrypted with MyEncCert
SavTech       SavEncCert (pub)     SavSignCert (pub)    TK1 encrypted with SavEncCert
Azure         AzEncCert (pub)      AzSignCert (pub)     TK1 encrypted with AzEncCert
When a protected VM (shielded or encryption supported) starts, the saved vTPM content must be decrypted to hydrate the synthetic TPM presented to the VM. If the host running the VM is configured in local mode, it tries the key protector's rows against the private keys of its locally defined guardians; any row it can decrypt yields the transport key, and the transport key decrypts the saved vTPM state. If the host is in HGS mode, it first attests to its configured HGS to prove its health and then sends the entire key protector to the HGS. The entire key protector, rather than just the row that belongs to the HGS, is sent for two reasons:
1. The host does not know which row corresponds to the HGS, because a row contains only the certificates and no friendly name for the guardian. By sending the whole key protector, the host lets the HGS parse it, find a row it can decrypt with its own private key, and send back the transport key in an encrypted form that only the virtual secure mode of the host can decrypt and use, as described at the start of this section.
2. Each time a VM starts, the transport key is rolled: a new transport key (for example, TK2) is generated and used to encrypt the vTPM state on disk from then on. The HGS encrypts TK2 with the encryption certificate of every guardian (recall that only the holder of the matching private key can decrypt it) and places all of those rows in a new key protector. This new key protector is sent back to the host for use going forward, along with the current TK1, which is still needed to decrypt the vTPM content as it exists on disk.
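The following is an added example, not code from the book or from Microsoft's Host Guardian Service, that models the key protector mechanics just described: the same transport key wrapped once per guardian, a holder of one private key searching the rows (rows carry no name, so every row is tried), and the HGS rolling TK1 to TK2 and re-wrapping TK2 for every guardian. It uses RSA-OAEP from the Go standard library as a stand-in for the guardians' encryption certificates; the real key protector encoding, host attestation, and the VSM-protected return of TK1 to the host are not modelled (the old key is returned in the clear here). The guardian names are the ones in Table 5.2.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Guardian is a party that may own a row in a key protector. Only the public
// half of Enc goes into the protector; the private half stays with whoever
// must be able to unwrap (the local host, or the HGS). Stand-in for a guardian
// with an encryption certificate; the signing certificate is not modelled.
type Guardian struct {
	Name string
	Enc  *rsa.PrivateKey
}

// Row mirrors one line of Table 5.2 without the name column: the protector
// carries the encryption public key and the transport key wrapped with it,
// nothing that says whose row it is.
type Row struct {
	EncPub    *rsa.PublicKey
	WrappedTK []byte
}

// KeyProtector is the whole table: one transport key, wrapped once per guardian.
type KeyProtector struct {
	Rows []Row
}

// NewGuardian generates a fresh encryption key pair for a named guardian.
func NewGuardian(name string) *Guardian {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Guardian{Name: name, Enc: k}
}

func wrap(pub *rsa.PublicKey, tk []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tk, nil)
}

// BuildKeyProtector wraps tk under every guardian's public key, one row each.
func BuildKeyProtector(tk []byte, guardians []*Guardian) (*KeyProtector, error) {
	kp := &KeyProtector{}
	for _, g := range guardians {
		w, err := wrap(&g.Enc.PublicKey, tk)
		if err != nil {
			return nil, err
		}
		kp.Rows = append(kp.Rows, Row{EncPub: &g.Enc.PublicKey, WrappedTK: w})
	}
	return kp, nil
}

// Unwrap is the search a local-mode host (or the HGS) performs: rows carry no
// friendly name, so every row is tried against every private key held, and
// the first successful OAEP decryption yields the transport key.
func Unwrap(kp *KeyProtector, held []*Guardian) ([]byte, error) {
	for _, row := range kp.Rows {
		for _, g := range held {
			if tk, err := rsa.DecryptOAEP(sha256.New(), nil, g.Enc, row.WrappedTK, nil); err == nil {
				return tk, nil
			}
		}
	}
	return nil, errors.New("no key protector row decrypts with the private keys held")
}

// HgsRelease models the HGS side of a VM start (attestation assumed to have
// passed): unwrap the current transport key, generate a fresh one, and return
// the old key plus a new protector that wraps the new key for every guardian
// present in the original. Simplification: oldTK is returned in the clear.
func HgsRelease(kp *KeyProtector, hgs *Guardian) (oldTK, newTK []byte, next *KeyProtector, err error) {
	if oldTK, err = Unwrap(kp, []*Guardian{hgs}); err != nil {
		return nil, nil, nil, err
	}
	newTK = make([]byte, 32)
	if _, err = rand.Read(newTK); err != nil {
		return nil, nil, nil, err
	}
	next = &KeyProtector{}
	for _, row := range kp.Rows {
		w, werr := wrap(row.EncPub, newTK)
		if werr != nil {
			return nil, nil, nil, werr
		}
		next.Rows = append(next.Rows, Row{EncPub: row.EncPub, WrappedTK: w})
	}
	return oldTK, newTK, next, nil
}

func main() {
	owner, hgs, azure := NewGuardian("JSavillVMs"), NewGuardian("SavTech"), NewGuardian("Azure")
	tk1 := make([]byte, 32) // constructed: the initial transport key TK1
	if _, err := rand.Read(tk1); err != nil {
		panic(err)
	}
	kp, _ := BuildKeyProtector(tk1, []*Guardian{owner, hgs, azure})
	if _, err := Unwrap(kp, []*Guardian{owner}); err == nil {
		fmt.Println("local mode: owner guardian unwrapped TK1")
	}
	if _, err := Unwrap(kp, []*Guardian{NewGuardian("Stranger")}); err != nil {
		fmt.Println("unrelated private key:", err)
	}
	_, _, next, err := HgsRelease(kp, hgs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("HGS mode: TK1 released, new protector has %d rows wrapping TK2\n", len(next.Rows))
}
```

Note that after HgsRelease the on-disk vTPM state is re-encrypted under TK2, so the protector the host keeps going forward is the new one; a host that later held only the old protector would recover TK1, which no longer decrypts anything.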
Once the key protector is created, it can be assigned to a VM, the VM can be set as shielded, and its TPM can be enabled. The VM must be stopped before its key protector, security policy, or TPM setting is changed, so the sequence is:
$VMName="GuardedVM01"
# $KP holds the key protector object created earlier; Set-VMKeyProtector takes its raw bytes
Stop-VM -Name $VMName -Force
Set-VMKeyProtector -VMName $VMName -KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Enable-VMTPM -VMName $VMName
Start-VM -Name $VMName
The VM is now shielded. Within the VM, the TPM would be enabled and BitLocker