Shielded VMs on Hyper-V: Advanced Security for Virtual Environments

Last update: 11/03/2025
Author Isaac
  • Shielded VMs add a further layer of protection for virtual machines running on Hyper-V.
  • Each shielded VM gets a virtual TPM, which lets BitLocker inside the guest encrypt its virtual disks.
  • The Host Guardian Service (HGS) attests guarded hosts and releases the keys a host needs to run a shielded VM only after that host passes attestation.
  • There are different attestation modes, chosen according to the available hardware and the security needs of the fabric.


Virtualization has transformed technology infrastructure, but it has also created new security concerns. With the increasing sophistication of cyberattacks, protecting virtualized environments has become a priority. In this context, Microsoft developed Shielded VMs for Hyper-V, a feature that strengthens the security of virtual machines through encryption and host attestation.

Microsoft's Shielded VMs for Hyper-V establish a secure environment for running virtual machines, protecting them from unauthorized access, even by the administrators of the virtualization fabric. How is this achieved? Through mechanisms such as disk encryption with BitLocker, a virtual TPM, and integration with the Host Guardian Service (HGS). In this article, we explore in detail how these technologies work and how they can be applied in enterprise infrastructures.

What are Shielded VMs in Hyper-V?


Microsoft's Shielded VMs are virtual machines with additional security measures designed to prevent unauthorized inspection and tampering. They were first introduced in Windows Server 2016 and have been refined in later versions of the operating system.

Traditionally, a virtual machine can be moved from one environment to another simply by copying its files. In an enterprise context this is a risk, since anyone with access to the virtualization host (or to its storage or backups) could copy a virtual machine and read its contents. Shielded VMs close this gap: the VM's disks and saved state are encrypted, and the keys needed to decrypt them are released only to hosts that HGS has verified, so a copied VM is unreadable anywhere else.

Key components of Shielded VMs

For Shielded VMs to function properly, the environment must provide certain security elements. These are the main components involved:

  • Virtual TPM: A software TPM exposed to the virtual machine; BitLocker inside the guest seals its disk keys to it, and the vTPM state itself is encrypted under the VM's key protector.
  • BitLocker: The encryption technology used inside the guest to protect the VM's virtual hard disks.
  • Host Guardian Service (HGS): The service that attests the health of the hosts and holds the keys that unlock shielded VMs.
  • Attestation: The process by which HGS verifies that a host is trustworthy and may run a shielded VM.

Host Guardian Service (HGS) and its attestation modes

The Host Guardian Service (HGS) is the central element of the Shielded VMs infrastructure. Its main function is to ensure that only trusted hosts can run protected virtual machines: its attestation service checks the host, and its key protection service releases the VM keys only to hosts that have passed that check.

To determine which hosts are safe, HGS uses different modes of attestation:

  • TPM-based attestation: Identifies the host by its TPM 2.0 and verifies its boot measurements and code integrity policy, so that only a host in a known-good state is trusted. This is the strongest mode and the one recommended for production.
  • Key trust (host key attestation): Identifies the host by a key pair whose public key is registered with HGS. It requires no TPM, but it does not verify the host's boot state, so it offers weaker assurance.
  • Active Directory-based attestation (deprecated): Trusts a host because of its membership in an Active Directory security group. Key trust replaces this mode.
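Registering hosts with HGS in the two supported modes, as an added example not taken from the original article or from Microsoft's documentation. It runs on the HGS server; the host names, file paths and policy names are assumptions, and the host-side commands that produce the input files are shown in comments. Note that HGS operates in one mode at a time: `Set-HgsServer` switches the whole service.

```powershell
# Added example: HGS-side registration for TPM-based and key-trust attestation.
# Host names, paths and policy names below are illustrative assumptions.

# --- TPM-based attestation --------------------------------------------------
# On each guarded host, export its TPM identifier first (run there as admin):
#   (Get-PlatformIdentifier -Name 'host01').InnerXml |
#       Out-File C:\temp\host01.xml -Encoding UTF8
Set-HgsServer -TrustTpm
Add-HgsAttestationTpmHost -Path 'C:\temp\host01.xml' -Name 'host01'

# A TPM-mode host must also boot with an approved code integrity policy and
# match a hardware baseline; both are captured from a reference host.
Add-HgsAttestationCIPolicy -Path 'C:\temp\HW1-CodeIntegrity.p7b' -Name 'HW1-CI-Policy'
Add-HgsAttestationTpmPolicy -Path 'C:\temp\HW1-Baseline.tcglog' -Name 'HW1-Baseline'

# --- Host key attestation (key trust) ----------------------------------------
# On each host: Set-HgsClientHostKey ; Get-HgsClientHostKey -Path C:\temp\host02.cer
# This mode needs no TPM, but it does not check the host's boot state.
# Set-HgsServer -TrustHostKey
# Add-HgsAttestationHostKey -Name 'host02' -Path 'C:\temp\host02.cer'

# Review what HGS currently trusts
Get-HgsAttestationTpmHost
Get-HgsAttestationCIPolicy
Get-HgsAttestationTpmPolicy
Get-HgsAttestationHostKey
```

In TPM mode every host also needs an HGS-approved code integrity policy and baseline; a host whose policy is changed (for example to load an unsigned driver) stops attesting and can no longer start shielded VMs, which is exactly the property the mode is meant to enforce.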

Shielded VM boot process

Powering on a Shielded VM involves a series of security checks that ensure only authorized hosts can run it. This is the general workflow:

  1. The host requests attestation from HGS, presenting its identity (TPM or host key) and, in TPM mode, its boot measurements and code integrity policy.
  2. HGS verifies the identity and state of the host and, if they match the registered policies, issues the host a short-lived health certificate.
  3. The host presents that certificate to the HGS key protection service, which releases the key that unwraps the VM's key protector, and with it the VM's virtual TPM state.
  4. The Shielded VM boots; BitLocker inside the guest unlocks the virtual disks against the virtual TPM, so the disks stay encrypted at rest.
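What the workflow above looks like from the host's side, as an added example that is not code from the original article: it points a Hyper-V host at HGS and reports whether the host passed attestation. The HGS address and the use of plain HTTP are assumptions.

```powershell
# Added example: configure a Hyper-V host as an HGS client and check attestation.
# The HGS FQDN is an assumption; replace it with the fabric's own service name.
$hgs = 'hgs.relecloud.com'

Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$hgs/Attestation" `
    -KeyProtectionServerUrl "http://$hgs/KeyProtection"

# IsHostGuarded is true only when the last attestation attempt succeeded.
$cfg = Get-HgsClientConfiguration
$cfg | Format-List IsHostGuarded, Mode, AttestationStatus, AttestationSubstatus

if (-not $cfg.IsHostGuarded) {
    # AttestationSubstatus names the failed check (for example a code integrity
    # policy that HGS has not approved); Get-HgsTrace collects the full picture.
    Write-Warning "Host is not guarded: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
    Get-HgsTrace -RunDiagnostics -Detailed
}
```

A host that shows `IsHostGuarded : False` can still run ordinary and encryption-supported VMs, but any attempt to start a shielded VM on it fails because the key protection service will not release the VM's keys.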

Types of protection for virtual machines

Hyper-V lets you configure three levels of protection for a virtual machine:

  • Normal virtual machine: No additional security measures.
  • Encryption supported: The VM has a virtual TPM, its disks can be encrypted with BitLocker, and its saved state and live migration traffic are encrypted. Fabric administrators, however, can still open the console and change the VM's settings.
  • Shielded virtual machine: All of the above, plus console access, PowerShell Direct, debuggers and other host-side paths into the VM are blocked, and a fabric administrator cannot turn the protection off.
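Moving an existing Generation 2 VM through these levels, as an added example rather than code from the original article: it builds a key protector that names the tenant as owner and the HGS-guarded fabric as the place the VM may run, enables the virtual TPM (the "encryption supported" level), then marks the VM as shielded. The VM name, guardian names and HGS address are assumptions; the guest-side BitLocker step is shown only as a comment because it runs inside the VM.

```powershell
# Added example: encryption-supported -> shielded for an existing Gen 2 VM.
# Run on a guarded Hyper-V host. Names and the HGS address are assumptions.
$vmName = 'app01'
$hgs    = 'hgs.relecloud.com'

# 1. The fabric guardian is the HGS key protection service's public metadata.
if (-not (Get-HgsGuardian -Name 'RelecloudFabric' -ErrorAction SilentlyContinue)) {
    Invoke-WebRequest "http://$hgs/KeyProtection/service/metadata/2014-07/metadata.xml" `
        -OutFile "$env:TEMP\hgs-metadata.xml"
    Import-HgsGuardian -Path "$env:TEMP\hgs-metadata.xml" -Name 'RelecloudFabric' -AllowUntrustedRoot
}
$fabric = Get-HgsGuardian -Name 'RelecloudFabric'

# 2. The owner guardian holds the tenant's own certificates; the owner can
#    always unlock the VM, independently of any fabric. Generate once, keep safe.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }

# 3. Key protector = owner + the fabrics allowed to run the VM.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# 4. Attach it and enable the virtual TPM: this is the "encryption supported" level.
Stop-VM -Name $vmName -Force
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName
# Inside the guest, seal the OS disk to the vTPM, e.g.:
#   Enable-BitLocker -MountPoint 'C:' -TpmProtector

# 5. Promote to shielded: console, PowerShell Direct and debugging paths are cut.
Set-VMSecurityPolicy -VMName $vmName -Shielded $true
Get-VMSecurity -VMName $vmName |
    Format-List Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
```

The order matters: the key protector must be in place before the virtual TPM is enabled, and the VM cannot be marked shielded without a virtual TPM. Once `Shielded` is `True`, a fabric administrator who tries to open the VM's console or to set `-Shielded $false` from the host is refused; only the owner, from a machine holding the owner guardian's private keys, can change the key protector.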

Requirements for deploying Shielded VMs

Before implementing Shielded VMs in a production environment, it is important to meet certain requirements:

  • The host must run Windows Server 2016 or a later version.
  • Virtual machines must be Generation 2 (UEFI firmware, which is what the virtual TPM and Secure Boot require).
  • HGS must be deployed and operational, and each host must have been registered with it in the chosen attestation mode.

Advantages of using Shielded VMs

Using Shielded VMs offers significant benefits in terms of security and regulatory compliance:

  • Protection against unauthorized access, including by host administrators.
  • Full encryption of data and virtual disks.
  • Host validation to prevent running VMs in compromised environments.

Microsoft's Shielded VMs represent a real advance in the security of virtualized environments: they prevent unauthorized tampering and ensure that protected VMs run only on trusted hosts. Thanks to encryption with BitLocker, the virtual TPM and host validation through the Host Guardian Service, this technology is a solid option for protecting critical workloads in private clouds and enterprise virtualization. Adopting it can make a real difference to data security and to the prevention of attacks in virtualized environments.
