This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-users] Vm Encrypted

To: "Rudi Ahlers" <Rudi@xxxxxxxxxxx>
Subject: RE: [Xen-users] Vm Encrypted
From: "James Dingwall" <james.dingwall@xxxxxxxxxx>
Date: Fri, 23 May 2008 18:57:54 +0100
Cc: Michael Lessard <michael.lessard@xxxxxxxxx>, Xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 23 May 2008 10:58:30 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <4836E4B6.3020405@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <c5530b840805221206v576a6861xb0a2e0809ab2e6e5@xxxxxxxxxxxxxx> <683099EDC3E36D40942EBF636EB88BF004E479F1@xxxxxxxxxxxxxxxxxxxxxxxx> <4836E4B6.3020405@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Aci86vddP6zBg2zFSKKHOIOOoDuPvQAEu28A
Thread-topic: [Xen-users] Vm Encrypted
James Dingwall wrote:
>>> Is it possible to encrypt a VM ? 
>> Is it just the disk you want to encrypt?  That should be no problem
>> you would need to decide if you want to do it in dom0 or the domU.
>> you do it in the dom0 then it would have an advantage of working with
>> operating systems (if you do hvm) that don't support disk encryption
>> natively.  You probably want to look at dm-crypt
>> http://www.saout.de/tikiwiki/tiki-index.php or similar.
>> James
>If one encrypts a VM, would you need to supply the decryption key 
>everytime the server reboots in order to get the VM working again?

If you encrypt at dom0 level then you would only need to supply the key
at dom0 boot.  The fact that the block device is encrypted would be
totally transparent to the domU.  If you are suggesting not having to
supply the key when the dom0 boots then what are you looking to guard
against?  I think dm-crypt can grab a decryption key from external
devices, e.g. a usb key but that would still need to be plugged in to
the server.


This message and the information contained herein is proprietary and 
confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>