How can I protect my virtual environments?
Virtual machine (VM) technology can be used for cost efficient and flexible processing in both on-premises and cloud environments. However, as VMs have become more popular, the chances of these being weaponized against users has increased.
In a typical data centre, there will often be around 25-30 VMs present on a single host. VMs will have access to a host computer’s files and data. To avoid the risk of detection or the activation of antivirus software, attackers are increasingly hiding ransomware payloads within virtual machines (VMs) when encrypting files on a host computer, with the aim to steal and exploit masses of data once the device boots up.
Having measures in place which focus on the security of virtual environments is essential. Without a vTPM, data centers and other ‘host’ environments cannot access the same security capabilities achieved in physical devices.
What is a vTPM?
A vTPM is a software-based representation of a traditional TPM 2.0 chip. It carries out the same hardware-based security functions a TPM, for example, attestation, key and random number generation – without the physical chip being required.
When would I need to use a vTPM?
A vTPM is especially useful when running a VM, a compute resource that executes programs and applications on software rather than a physical computer.
VMs give users the ability to satisfy varying levels of processing power requirements, overcome interoperability and enable the use of different operating systems and allow for the testing of applications within a safer, external environment. When looking to use a VM, the vTPM allows you to assess whether malicious activity has taken place and only run the boot process once validation checks have been successfully completed.
What sort of devices does a vTPM protect?
Unlike the TPM, the vTPM focuses less on the ‘host’ device itself, but rather the virtual environments being operated on it. A number of virtual ‘guest’ machines are able to run on a single ‘host’ machine, with each able to run its own operating system regardless of the rest. For these virtual machines, the vTPM operates as a TPM 2.0 virtual crypto coprocessor.
How does a vTPM work?
A vTPM emulates the secure storage capabilities of a TPM and executes these cryptographic operations within the software.
Once added to your virtual machine, the vTPM empowers the guest operating system to generate and store private keys to enhance the available security measures. Similar to the device-based TPM, any keys created are isolated from the system, reducing the risk of being compromized during an attack. The vTPM receives key information from a certificate authority (CA), which works exactly the encryption key (EK) found on a physical TPM.
The keys created by the vTPM will then only be used by the operating system for encryption and signing purposes, enabling you to remotely validate the identity and trustworthiness of your virtual machine. It will also verify the software run within it. Whether you have a new or an existing virtual machine, a vTPM can be integrated at any point to enhance your security measures. The vTPM leverages the security of the virtualization environment with the same isolation boundary hypervisor.
Where is a vTPM being used today?
Click here for details on an example of a vTPM implementation from Google.
Where can I find more information on a vTPM?
Interested in an overview of the solutions for other devices? See What is a Root of Trust?
Interested in a solution that secures physical devices? See TPM.
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.