TPM for VM Encryption

Version 1
    This document was generated from CDN thread

    Created by: Jay Childs on 05-05-2011 09:57:34 AM
    I have been experimenting with encrypting the guest OS on SRE via BitLocker.  To do this, it is necessary to eliminate BitLocker's TPM (Trusted Platform Module) chip requirement via Windows group policy settings and use a storage-media based encryption key.  So far I have been able to implement BitLocker by storing an encryption key on a small non-encrypted HDD partition in the guest OS, as well as via a floppy drive image stored in the hypervisor's data store.

    My question is - is there a TPM chip on the SRE module at all?  If not, would it be possible to use something like a Cisco R200-TPM-1 module to impart TPM functionality to the SRE module?

    On a related issue, another alternative for BitLocker is to use a USB memory stick to supply the encrypted OS with the required key.  I have been able to get my guest OS to see a USB memory stick, but it does not appear that the USB drivers are loaded early enough in the VM boot process to allow the use of USB memory for the BitLocker key.  Is there a way to force the USB driver to load earlier so that the VM can use this for the OS startup encryption key?
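    As an added example (not part of Jay's post or of any Cisco documentation), the configuration Jay describes, done from an elevated PowerShell session inside the guest: check whether a TPM is visible to Windows, set the policy that lets BitLocker run without one, and protect the OS volume with a startup key written to removable media. It assumes the key medium (floppy image or USB stick) is mounted as F:; the drive letters and the recovery-password choice are assumptions.

```powershell
# Added example (not from the thread). Run elevated inside the guest VM.
# Assumption: F: is the removable volume that will hold the .BEK startup key.

# 1. Is there a TPM at all? Win32_Tpm returns nothing when no TPM is present.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) { Write-Host "TPM present, enabled: $($tpm.IsEnabled().IsEnabled)" }
else      { Write-Host "No TPM visible to the guest; using a startup key." }

# 2. Registry equivalent of the group policy
#    "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1   # enable the policy
    EnableBDEWithNoTPM = 1   # permit a startup key instead of a TPM
    UseTPM             = 2   # 2 = "Allow" (not "Require") for each TPM mode
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord `
                     -Value $policy[$name] -Force | Out-Null
}

# 3. Encrypt the OS volume. manage-bde writes the external key (.BEK) to F:\
#    and generates a numerical recovery password; record that password
#    somewhere that is NOT on the same virtual disk.
manage-bde -on C: -StartupKey F:\ -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. Verify: protectors should list "External Key" and "Numerical Password",
#    and status should show encryption in progress or complete.
manage-bde -protectors -get C:
manage-bde -status C:
```

    Because no TPM is involved, nothing measures the boot chain, and a startup key kept on an unencrypted partition of the same virtual disk travels with the VM image wherever it is copied; keeping the .BEK volume outside the image and restricting access to the datastore that holds it is what actually provides protection at rest.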

    Subject: RE: New Message from Jay Childs in Service Ready Engine Virtualization - Te
    Replied by: John Voss on 05-05-2011 10:56:22 PM
    Hi Jay,

    There is no TPM chip on or available as an add-on for the SRE module.
    The Cisco R200-TPM-1 module works only with the UCS C Series Rackmount
    Servers.  It will not work with the SRE modules.

    We can do some investigation if there is a way to mount the USB drive
    earlier in the boot process.  So far I haven't come across any
    documentation on how to do this, but we'll look into it and get back to
    you.

    Best Regards,

    John
