Keeping a Windows VM secure

[laserbeam273]

I'm looking to start up a business, and the bulk of the work will require Windows so I'll need to set up a VM on a mac. This VM would contain private client data that I can't risk losing (as in getting into someone else's hands - setting up a good backup system isn't hard). The data is for investment funds and includes trading history, so when I say "can't risk losing", I really mean it.

Originally I was thinking of getting a Mini to keep at home, which would store all the info, but I realised that I could just store the data on a hard drive and plug in my MBA.

But now I'm wondering if there's any way that I could have access to all the required files when I'm out with my MBA, but if someone were to steal my MBA and know what's on it, they still wouldn't be able to get to it. So I guess that leaves two options:
1. Files are purely "on the cloud", I download when I need them then upload changes, delete local copies. Access is strongly password-protected.
2. Files are all on my MBA, but are very strongly encrypted.

The volume of the data isn't much - maybe a dozen GB at first, but I'd be willing to pay a fair bit for a secure set up.

And just a reminder, the data is for Windows-based files.

Any suggestions?

 

[murphychris]

Use FileVault 2 for full disk encryption (Lion and Mountain Lion). The VM's virtual disk image is just a regular file, like any other, and it will be encrypted along with everything else. Easy.

 

[laserbeam273]

Use FileVault 2 for full disk encryption (Lion and Mountain Lion). The VM's virtual disk image is just a regular file, like any other, and it will be encrypted along with everything else. Easy.

I just had a quick search, and a company by the name of Passware supposedly has software that can break it in 40 minutes by finding the encryption key:

http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/

 

[Lounge Deluxe]

I just had a quick search, and a company by the name of Passware supposedly has software that can break it in 40 minutes by finding the encryption key:

http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/

This may sound obvious but if confidential information really shouldn't get lost or seen by third parties then don't store it on a portable computer or use a cloud service for its storage in the first place. And don't connect your system containing the confidential information to the internet either. A stand-alone system not connected to the internet using 256-bit encryption for each individual confidential file using different password for each individual confidential file could work out but may be cumbersome in practice. I'd start with a proper indemnification from your clients to you should any of the condifential information provided to you by your clients get disclosed unauthorized.

I've read the article you referred to and (fortunately) there's a lot more to it then cracking any Truecrypt/FileVault/Bitlocker encrypted drive within 40 minutes. Apple should respond though as it may certainly harm its reputation.

 

[murphychris]

I just had a quick search, and a company by the name of Passware supposedly has software that can break it in 40 minutes by finding the encryption key

That exploit is not unique to FileVault 2. If the volume is unlocked (you're logged in), and the computer is on or sleeping when the laptop is stolen, then it's a possible risk if stolen by someone who truly cares about the data. It would have to be a targeted theft or court order. Otherwise no one would go to the trouble of buying such expensive software. So before your laptop gets stolen, make sure you shut it down. Simple.

And if it's not that simple, and the data is that sensitive, it shouldn't be out in the open. One solution for that is centralized storage and encrypted network connection (VPN) to get access to the data, with a time out for the VPN connection.

 

[laserbeam273]

One solution for that is centralized storage and encrypted network connection (VPN) to get access to the data, with a time out for the VPN connection.

Ah something like that is the answer I was looking for! Ok awesome, I'll look into that. Thanks.

 

[murphychris]

Ah something like that is the answer I was looking for! Ok awesome, I'll look into that. Thanks.

Arguably you still need something like FileVault 2 because presumably you'll copy some of these files locally to work on, then push them back up to the server. And possibly you have confidential emails discussing confidential information: although that could also necessitate encrypting the email contents themselves, not merely how they're stored (incidentally) on your hard drive, in order to protect the contents through transmission to destination and ensure only an authorized person has the key to decrypt: i.e. public key encryption such as GPGTools, which integrates with Apple Mail.

The server itself should be spec'd for encrypted storage as well. There are two ways of doing this: disk firmware based encryption where the drive itself does the encryption, which is a feature found in specific models of enterprise class drives; and the other is software encryption. File Vault 2 is a Mac OS implementation example, for linux based NAS's which are quite common this is dmcrypt/LUKS. And both use a kind of AES encryption that modern CPUs have AES-NI instructions to accelerate. So even though it's done in software, there's CPU support specifically for encryption to make the performance penalty really next to nothing.

So for a small business it's entirely reasonable to use commodity disks, and software disk encryption, rather than go to the level of acquiring enterprise disks.

This is not merely to protect in the event the drives are stolen, but if the drives fail under warranty. You're entitled to an exchange but you can't drill a hole in those disks, but if the drive has failed how do you secure the data? Well, if it's encrypted, in effect it doesn't matter. You can turn over the encrypted disk and everything on it looks like random data.

 

[laserbeam273]

Arguably you still need something like FileVault 2 because presumably you'll copy some of these files locally to work on, then push them back up to the server. And possibly you have confidential emails discussing confidential information: although that could also necessitate encrypting the email contents themselves, not merely how they're stored (incidentally) on your hard drive, in order to protect the contents through transmission to destination and ensure only an authorized person has the key to decrypt: i.e. public key encryption such as GPGTools, which integrates with Apple Mail.

The server itself should be spec'd for encrypted storage as well. There are two ways of doing this: disk firmware based encryption where the drive itself does the encryption, which is a feature found in specific models of enterprise class drives; and the other is software encryption. File Vault 2 is a Mac OS implementation example, for linux based NAS's which are quite common this is dmcrypt/LUKS. And both use a kind of AES encryption that modern CPUs have AES-NI instructions to accelerate. So even though it's done in software, there's CPU support specifically for encryption to make the performance penalty really next to nothing.

So for a small business it's entirely reasonable to use commodity disks, and software disk encryption, rather than go to the level of acquiring enterprise disks.

This is not merely to protect in the event the drives are stolen, but if the drives fail under warranty. You're entitled to an exchange but you can't drill a hole in those disks, but if the drive has failed how do you secure the data? Well, if it's encrypted, in effect it doesn't matter. You can turn over the encrypted disk and everything on it looks like random data.

Sorry for the late reply. But wow, you know your stuff. I'll have to think this all through, but you're right - encrypting my drive will still be necessary even if I have them locally only temporarily. This sounds like a good security challenge!

 

[WesCole]

I would go with FileVault 2 as a start. Also, look into getting PGP encryption for windows, which requires a pre-boot password as well as the Windows login password. This should be good enough for "due diligence" when it comes to security.

Now, make sure you have a strong MacBook Air password, too, and set it to prompt you for that password every time you wake from sleep. If you use cloud storage, use a VPN so that even that data is encrypted while in transit.

Edit: If you really want to go overboard, use disk utility to create an encrypted disk image to store you VM of Windows, too. Nothing is 100% secure, but if you do all of this, you should be able to sleep well at night.

 

[laserbeam273]

I would go with FileVault 2 as a start. Also, look into getting PGP encryption for windows, which requires a pre-boot password as well as the Windows login password. This should be good enough for "due diligence" when it comes to security.

Now, make sure you have a strong MacBook Air password, too, and set it to prompt you for that password every time you wake from sleep. If you use cloud storage, use a VPN so that even that data is encrypted while in transit.

Edit: If you really want to go overboard, use disk utility to create an encrypted disk image to store you VM of Windows, too. Nothing is 100% secure, but if you do all of this, you should be able to sleep well at night.

Yeah I think that's how it's looking to be. Would be cool to have such a heavily secured MBA that not even decent hackers would be able to break into it (I say that quite hesitantly - hackers seem to be able to break through anything these days). All those layers of passwords should leave it to be quite secure.

I think SpiderOak could also play an important part in all this. It's so secure that if you forget your password, you're stuffed. And if the government requires access to the files, it's physically impossible unless you give them the password. Not bad.

One other point that I thought I should post - as of 10.7.2, supposedly the "FireVault" exploit no longer works as long as you're logged off. See here: http://ilostmynotes.blogspot.co.uk/2012/01/firewire-and-dma-attacks-on-os-x.html

So to summarise the possible setup:
1. MBA is password locked and will log off when I'm not near it
2. MBA harddrive is encrypted with FileVault 2
3. MBA harddrive is encrypted with PGP (double encryption, wow)
3a. Maybe an encrypted disk image for the below?
4. A SpiderOak-synced folder is set up (possibly password-restricted just for kicks), whether this is my only backup is debatable
5. Inside folder is a Windows VM, log in required
6. Inside Windows VM is crucial data, no internet access permitted

That sounds quite solid! Of course the following practices should be followed:
1. Use it only for work, i.e. no games and minimal browsing, and no "let's see if this random software could be good"
2. Close windows and log off when I'm not using it

I think that should do.

 

[Mr. Retrofire]

I just had a quick search, and a company by the name of Passware supposedly has software that can break it in 40 minutes by finding the encryption key:

http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/

Apple fixed this bug in OS X 10.7.2 and higher:
http://support.apple.com/kb/HT5002

See also:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3215