Keeping a Windows VM secure

Use FileVault 2 for full disk encryption (Lion and Mountain Lion). The VM's virtual disk image is just a regular file, like any other, and it will be encrypted along with everything else. Easy.

 

This may sound obvious but if confidential information really shouldn't get lost or seen by third parties then don't store it on a portable computer or use a cloud service for its storage in the first place. And don't connect your system containing the confidential information to the internet either. A stand-alone system not connected to the internet using 256-bit encryption for each individual confidential file using different password for each individual confidential file could work out but may be cumbersome in practice. I'd start with a proper indemnification from your clients to you should any of the condifential information provided to you by your clients get disclosed unauthorized.

I've read the article you referred to and (fortunately) there's a lot more to it then cracking any Truecrypt/FileVault/Bitlocker encrypted drive within 40 minutes. Apple should respond though as it may certainly harm its reputation.

 

That exploit is not unique to FileVault 2. If the volume is unlocked (you're logged in), and the computer is on or sleeping when the laptop is stolen, then it's a possible risk if stolen by someone who truly cares about the data. It would have to be a targeted theft or court order. Otherwise no one would go to the trouble of buying such expensive software. So before your laptop gets stolen, make sure you shut it down. Simple.

And if it's not that simple, and the data is that sensitive, it shouldn't be out in the open. One solution for that is centralized storage and encrypted network connection (VPN) to get access to the data, with a time out for the VPN connection.

 

Arguably you still need something like FileVault 2 because presumably you'll copy some of these files locally to work on, then push them back up to the server. And possibly you have confidential emails discussing confidential information: although that could also necessitate encrypting the email contents themselves, not merely how they're stored (incidentally) on your hard drive, in order to protect the contents through transmission to destination and ensure only an authorized person has the key to decrypt: i.e. public key encryption such as GPGTools, which integrates with Apple Mail.

The server itself should be spec'd for encrypted storage as well. There are two ways of doing this: disk firmware based encryption where the drive itself does the encryption, which is a feature found in specific models of enterprise class drives; and the other is software encryption. File Vault 2 is a Mac OS implementation example, for linux based NAS's which are quite common this is dmcrypt/LUKS. And both use a kind of AES encryption that modern CPUs have AES-NI instructions to accelerate. So even though it's done in software, there's CPU support specifically for encryption to make the performance penalty really next to nothing.

So for a small business it's entirely reasonable to use commodity disks, and software disk encryption, rather than go to the level of acquiring enterprise disks.

This is not merely to protect in the event the drives are stolen, but if the drives fail under warranty. You're entitled to an exchange but you can't drill a hole in those disks, but if the drive has failed how do you secure the data? Well, if it's encrypted, in effect it doesn't matter. You can turn over the encrypted disk and everything on it looks like random data.

 

I would go with FileVault 2 as a start. Also, look into getting PGP encryption for windows, which requires a pre-boot password as well as the Windows login password. This should be good enough for "due diligence" when it comes to security.

Now, make sure you have a strong MacBook Air password, too, and set it to prompt you for that password every time you wake from sleep. If you use cloud storage, use a VPN so that even that data is encrypted while in transit.

Edit: If you really want to go overboard, use disk utility to create an encrypted disk image to store you VM of Windows, too. Nothing is 100% secure, but if you do all of this, you should be able to sleep well at night.

 

Apple fixed this bug in OS X 10.7.2 and higher:
http://support.apple.com/kb/HT5002

See also:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3215