+- Backup Education (https://backup.education)
+-- Forum: Hyper-V (https://backup.education/forumdisplay.php?fid=8)
+--- Forum: Questions XI (https://backup.education/forumdisplay.php?fid=24)
+--- Thread: How can you set up shielded VMs with a Host Guardian Service? (/showthread.php?tid=1151)
How can you set up shielded VMs with a Host Guardian Service? - savas - 12-03-2021
Setting up shielded VMs with a Host Guardian Service (HGS) might sound a bit daunting at first, but once you get the hang of it, it’s pretty straightforward. First things first, you need to make sure you have the right environment. You’re going to work with Windows Server 2016 or later because that’s what supports shielded VMs and HGS.
Once your base is set, you need to configure the HGS. Picture HGS as the gatekeeper; it’s responsible for ensuring that only trusted VM workloads are running. To start, you would need to install the HGS role on a dedicated server. This server can be either a physical machine or a VM, but it’s best to keep it isolated for security reasons. After you install the role, there’s a bit of configuration involved. You’ll set up the HGS to use either a certificate or Active Directory. Honestly, using certificates can simplify things if you're comfortable with them, as they help manage trust relationships.
Next, you'll want to register the HGS with your hypervisor. This involves configuring the Hyper-V settings to point to the HGS. You can do this through PowerShell, which is often faster and can save you some clicks. By running specific commands, you’ll be associating your hypervisor with your newly set up HGS, telling it to trust the VMs that get their cryptographic keys from your HGS.
Now, once the infrastructure is in place, we can start creating the actual shielded VMs. When you set up a VM, there's an option for it to be shielded. You'll want to specify that during the creation process. Here’s where it gets interesting: when you create a shielded VM, you need a few things on hand. You’ll have to create a security policy that defines the VM's security requirements. This policy can dictate things like which virtual network it can connect to and the type of encryption needed.
After that, you’ll generate a key for the VM, which will be stored securely in the HGS. This key is crucial because it allows your shielded VM to boot and function in a secure manner without the risk of unauthorized access. Everything here revolves around ensuring that, even if someone were to gain access to the VM files, they wouldn’t be able to decrypt or compromise them without the right keys.
When it comes time to deploy your shielded VM, just drop it in the Hyper-V environment as you would with any conventional VM. However, keep in mind that you cannot access the shielded VM using standard methods like Remote Desktop Protocol (RDP) since that's a no-go for security purposes. Instead, you would use a runtime access tool that allows you to interact with the VM while keeping security tight. This part can take a moment to get used to, but once you have it set up, it makes perfect sense.
Throughout this process, don’t forget about the maintenance side of things. You’ll want to regularly check on your HGS and ensure that its keys, updates, and configurations are all in line with best practices. This is essential to maintain a solid security posture and to ensure that your shielded VMs continue to operate without a hitch.
In the end, while it might require a bit of upfront work to set everything up, managing shielded VMs with HGS is a powerful way to protect sensitive workloads. Plus, it’s a cool project to tackle and definitely adds a solid feather to your IT cap!
I hope my post was useful. Are you new to Hyper-V and do you have a good Hyper-V backup solution? See my other post