SRE-V Forums


RE: New Message from Jay Childs in Service Ready Engine Virtualization - Te

I have been experimenting with encrypting the guest OS on SRE via BitLocker. To do this, it is necessary to eliminate BitLocker's TPM (Trusted Platform Module) chip requirement via Windows group policy settings and use a storage-media based encryption key. So far I have been able to implement BitLocker by storing an encryption key on a small non-encrypted HDD partition in the guest OS, as well as via a floppy drive image stored in the hypervisor's data store.

My question is - is there a TPM chip on the SRE module at all? If not, would it be possible to use something like a Cisco R200-TPM-1 module to impart TPM functionality to the SRE module?

On a related issue, another alternative for BitLocker is to use a USB memory stick to supply the encrypted OS with the required key. I have been able to get my guest OS to see a USB memory stick, but it does not appear that the USB drivers are loaded early enough in the VM boot process to allow the use of USB memory for the BitLocker key. Is there a way to force the USB driver to load earlier so that the VM can use this for the OS startup encryption key?

Hi Jay,

There is no TPM chip on or available as an add-on for the SRE module.
The Cisco R200-TPM-1 module works only with the UCS C Series Rackmount
Servers. It will not work with the SRE modules.

We can do some investigation if there is a way to mount the USB drive
earlier in the boot process. So far I haven't come across any
documentation on how to do this, but we'll look into it and get back to
you.

Best Regards,

John

________________________________

From: Cisco Developer Community Forums
[mailto:cdicuser@developer.cisco.com]
Sent: Thursday, May 05, 2011 6:58 AM
To: cdicuser@developer.cisco.com
Subject: New Message from Jay Childs in Service Ready Engine
Virtualization - Technical Questions: TPM for VM Encryption


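The TPM-less BitLocker setup discussed in this thread, as an added example that is not part of the original posts or of any Cisco documentation: it sets the local registry equivalent of the group policy that allows BitLocker without a TPM, enables encryption with a startup key plus a recovery password, and lists the resulting protectors for review. The drive letters `C:` and `E:` are assumptions; run it from an elevated PowerShell session inside the guest OS.

```powershell
# Added example. Drive letters below are assumptions, adjust to the guest's layout.
$osVolume = 'C:'     # assumed: the guest OS volume to encrypt
$keyMedia = 'E:\'    # assumed: volume that will hold the startup key (.BEK file)

# 1. Local equivalent of the Group Policy setting "Require additional
#    authentication at startup" with "Allow BitLocker without a compatible TPM".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) {
    New-Item -Path $fve -Force | Out-Null
}
New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 `
    -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 `
    -PropertyType DWord -Force | Out-Null

# 2. The startup key must live on a volume other than the one being encrypted,
#    otherwise it cannot be read at boot.
if ($keyMedia.TrimEnd('\') -ieq $osVolume) {
    throw "Startup key media ($keyMedia) must not be the OS volume ($osVolume)."
}
if (-not (Test-Path $keyMedia)) {
    throw "Startup key media $keyMedia is not mounted."
}

# 3. Turn BitLocker on with a startup key protector and a recovery password.
#    Record the recovery password somewhere outside the VM and its datastore.
manage-bde -on $osVolume -StartupKey $keyMedia -RecoveryPassword
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on failed with exit code $LASTEXITCODE."
}

# 4. Review what now protects the volume. With no TPM, expect an
#    "External Key" protector (the startup key) and a "Numerical Password"
#    protector (the recovery password).
manage-bde -protectors -get $osVolume
manage-bde -status $osVolume

# Note: a startup key stored on an unencrypted partition of the same virtual
# disk, or on a floppy image in the same datastore, is copied along with the
# encrypted volume whenever that disk or datastore is copied.
```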