Engine Disks and Encryption XenClient Enterprise 4.5 Engine Disks and Encryption
Table of Contents Engine Disks and Encryption Engine Disk Sizing Page 1 Table of Contents Page 2 Disk Encryption Overview Page 3 Disks, Partitions, Volume Groups, and Volumes Page 4 Logical Volume Summary Page 5 Why is not the Boot Volume Encrypted? Page 6 Encrypted vs. Unencrypted Installation Page 7 Checking Computer Encryption Status Page 8 Engine Disk Sizing Page 9 How Many Bytes In a Gigabyte? Page 10 Engine Disk Sizing Calculations Page 11 Disk Sizing Example Page 12 Encrypted Boot Sequence Page 13 Before Computer Startup Page 14 Encryption Unlock Screen Page 15 User Enters Unlock Password Page 16 Repository Volume Unlock Page 17 Boot Process Complete Page 18 Encryption Setup and Passwords Page 19 Encryption Setup Page 20 Password Validation After Encryption Unlock Page 21 Resetting Encryption Passwords Page 22 User Prompt To Change Encryption Password Page 23 Unlock Password vs. Active Directory Password Page 24 Encryption and Networking Page 25 Synchronizer Unlock Code Page 26 Encryption Lockout Page 27 Computer Storage Report Page 28 Page 29 Computer Storage Report Results Page 30 Total Space Page 31 Engine Space Page 32 Virtual Machines Space Page 33 Virtual Machine Space Used Page 34 Additional Virtual Machine Space Required for Growth Page 35 Summary Results Page 36 Example of VHD Growth With 30 GB Local Disk Page 37
Disk Encryption Overview Disk Encryption Features Resources are protected at the logical volume layer. All Virtual Machine (VM) disks, engine configuration data, and log files. Encryption remains intact if the disk is removed from the computer. Easy to configure and manage Encrypted computers. Encryption is an install-time option, no further configuration required. Encryption does not impact management operations in Synchronizer. Minimal impact to end-users. No understanding or awareness of encryption is required. Minimal impact on overall VM performance for most typical use cases. Encryption Standards and Technologies AES 256-bit encryption (specifically, AES-CBC-ESSIV with SHA256 hash). Uses standard Linux modules (dm-crypt, lvm2, LUKS, etc). What is not Supported Yet Integration with Intel vPro trusted boot features (TXT/TPM). Smart cards or two-factor authentication to unlock encryption. These are features under consideration for a future release.
Disks, Partitions, Volume Groups, and Volumes Hard Disk Partitions Volume Group Logical Volumes Boot Volume (primary) Boot Volume (secondary) Root Volume (primary) Root Volume (secondary) Swap Space Volume Log Volume Engine Repository Volume XCE Engine only supports a single hard drive per computer. Up to 4 primary partitions. XCE Engine only uses one partition. Others might be used to dual-boot another operating system. The partition containing the Engine installation is configured into a LVM Logical Volume Group. Several logical volumes are created within the group containing different parts of the XCE Engine installation.
Logical Volume Summary Encrypted* Size Description Primary Boot No 128 MB Boot volume for the current version of XCE Engine. Secondary Boot Boot volume for the previous version of XCE Engine. Primary Root Yes 2048 MB Contains the dom0 root file system for the current version of XCE Engine. Secondary Root Contains the dom0 root file system for the previous version of XCE Engine. Swap 512 MB Swap space. Log Used to store log files. Repository Balance of Volume Group This volume uses most of the disk space. Used to store: VHD files for all installed Virtual Machines (VMs) VHD files for the Connect VM Engine update kits downloaded from Synchronizer Engine diagnostics and problem reports *If the disk encryption option is chosen during Engine installation.
Why is not the Boot Volume Encrypted? Boot Volume Does Not Require Encryption Boot volume does not contain any data that requires encryption. All sensitive data is stored in encrypted volumes. Contents of boot volume cannot be used to unlock encrypted volumes. Engine Cannot Boot Encrypted Partitions Booting from encrypted volumes is not currently supported. This is an area of investigation for a future release.
Encrypted vs. Unencrypted Installation Encryption status is set when Engine is installed. Cannot change encryption status after installation. Enabling or disabling encryption requires a full Engine reinstall.
Checking Computer Encryption Status In the Engine Control Panel Start the Engine control panel. Select the “Tools by Category” view. Start the “System Summary” applet. The encryption status appears in the Hardware section. In the Synchronizer Console Locate the computer in the navigation panel. Select the “Summary” tab. The encryption status appears in the General section. After Rebooting a Computer If the Engine asks for a username and password, then encryption is not enabled. If the Engine only asks for a password, then encryption is enabled.
Engine Disk Sizing
How Many Bytes In a Gigabyte? Disk Manufacturers 1 GB = 1,000,000,000 (109) bytes Windows 1 GB = 1,073,741,824 (230) bytes XenClient Enterprise uses the Windows standard. The difference is about 7%. Must account for this difference when sizing hard drives. Might be significant for smaller drives (especially SSDs).
Engine Disk Sizing Calculations This is a rough calculation designed to give a conservative estimate of the required computer disk space, based on the VMs that will be installed. Start with 10 GB to account for disk space used by the Engine. For each VM deployed from Synchronizer: Add the size of the system disk multiplied by 2.0. Add the size of the user disk multiplied by 1.5. Add the size of the local disk. For each VM installed locally on Engine: Add the size of the system disk. Add 10 GB if the Dock is enabled in the Engine policy. Multiply the result by 1.07. This calculation is designed to give a conservative answer that should minimize the risk of disk over-subscription under most circumstances. Actual disk space requirements might be significantly less, but can be difficult to predict.
Disk Sizing Example Engine 10 GB Dock (enabled in Engine policy) Windows XP VM (deployed from Synchronizer) 16 GB system disk (x2.0) 8 GB user disk (x1.5) 4 GB local disk 48 GB Windows 7 VM (deployed from Synchronizer) 40 GB system disk (x2.0) 10 GB user disk (x1.5) 20 GB local disk 115 GB Windows 2008 Server VM (local) 50 GB system disk No user or local disk 50 GB Subtotal 233 GB Total (add 7%) 249 GB For this configuration, a 250 GB disk (or larger) is recommended. This is a conservative figure designed to minimize the risk of disk over-subscription.
Encrypted Boot Sequence
Before Computer Startup Computer Status Engine installed, encryption configured, but computer powered off. Encrypted volumes remain locked when the computer is powered off, or if the disk is removed from the computer. Networking Status No networking (computer is powered off). Root Volume Boot Volume Repository Boot Volume Status Unlocked. The boot volume is always unlocked. There is no requirement to lock this volume. Root Volume Status Locked. The root volume is locked with the user password. Repository Volume Status Locked. The repository volume is locked with a key stored in the root volume, which is locked with the user password.
Encryption Unlock Screen Password: Computer Status After power-on, computer boots up just enough so the Engine can accept a password from the user. Networking Status Disabled. Engine does not start networking until the computer is fully booted. Root Volume Boot Volume Repository Boot Volume Status Unlocked. Root Volume Status Locked. The root volume cannot be unlocked until the user provides the password. Repository Volume Status Locked.
User Enters Unlock Password mypassword Computer Status User enters the password. Engine uses the password to unlock the root volume. Networking Status Still disabled. Checking the password with Synchronizer or Active Directory is not necessary or possible. If the password can be used to unlock the root volume then it must be correct. Boot Volume Repository Root Volume Boot Volume Status Unlocked. Root Volume Status Unlocked. Encryption is unlocked with the password provided by the user. Repository Volume Status Locked. This volume is not locked with the user’s password. It gets unlocked in the next boot phase.
Repository Volume Unlock Computer Status After unlocking the root volume, Engine reads a key from the root partition and uses the key to unlock the repository volume. The repository volume is not encrypted with the user password. Networking Status Still disabled. Networking is not enabled until Engine is fully booted. Boot Volume Root Volume Repository Boot Volume Status Unlocked. Root Volume Status Unlocked. Engine reads the repository key from the unlocked volume. Repository Volume Status Unlocked. Engine uses the repository key to unlock the repository volume.
Boot Process Complete Computer Status Fully booted. User might start VMs or access the Engine control panel. Engine can communicate with and be managed by the Synchronizer. Networking Status Enabled. Networking becomes available when the Engine boot process is complete. Boot Volume Root Volume Repository Boot Volume Status Unlocked. Root Volume Status Repository Volume Status Unlocked. This volume contains VHD files for VMs which can now be started.
Encryption Setup and Passwords
Encryption Setup The following message is displayed when Engine sets up disk encryption. The encryption setup process should not be interrupted! Initial Encryption Setup Encryption is not initially setup when the Engine is installed. A password is required to setup encryption. Encryption setup is delayed: Until the computer is registered to Synchronizer. Or when a local password is set for unregistered computers. Subsequent Encryption Setup Encryption setup also happens when the user’s Active Directory password changes. This is to keep disk encryption in sync with Active Directory passwords.
Password Validation After Encryption Unlock Synchronizer password Engine AD Engine sends the encrypted password to Synchronizer for validation. For local users, Synchronizer can validate the password directly. For domain users, Synchronizer validates the password with Active Directory. Engine unlocks encryption and completes the boot process. Password is encrypted and cached in memory. User provides password to Engine. The Engine never communicates directly with Active Directory. Any operations that require Active Directory go through the Synchronizer.
Resetting Encryption Passwords If the encryption unlock password validation fails, the following process is used to synchronize the password between Engine and Synchronizer or Active Directory. New password is validated, password cache is updated, and encryption is setup with the new password. The user is prompted to enter a new password. Active Directory password validation fails. AD password INVALID Or validation of a local password fails at the Synchronizer. Synchronizer Engine clears the password cache. Engine At the end of this process, the AD password, the Engine password cache, and the encryption unlock password are all synchronized.
User Prompt To Change Encryption Password If the password validation process fails because of an invalid password: Engine will lock the computer screen. A message is displayed indicating the password has changed. User must enter credentials which are validated with Synchronizer. After validation, the new password is used to setup encryption. When the computer reboots, use the new password to unlock encryption.
Unlock Password vs. Active Directory Password Password for Encryption Unlock The password used to unlock encryption must be the same password that was last used to setup encryption. No other password will work. But an unlock code is available at the Synchronizer if the password is lost or forgotten. Encryption Password vs. Active Directory Password Usually the encryption unlock password will be the same as the Active Directory password for the registered user. But they can get out of sync. This usually happens when the Active Directory password changes while the Engine is offline. Current Password vs. Previous Password If the encryption unlock password gets out of sync with the Active Directory password, it might be necessary to provide the previous password to unlock encryption. If the previous password is lost or forgotten, use the unlock code from the Synchronizer.
Encryption and Networking Networking Status During Encrypted Boot During encrypted boot, networking is not available until after encryption is unlocked. Engine network configuration data is stored in the encrypted volumes, so it cannot be accessed until after the volumes are unlocked. Networking Status at Encryption Unlock Screen When the computer has booted to the encryption unlock screen, there is no networking available. The password provided by the user cannot be validated with Synchronizer or Active Directory until later in the boot process, after the encrypted volumes are unlocked. Password Validation for Encryption Unlock It is not necessary for the Engine to validate the unlock password with Synchronizer or Active Directory. If the password can be used to unlock the encrypted volumes, then it must be correct. Remote Access to Encrypted Computers If you are managing an encrypted computer with the VNC remote helpdesk feature, be careful about rebooting the computer. When the computer reboots, it will pause at the encryption unlock screen until the password is entered. There is no networking available at this stage so the VNC remote helpdesk feature cannot be used to connect to the computer and unlock encryption.
Synchronizer Unlock Code The Synchronizer stores an alternate key for each encrypted computer that can be used to unlock encryption on the computer if the user forgets the password, or if an administrator is required to unlock a computer and the user is not available. To request the unlock code from Synchronizer, select the computer in the navigation panel then click the “Unlock Code” action button. Only administrators with the “Super User” role should have access to this feature.
Encryption Lockout User has 4 attempts to unlock encryption. After the 4th unsuccessful unlock attempt: The computer will pause for 30 seconds. Then the computer will reboot. The unlock count is reset after reboot. The user is never permanently locked out.
Computer Storage Report
Computer Storage Report A summary of disk space and disk usage for a computer is available in the Synchronizer console. Select the computer in the navigation panel then click the “Storage” tab.
Computer Storage Report Results A sample computer storage report is shown below. This report only reflects VMs deployed from Synchronizer. Local VMs are not included in the report.
Total Space Equal to the size of the volume group containing the Engine logical volumes. Nearly equal to the size of the disk partition containing the Engine installation. Nearly equal to the entire disk size for installations using the entire disk.
Engine Space Amount of disk space currently being used (or reserved for future use) by the Engine. Including the Dock, but not including any other VMs. Usually around 10 GB. Could be larger if the Dock is used in a way that causes its VHD files to grow. For example, downloading files in the Chrome browser, or writing data to the Dock file share.
Virtual Machines Space About equal to “Total Space” minus “Engine Space”. Represents the total space available within the repository volume for VMs. Not including the Dock VHD files (they are part of Engine Space). Calculated as follows: Start with the total capacity of the repository volume, Then subtract about 1.5 GB reserved for use by the Engine, Then subtract the size of the Dock VHD files.
VM Space Used VM Space Used Actual amount of disk space currently being used by the disk within the repository volume. For disks with multiple VHD files, this is the total size of all VHD files for the disk. Percent of VM Space Used This is “VM Space Used” expressed as a percentage of “Virtual Machine Space”. These Numbers Might Be Larger Than Expected! Might be much larger than what the VM reports as space used within the virtual disk. Could even be larger than the logical size of the virtual disk. If this happens to a system disk: Synchronizer might have many versions of a VM image outstanding. Check to see if VM image versions can be rolled up. If this happens to a user disk: Engine might have pending backups that cannot be uploaded. Check for a network or storage issue that might be preventing backups.
Additional VM Space Required for Growth VHD files start out very small and grow as data is written into them. This column reflects the additional space that would be used if the VHD files were to grow to maximum size. These numbers are used to determine if the hard disk is over-subscribed or under-subscribed.
Summary Results Current amount of free disk space available for new VMs or VM growth. Total current size of all VHD files for all VMs. Total extra space that would be used if all VHD files grew to maximum size. Indication of whether the disk is over-subscribed or under-subscribed. Keep the disk under-subscribed to avoid running out of disk space because of VHD growth.
Example of VHD Growth With 30 GB Local Disk Initial VM Installation Local Disk Fills Up After Local Disk Cleanup The local disk in the Windows VM is almost completely empty. The user has written data to the local disk, causing it to fill up. After disk cleanup, Windows reports significant free space available. The VHD file has expanded to contain the data written to the local disk by the Windows VM. The VHD file is still large. VHD files start small, and grow as required to a maximum size, but never get smaller. The VHD file for the local disk begins much smaller than the 30 GB logical size. VHD files start small and grow as required. Disk space reporting in the VM is not a reliable indicator of how much disk space is actually being used for the VM within the Engine.