Lack of FDE in Hypervisors -- problem?

As far as I can tell, ESXi and Proxmox do not support full-disk encryption of the hypervisor host. I keep reading that this isn’t an issue, but I don’t understand why, from the physical threat perspective. Let’s say I’m running ESXi. If someone were to take my ESXi boot drive, they could just replace a line in the shadow file to get root access. They could install malware, for example. The only thing that would prevent this would be perfect physical security or full disk encryption. Are there any hypervisors out there which support this? I’m aware that I could run my own Linux + virt-manager.

Laptops and phones are more stealable than desktops and servers - or at least that’s a common industry assumption. Generally people do assume some level of physical security for non-portable devices.

Personally, I keep my SSD LUKS encrypted but keep the key on a USB stick on my router. If/when the SSD in my router dies, there’s only the bootloader and kernel unencrypted… otherwise some TLS certs and keys for VPN-ing would be compromised by e.g. fixing the SSD somehow… and encryption helps me not have to think about that too much.

All my other machines’ disks need to be unlocked over SSH, or physically with a keyboard+screen… but also have the bootloader and kernel unencrypted.

Most remote file storage, incl. backups, is encrypted at the source (exceptions being Google Drive docs and sheets, various PDFs and Gmail).

In theory, secure boot via TPM would solve the bootloader and kernel stuff being injected offline… but I never got as far as actually configuring it for my router and file servers at home ☹


I don’t see the appeal of ESXi in a home setting, unless you also use it at work and want to cut down on how much stuff you need to learn.

For most businesses it’s easier to just invest in physical security. Also with secure boot and chassis intrusion it’s quite hard for someone to do unauthorised changes in software. If encryption is used, it’s probably in a SAN, performed inside the VMs themselves, or done on a dedicated hardware device.

If you want FDE the closest you’ll probably get is an encrypted ZFS dataset on Proxmox. You could also encrypt the root drive, since Proxmox is technically a standard Debian install, but there will be a bit of extra work there.

With regards to ESXi, secure boot will prevent anyone booting a modified image.

Personally I’m just running a Linux server with dracut-crypt-ssh for remote unlocking. Extra work, but it achieves what I want.

1 Like
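The post above points at encrypted ZFS datasets as the closest thing to FDE on Proxmox, where the root filesystem itself stays in the clear. The practical question for a defender is then: which guest disks are actually encrypted, and where does the key live? Below is an added audit script (not Proxmox or OpenZFS project code) that parses the tab-separated output of `zfs get -H -o name,property,value encryption,keylocation,keystatus` and flags two things: guest disks (Proxmox names them `vm-<id>-disk-<n>`, `base-<id>-disk-<n>` or `subvol-<id>-disk-<n>`) that are unencrypted, and encryption roots whose key is a `file://` path, because a keyfile kept on the unencrypted host root hands the key to whoever pulls the drive. The sample `zfs get` output is constructed for the example.

```python
"""Audit ZFS datasets on a Proxmox host for at-rest encryption.

Added example for this thread; not project code. Assumptions: Proxmox guest
dataset naming (vm-/base-/subvol- prefixes) and the column order of
`zfs get -H -o name,property,value`.
"""
import subprocess
from typing import Dict, List, Tuple

Props = Dict[str, Dict[str, str]]

# Constructed sample output of:
#   zfs get -H -o name,property,value encryption,keylocation,keystatus \
#       -t filesystem,volume
SAMPLE_ZFS_GET = """\
rpool\tencryption\toff
rpool\tkeylocation\tnone
rpool\tkeystatus\t-
rpool/data\tencryption\taes-256-gcm
rpool/data\tkeylocation\tprompt
rpool/data\tkeystatus\tavailable
rpool/data/vm-100-disk-0\tencryption\taes-256-gcm
rpool/data/vm-100-disk-0\tkeylocation\tnone
rpool/data/vm-100-disk-0\tkeystatus\tavailable
rpool/legacy/vm-200-disk-0\tencryption\toff
rpool/legacy/vm-200-disk-0\tkeylocation\tnone
rpool/legacy/vm-200-disk-0\tkeystatus\t-
rpool/data/keyfile-test\tencryption\taes-256-gcm
rpool/data/keyfile-test\tkeylocation\tfile:///etc/zfs/keys/data.key
rpool/data/keyfile-test\tkeystatus\tavailable
"""


def parse_zfs_get(output: str) -> Props:
    """Turn `zfs get -H -o name,property,value` lines into {dataset: {prop: value}}."""
    props: Props = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        props.setdefault(name, {})[prop] = value
    return props


def is_guest_dataset(name: str) -> bool:
    """True for datasets Proxmox uses as VM disks, templates or container volumes."""
    leaf = name.rsplit("/", 1)[-1]
    return leaf.startswith(("vm-", "base-", "subvol-"))


def audit(props: Props) -> List[Tuple[str, str]]:
    """Return (dataset, finding) pairs, sorted by dataset name."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(props):
        p = props[name]
        enc = p.get("encryption", "off")
        keyloc = p.get("keylocation", "none")
        # Child datasets inherit encryption from their root; keylocation is
        # "none" for them, so "off" here really means the data is in the clear.
        if is_guest_dataset(name) and enc == "off":
            findings.append((name, "guest disk is unencrypted; readable from a pulled drive"))
        # Only encryption roots carry a keylocation. A keyfile on the host's
        # own (unencrypted) root filesystem defeats the purpose of encrypting.
        if enc != "off" and keyloc.startswith("file://"):
            findings.append((name, f"key stored at {keyloc}; readable offline unless the host root is itself encrypted"))
    return findings


def audit_live() -> List[Tuple[str, str]]:
    """Run the audit against the local pool (requires the zfs CLI and privileges)."""
    out = subprocess.run(
        ["zfs", "get", "-H", "-o", "name,property,value",
         "encryption,keylocation,keystatus", "-t", "filesystem,volume"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_zfs_get(out))


if __name__ == "__main__":
    for dataset, message in audit(parse_zfs_get(SAMPLE_ZFS_GET)):
        print(f"{dataset}: {message}")
```

On the sample, `rpool/data/vm-100-disk-0` passes because it inherits `aes-256-gcm` from `rpool/data`, whose key is `prompt` (entered at boot, e.g. over an SSH unlock session), while the disk left under an unencrypted legacy dataset and the dataset unlocked from a keyfile on `/etc` are reported. `keystatus` is parsed but not judged; `unavailable` after boot just means nobody has loaded the key yet.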

I’ve been wondering about using Proxmox but installing on top of LUKS on Debian and using the standard Debian kernel w/ ZFS packages to allow for secure boot. Do you think that could work?

Yeah, but like why Proxmox and not just virsh in that case?

Is it just for the web UI?

Yeah, mostly for the web UI. I’d like to be able to manage it and interact with VMs from my laptop. I did try Proxmox with the vanilla kernel just now — seems like it will be too much of a headache. I am also considering Cockpit but have read that it isn’t ready (yet). Will prob try that and if it goes bad, just run virt-manager and a VNC client.

Doesn’t “modified image” not cover user space? For example, couldn’t someone theoretically inject malware into something like the web UI? I don’t believe secure boot would protect against that.

Most people running ESXi are running VMs off a SAN (or other network storage), and that’s where the disk encryption, if any, belongs.

If not, they’re likely running something like vSAN on top of it (i.e., the hypervisor presents a bunch of disks distributed across the cluster which are then RAIDed across to create distributed reliable storage on the cluster), which I’m not sure off the top of my head supports encryption or not.

People running ESXi aren’t normally doing it on individual hosts with single local disk datastores; you lose a massive amount of the features if you aren’t clustering with vSphere. It’s not how it is intended to be run, really.

So in that respect, VMware likely don’t consider it a problem - because it’s not how it is intended to operate.

Also, if someone has physical unsupervised access to your box - you’re fucked basically. This is why physical access to datacenters is restricted.

Agreed with @risk - ESXi at home doesn’t really make sense. Almost all the good things about ESXi come from clustering it with vCenter Server/vSphere - if you don’t have that (and it’s too expensive for home) you’re wasting your time with it mostly.

1 Like

Don’t forget disk disposal.

Throwing server disks out? If they’re encrypted no need to destroy/wipe/secure erase/etc. Which saves a bunch of time.

Technically that’s possible; it’s up to the operating system to sign and police userspace applications. At the very least everything up to the kernel is signed.

If a server has full disk encryption, it’s just as easy to install a bug in the system to record the decryption key. So FDE isn’t a magic bullet. FDE also won’t help you if there is a security issue in the web application that you’re running.

Personally I use encryption for one main reason - if my server is stolen then the thief can’t read my data. If I was running Proxmox then ZFS encryption of the VMs would fulfill my use case. The evil-maid attack is incredibly hard to defend against, so I don’t even try.

1 Like