Using physical encrypted disk in a VMWare Server virtual machine?
January 18, 2009 9:11 AM Subscribe
VMWare Server 1.0.8 on Ubuntu Linux 8.10 Host: Is it possible to use an encrypted disk on the host machine as a physical disk for a virtual machine?
I can't find any information on doing this at all, save for this comment in the VMWare feature suggestion board. It was posted last year and leads me to believe this is not possible. The reason I'm still asking this question is because that info is 1 year old and surely somebody might know a workaround (or a better way to do this).
dm-crypt, cryptsetup and luks were used to set up several encrypted partitions on /dev/sda. I want to be able to mount these partitions on a virtual machine. They work just fine on the host machine.
When I try adding the drive (/dev/sda) or the partitions to the VM via the VMWare interface (even as root), I get permission denied errors ("insufficient permission to access file"). This happens if I don't decrypt the drive beforehand, and it happens when I do (and mount the partitions read-only to the host filesystem). Either way I can't use the entire disk or the individual partitions.
I've tried setting /dev/mapper/(entry) as the physical disk for the machine but VMWare won't recognize /dev/mapper entries as a drive.
I also tried upgrading to VMWare Server 2.0 but that product is laughably bad. I don't know if it will do what I need or not since it is too slow and too buggy for me to even install the VM.
The encrypted disk in question is removable and used on multiple machines, the rest of which are not virtual. So creating a virtual disk for the virtual machine and encrypting that would not work.
Any help would be appreciated. Thanks!
I can't find any information on doing this at all, save for this comment in the VMWare feature suggestion board. It was posted last year and leads me to believe this is not possible. The reason I'm still asking this question is because that info is 1 year old and surely somebody might know a workaround (or a better way to do this).
dm-crypt, cryptsetup and luks were used to set up several encrypted partitions on /dev/sda. I want to be able to mount these partitions on a virtual machine. They work just fine on the host machine.
When I try adding the drive (/dev/sda) or the partitions to the VM via the VMWare interface (even as root), I get permission denied errors ("insufficient permission to access file"). This happens if I don't decrypt the drive beforehand, and it happens when I do (and mount the partitions read-only to the host filesystem). Either way I can't use the entire disk or the individual partitions.
I've tried setting /dev/mapper/(entry) as the physical disk for the machine but VMWare won't recognize /dev/mapper entries as a drive.
I also tried upgrading to VMWare Server 2.0 but that product is laughably bad. I don't know if it will do what I need or not since it is too slow and too buggy for me to even install the VM.
The encrypted disk in question is removable and used on multiple machines, the rest of which are not virtual. So creating a virtual disk for the virtual machine and encrypting that would not work.
Any help would be appreciated. Thanks!
Best answer: Unless you can get VMWare to recognize the /dev/mapper entries, I think you're out of luck.
Googling around for vmware and /dev/mapper came up with
http://homepage3.nifty.com/tjh/vmware-bdwrapper/
http://vmgbd.drigon.com/
which appear to be workarounds for VMware being restricted to /dev/hd* and /dev/sd*
If that doesn't work out, I'd suggest exporting the /dev/mapper entry using NFS then mounting the NFS share.
posted by dragoon at 9:41 AM on January 18, 2009
Googling around for vmware and /dev/mapper came up with
http://homepage3.nifty.com/tjh/vmware-bdwrapper/
http://vmgbd.drigon.com/
which appear to be workarounds for VMware being restricted to /dev/hd* and /dev/sd*
If that doesn't work out, I'd suggest exporting the /dev/mapper entry using NFS then mounting the NFS share.
posted by dragoon at 9:41 AM on January 18, 2009
I didn't think that raw disks were a "supported configuration" with VMWare server anyway. I thought the supported configuration was a virtual hard disk file residing in a filesystem on the host. Why not put an linux filesystem on the encrypted partition, and put the virtual machine disk image there?
posted by Good Brain at 12:58 PM on January 18, 2009
posted by Good Brain at 12:58 PM on January 18, 2009
When I try adding the drive (/dev/sda) or the partitions to the VM via the VMWare interface (even as root), I get permission denied errors ("insufficient permission to access file"). This happens if I don't decrypt the drive beforehand, and it happens when I do (and mount the partitions read-only to the host filesystem). Either way I can't use the entire disk or the individual partitions.
That's probably your issue right there. If I recall correctly, the VMWare magic actually happens via a server process that doesn't run as root, regardless of who you run the user interface component as. So you need to find out which user the actual VMWare server process is running as, and add that user to a group to which you've granted the necessary permissions on the /dev/* files you're trying to use.
posted by flabdablet at 3:54 PM on January 18, 2009
That's probably your issue right there. If I recall correctly, the VMWare magic actually happens via a server process that doesn't run as root, regardless of who you run the user interface component as. So you need to find out which user the actual VMWare server process is running as, and add that user to a group to which you've granted the necessary permissions on the /dev/* files you're trying to use.
posted by flabdablet at 3:54 PM on January 18, 2009
Best answer: By the way, I didn't know that VMWare was restricted to /dev/[hs]d*, but even if it is, that's not necessarily a show-stopper. All you should need to do to work around that is to use
Even making a symlink from /dev/hdv1 to the real device file might be enough.
posted by flabdablet at 4:11 PM on January 18, 2009
ls -l to show you the major and minor device numbers associated with the /dev/mapper/* entry you want to use, and use mknod /dev/hdv1 b $major $minor to create an appropriately named /dev entry for the same device.Even making a symlink from /dev/hdv1 to the real device file might be enough.
posted by flabdablet at 4:11 PM on January 18, 2009
So you're trying to access a partition of your real hard disk from your virtual server? This might not be a good idea long-term; vmware removed removed support for "raw disks" from version 2 of vmware server.
posted by PueExMachina at 11:22 PM on January 18, 2009
posted by PueExMachina at 11:22 PM on January 18, 2009
Response by poster: Thanks everyone!
I tried using vmgbd, and then tried something similar to what flabdablet suggested based on information I found on the VMWare forums (through the link to vmgbd dragoon posted).
I installed vmgbd but I can't confirm whether or not that facilitated the solution. Ultimately I did create a symlink to /dev/mapper/stuff called /dev/sdx1. I went into the VMWare wizard, told it to use /dev/sdx1 as an Entire Disk and the guest machine successfully detected the host-encrypted partition as a second disk!
The original item on the VMWare board suggested using a symlink to fool the VMWare wizard into accepting it, then manually editing the corresponding .vmdk file and replacing the entry for the symlink with the actual path to the device. In this case I didn't need to go that far, but the actual posting is here.
posted by Ziggy Zaga at 8:13 PM on January 20, 2009
I tried using vmgbd, and then tried something similar to what flabdablet suggested based on information I found on the VMWare forums (through the link to vmgbd dragoon posted).
I installed vmgbd but I can't confirm whether or not that facilitated the solution. Ultimately I did create a symlink to /dev/mapper/stuff called /dev/sdx1. I went into the VMWare wizard, told it to use /dev/sdx1 as an Entire Disk and the guest machine successfully detected the host-encrypted partition as a second disk!
The original item on the VMWare board suggested using a symlink to fool the VMWare wizard into accepting it, then manually editing the corresponding .vmdk file and replacing the entry for the symlink with the actual path to the device. In this case I didn't need to go that far, but the actual posting is here.
posted by Ziggy Zaga at 8:13 PM on January 20, 2009
« Older Unusual Israeli tank proctection? | I need help figuring out my baby's food allergies Newer »
This thread is closed to new comments.
It might be worth looking into for your situation.
Alternatively; couldn't you encrypt the VM internally? (LVM + Encryption, WIndows + TrueCrypt) and not the physical disk?
posted by SirStan at 9:33 AM on January 18, 2009