Q. What is a Local Guardian with Shielded VMs?
A. When you boil down a Shielded VM to its absolute most basic security foundation it is the ability to decrypt the content of the virtual TPM (vTPM) that is stored in the VMs resource state file (VMRS). This information is encrypted with a transport key and this encrypted transport key is stored and encrypted once with any applicable guardians public key and stored in the key protector. You can think of the key protect as having multiple rows with each row containing the transport key encrypted by a different guardians public key. By encrypting with the public key only the private key could decrypt it. Typically when using Shielded VMs the environment has a Host Guardian Service (HGS) which is selected to encrypt the transport key and make up one of the rows in the key protector. Additionally when creating the key protector you specify an owner which actually creates a local guardian which is a set of public and private keys. The private key is stored in your machines local certificate store. If needed that local guardian can be used to decrypt that particular row in the key protector to access the transport key to decrypt the vTPM information and enable the VM to start by allowing the BitLocker protected disk to be read. The Local Guardian is really just a certificate pair.
For example I have a HGS in my environment. I download its metadata (which is really its certificates) and define it as a guardian on my machine.
Invoke-WebRequest 'http://hgs.savtechhgs.net/KeyProtection/service/metadata/2014-07/metadata.xml' -OutFile .\SavTechGuardian.xml Import-HgsGuardian -Path 'SavTechGuardian.xml' -Name 'SavTech' -AllowUntrustedRoot $Guardian = Get-HgsGuardian -Name 'SavTech'
I now create a new local guardian which I'll use for all the VMs I shield.
$Owner = New-HgsGuardian –Name 'JSavillVMs' -GenerateCertificates #this is a local guardian which is certificate that can be used to crack open locally if required
I can view this certificate:
ls 'Cert:\LocalMachine\Shielded VM Local Certificates'
Now I create a new key protector using my local guardian ($Owner) and the HGS ($Guardian). I would then use this key protector to shield a VM. While I only specify one Guardian in this example I could select multiple guardians that will make up the key protector each protecting the transport key. That would enable the vTPM to be decrypted by multiple HGS environments, for example if I wanted my VM to be able to run in my private cloud and in a public cloud so I would want the transport key encrypted by multiple HGS public keys.
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
In this basic example my key protector would like the following. Note there is a single transport key (TK1) that is encrypted once for each guardian which means any of the guardians private keys could decrypt that particular row.
|Guardian||Encryption Cert||Signing Cert||Transport Key|
|JSavillVMs||JSavillVMsEncCert (public)||JSavillVMsSignCert (public)||TK1 encrypted with JSavillVMsEncCert|
|SavTech||SavTechEncCert (public)||SavTechSignCert (public)||TK1 encrypted with SavTechEncCert|