Marius Burz asked:
We are running a few Solaris / Linux VMs on ESXi that contain very sensitive encrypted data that eventually get decrypted as required in memory.
Everything is fine, except for the ESXi swap files which could potentially store some of the decrypted data, the cherry on top of the cake being that these files won’t get removed in case of a host crash.
Is there any way to disable these files completely?
We already tried reserving the whole allocated RAM to the VMs on a per VM basis, but the files still get created.
What would it take to have ESXi swapping completely disabled for the entire host or only for some VMs?
It should be sufficient to encrypt the virtual machine swapfiles that ESXi creates. Try putting the swapfiles on a datastore that’s encrypted, such as an encrypting SAN or self-encrypting disk.
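An added example, not part of the original question or answer: a small audit of a VM's .vmx settings that reports whether memory is fully reserved (what the asker tried) and whether the swapfile directory sits on a datastore known to be encrypted (what the answer suggests). The sample .vmx text, the datastore paths and the function names are constructed for illustration; which datastores count as encrypted is an assumption the operator supplies.

```python
import re

# Constructed sample .vmx content (not from the original post).
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "db01"
memSize = "8192"
sched.mem.min = "8192"
sched.mem.pin = "TRUE"
sched.swap.dir = "/vmfs/volumes/sed-datastore/swap"
'''

# Assumption: datastores the operator knows are backed by an encrypting SAN or SED.
ENCRYPTED_DATASTORES = ("/vmfs/volumes/sed-datastore",)

_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key = "value" pairs of a .vmx file, keys lower-cased."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def on_encrypted(path, encrypted=ENCRYPTED_DATASTORES):
    """True if path is an encrypted datastore root or lies below one."""
    path = path.rstrip("/")
    return any(path == d.rstrip("/") or path.startswith(d.rstrip("/") + "/")
               for d in encrypted)

def audit(text, vm_dir, encrypted=ENCRYPTED_DATASTORES):
    """Summarise reservation and swapfile placement for one VM."""
    cfg = parse_vmx(text)
    mem = int(cfg.get("memsize", "0"))            # configured RAM, MB
    reserved = int(cfg.get("sched.mem.min", "0"))  # memory reservation, MB
    pinned = cfg.get("sched.mem.pin", "").upper() == "TRUE"
    # Assumption: with no sched.swap.dir the swapfile lives in the VM's own
    # directory; a host-level swapfile location policy is not visible here.
    swap_dir = cfg.get("sched.swap.dir") or vm_dir
    return {
        "fully_reserved": pinned or (mem > 0 and reserved >= mem),
        "swap_dir": swap_dir,
        "swap_dir_encrypted": on_encrypted(swap_dir, encrypted),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_VMX, "/vmfs/volumes/ds1/db01"))
```
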
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.