Multi-Key Total Memory Encryption on Windows 11 22H2


  • Staff
The security and privacy of customer data is a core priority for Azure and Windows. Encrypting data across different layers of device and transport is a universal technique to prevent exploits from accessing plaintext data. In Azure, we have a multitude of offerings to provide different levels of data confidentiality, encryption and isolation across workloads types (Azure Confidential Computing – Protect Data In Use | Microsoft Azure). One of such is VM memory encryption with Intel’s Total Memory Encryption – Multi Key (TME-MK), providing hardware accelerated encryption of DRAM. With the latest Intel 12th Gen Core CPUs (Alder Lake) offering this capability, we are delighted to extend support in Windows 11 22H2 for TME-MK.

End-to-end Encryption​

Encryption has long been an established mechanism to keep data from prying eyes. By encrypting data while it is at rest, in transit, and in use – we can prevent unexpected parties from getting access to sensitive information for the lifetime of data.

Data-at-rest is protected through (a plethora of) disk encryption technologies and data-in-transit is protected through network encryption protocols (SSL/TLS/HTTPS), both used in modern workloads for many years. Data-in-use protection has recently become available through the latest generation hardware in Azure, providing an end-to-end encryption schema. Memory encryption technology innovations are now becoming available in client CPUs.

PC Encryption Landscape​

Windows 10 introduced Bitlocker to encrypt data while it is residing in persistent storage, ensuring that a stolen laptop does not result in exposure of customers’ saved files on disk. Attackers continually get more sophisticated and mount physical attacks to retrieve data from volatile memory mediums (i.e. DRAM). One example is using methods to cryogenically freeze memory which enables data to persist for long periods of time. Another example is setting up interposers which sit between the DRAM chip and the DRAM slot.

It is logical to extend cryptographic protection of data while it is in memory, but it is expensive to do entirely in software. In modern CPUs, hardware-accelerated capabilities (Intel Total Memory Encryption) are used where the memory controller encrypts data before it is committed to the DIMMs, and decrypt data when needs to be computed on. Having memory controller-accelerated encryption also has a nice property where workloads do not need to be specially modified to take advantage of this, and the operating system and hardware can transparently handle these operations.

Memory controller-based encryption prevents attackers who have physical access to DRAM from being able to read in-memory contents in plaintext. TME-MK extends that paradigm by enabling different VMs (partitions) to have unique memory encryption keys.

medium


Total Memory Encryption – Multi Key (TME-MK)​

TME-MK is available in Intel 3rd Generation Xeon server processors and Intel 12th Generation Core client processors. Azure, Azure Stack HCI, and now Windows 11 22H2 operating systems also take advantage of this new generation hardware feature. TME-MK is compatible with Gen 2 VM version 10 and newer. List of Guest OS’s supported in Gen 2

On Azure, customers that use DCsv3 and DCdsv3-series Azure Virtual Machines TME-MK.

TME-MK capabilities are also available starting with Azure Stack HCI 21H2 and Windows 11 22H2 TME-MK.

Go to the Azure Stack HCI catalog and filter “VM memory encryption” to find Azure Stack HCI solutions that support TME-MK.

medium


To boot a new VM with TME-MK protection (assigning it a unique encryption key from other partitions), use the following PowerShell cmdlet:

Set-VMMemory -VMName <name> -MemoryEncryptionPolicy EnabledIfSupported

To verify a running VM is enabled and using TME-MK for memory encryption, you can use the following Powershell cmdlet:

Get-VmMemory -VmName <name> | fl *

The following return value would describe a TME-MK protected VM:

Code:
MemoryEncryptionPolicy  : EnabledIfSupported

MemoryEncryptionEnabled : True

To learn more about syntax and parameters to boot VMs using powershell: New-VM (Hyper-V) | Microsoft Learn

Underneath the hood, the operating system will request the CPU to generate an ephemeral key (for the duration of the VM lifetime). This key will never leave the CPU (and not be visible even to the operating system or hypervisor). The hypervisor will then set the associated bits in the second level page tables (SLAT) describing the physical addresses associated with the VM that should be encrypted with said key by the memory controller when data moves to and from memory.

Conclusion​

The privacy and security of customer data is top of mind for Windows 11. Windows will continue to evolve and adopt modern defense-in depth capabilities to continue protecting our customers. For more information on Intel TME-MK, read Intel’s latest whitepaper: https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/total-memor...

Windows OS Platform (Hyper-V Security) Team
Jin Lin, Alexander Grest, Bruce Sherwin

Source:
 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 2

Dru2

Well-known member
Power User
VIP
Local time
7:04 AM
Posts
2,273
Location
Virginia
OS
Windows 11 Pro 22H2 (Build 22621.900)
That's very interesting. Reading the article states only 12th gen Alder Lake processors, so only on newly built/bought PCs. PC's such as my fully Windows 11 compliant i9 system (system specs) wouldn't qualify due to processor limitation :(
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 22H2 (Build 22621.900)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel i9-9900K
    Motherboard
    Gigabyte Aorus Z390 Xtreme
    Memory
    32G (4x8) DDR4 Corsair RGB Dominator Platinum (3600Mhz)
    Graphics Card(s)
    Radeon VII
    Sound Card
    Onboard (ESS Sabre HiFi using Realtek drivers)
    Monitor(s) Displays
    NEC PA242w (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    5 Samsung SSD drives: 2X 970 NVME (512 & 1TB), 3X EVO SATA (2X 2TB, 1X 1TB)
    PSU
    EVGA Super Nova I000 P2 (1000 watt)
    Case
    Cooler Master H500M
    Cooling
    Corsair H115i RGB Platinum
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3
    Internet Speed
    500mb Download. 11mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, audiophile media center, work.
  • Operating System
    Win 10 Pro 22H2 (build 19045.2130)
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkPad Yoga X1
    CPU
    Intel i7-7600U
    Motherboard
    Intel
    Memory
    16igg
    Graphics card(s)
    Intel HD 620
    Sound Card
    Onboard
    Monitor(s) Displays
    14.0 WQHD OLED Touch
    Screen Resolution
    2560 x 1440
    Hard Drives
    1TB NVMe Drive (OEM)
    PSU
    laptop
    Case
    laptop
    Cooling
    Laptop cooling
    Mouse
    Logitech MX Anywhere 2S
    Keyboard
    Laptop
    Internet Speed
    100MB
    Browser
    Edge Chromium
    Antivirus
    Windows Security

Latest Support Threads

Top Bottom