One thing to keep in mind is that since the virtual machine is running as a process in the host machine, the host can inspect arbitrary portions of the guest's memory. This means that no matter what encryption system you use, the host can extract the keys as long as the guest can read the files. There is no way to secure a guest OS from the host. The only way around this is to keep the host OS in a trusted state (i.e. don't let unauthorized software run, don't install updates, etc.) and to shut down the guest rather than suspend it every time they're done. When you suspend a guest, VMware writes its memory to the host's hard drive, potentially including any encryption keys for folders. That shouldn't happen if you shut down. It doesn't protect you from an online attack (one carried out when the system is running, not strictly one over the Internet), but it should prevent a thief with physical access from getting at the records.
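The answer's practical advice is that a suspended guest leaves its memory, keys included, lying on the host's disk, while a clean shutdown does not. The following is an added example, not code from the original thread: a small audit script that walks a VMware virtual-machine directory and flags the files that carry guest memory contents. The extension list (.vmem, .vmss, .vmsn) is the editor's assumption from public VMware documentation, and the directory it inspects in the demo is constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

# VMware file types that hold guest memory on the host's disk.
# The list is this example's assumption, not from the original thread.
MEMORY_EXTENSIONS = {
    ".vmem": "guest memory backing file (present while running or suspended)",
    ".vmss": "suspend state (written when the guest is suspended)",
    ".vmsn": "snapshot state (may include guest memory if taken while powered on)",
}


def find_memory_artifacts(vm_dir):
    """Return a sorted list of (relative path, description, size in bytes)
    for every file under vm_dir whose extension indicates guest memory."""
    root = Path(vm_dir)
    found = []
    for path in root.rglob("*"):
        suffix = path.suffix.lower()
        if path.is_file() and suffix in MEMORY_EXTENSIONS:
            found.append((str(path.relative_to(root)),
                          MEMORY_EXTENSIONS[suffix],
                          path.stat().st_size))
    found.sort()  # deterministic order by relative path
    return found


def build_demo_dir():
    """Create a constructed VM directory that mimics a guest left suspended
    with a live snapshot. Contents are placeholders, not real VM data."""
    d = Path(tempfile.mkdtemp(prefix="vmaudit-"))
    (d / "records.vmx").write_text("# constructed VM config\n")
    (d / "records.vmdk").write_bytes(b"\0" * 64)          # virtual disk: not flagged
    (d / "records.vmss").write_bytes(b"\0" * 128)         # suspend state: flagged
    (d / "records-Snapshot1.vmsn").write_bytes(b"\0" * 32)  # snapshot state: flagged
    return str(d)


def summarize(vm_dir):
    """Produce a short human-readable report; returns the number of hits."""
    hits = find_memory_artifacts(vm_dir)
    if not hits:
        print(f"{vm_dir}: no guest-memory files found (guest appears cleanly shut down)")
        return 0
    print(f"{vm_dir}: {len(hits)} file(s) may contain guest memory, including key material:")
    for rel, desc, size in hits:
        print(f"  {rel} ({size} bytes): {desc}")
    print("  Recommendation: shut the guest down (not suspend) and remove stale state files.")
    return len(hits)


if __name__ == "__main__":
    # Audit a real directory if one is given, otherwise the constructed demo.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    summarize(target)
```

Run it with a VM directory as the argument to audit a real guest; without arguments it builds the constructed demo directory. A hit only means guest memory is on disk, which is normal for a running guest with a .vmem backing file, so the check is most meaningful on a guest that is supposed to be powered off.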