As computing devices have become more powerful and more capable, the execution of one or more virtual environments on a computing device has become more practical. Each virtual environment comprises a hardware abstraction of a computing device such that computer-executable instructions executing within the virtual environment cannot tell that they are not being executed directly on the hardware abstracted. From the perspective of the physical computing device, however, the virtual environment is nothing more than a series of executing computer-executable instructions, much like any other process or application, and one or more data files. Thus, while computer-executable instructions executing within the virtual environment may perceive the existence of a hard drive or other computer-readable storage device, from the perspective of the physical computing device such a hard drive is nothing more than a data file that can be dealt with in the same manner as any other data files stored on storage media communicationally coupled with such a physical computing device.
Because a single file stored on storage media communicationally coupled to a physical computing device can represent an entire volume, or even an entire storage device, within the context of a virtual computing environment, the copying of such a file to another computing device can enable that other computing device to gain access to potentially sensitive or confidential information that may have been utilized by, or stored by, computer-executable instructions executing within the virtual computing environment. In particular, because the computer-executable instructions executing within the virtual computing environment cannot detect differences in the underlying computing hardware, the computer-executable instructions executing within the virtual computing environment cannot protect themselves if the file that represents the entire volume or storage device within the context of the virtual computing environment is copied from one physical computing device to another, potentially malicious, computing device.
To protect the data utilized by and generated by a virtual computing environment, various protection methodologies can be applied, from outside of the virtual computing environment, to the file that represents the volume or storage device within the virtual computing environment. For example, computer-executable instructions executing directly on the physical computing device can encrypt the file that represents the volume or storage device within the virtual computing environment. Alternatively, access control methodologies can be utilized to restrict access to the file that represents the volume or storage device within the virtual computing environment. However, access control methodologies can be bypassed if the file that represents the volume or storage device within the virtual computing environment is copied to another computing device on which an otherwise unauthorized user has administrative rights. And while encrypting the file that represents the volume or storage device within the virtual computing environment may not be as easily bypassed, it can also introduce substantial difficulties when the virtual computing environment is hosted by a server computing device. In particular, encrypting the file that represents the volume or storage device within the virtual computing environment can require that a user enter a password, or other decryption information, each time such a file needs to be decrypted, such as each time the server hosting the virtual computing environment is rebooted. Given that modern server farms can comprise many thousands of servers, such a user-intensive requirement is impractical.