I'll have to deploy virtual machines on demo laptops, which will use Vmware player, but I've got some security concerns, as some data stored in the virtual machines are a bit sensitive.
Is there a way to prevent the copy of these virtual machines ? Are the virtual hard drives encrypted, and if not is there a way to encrypt them ? In short, is there a way to lock down everything so that nobody could copy and or use these VMs in another computer ?
EDIT :
Truecrypt to encrypt the VM could be a solution, but if the password used by truecrypt is leaked, then it becomes useless. Associating the VM with a computer so that it can only run on a specifica hardware should do the trick, but I haven't found a solution that allows me to do that...
I'm not aware of a VMWare-specific solution to your question, the virtual disks themselves aren't encrypted but obviously there are guest-specific systems that will prevent unauthorised access but if you copy the disk it'll still have the same contents. I guess if you're using Player/WS/Server you could place the virtual disks inside something like bitlocker and apply copy-rights access priviledges but that would depend on your host OS type.
You want vmware ACE.
It is like vmware player but the images are encrypted by vmware itself. You can do things like set expiration times and passwords and remotely disable / delete virtual machines.
Now, how this all would hold up against a concerted attack against one of your virtual machines? Probably not well, but it would be better than distributing normal virtual machines with no protection.
Three suggestions and a comment ..
S1- Reconfigure the demo to minimize (or eliminate) the secure data available. THIS IS THE BEST APPROACH.
S2- Avoid the issue by giving the demo laptops mobile broadband so that they can connect without plugging in at the clients. At that point, there are a ton of very secure methods to connect (VPN, Terminal Server, GotoMyPC, and so on). It is likely more cost effective than building secure, inconvenient laptops that you have to manage and deal with frequently.
S3 - If neither of these works for your organization, you could use TrueCrypt with a YubiKey, inside a VM or not. Then if the password is leaked, the data is still secure.
Comment: Once you give someone access to your data, it is as good as gone. They can take screen captures, print, take pictures with their cell phone, take notes, memorize key items, etc. In my experience, there is a quickly diminishing return on the ever more onerous and inconvenient methods to crank down on possible leaks at the client. The cost goes up, the effectiveness goes down, and the inconvenience gets out of hand. IMHO the best approach is to plug the reasonably common leaks at the core, restrict access until trust is established, and accept the permanent risk that people you trust may not be trustworthy.
I know of no way to secure the images in a way that goes beyond what is already built into Windows (assuming that's what's in the VM's you're using).
My question for you involves deployment; if these are demo laptops, what are you putting on them that is sensitive? I mean, what scenarios are you specifically trying to protect against? If you weren't using VM's, they could still have data stolen. You would have to use Windows (or Linux) encryption on the filesystem to keep thieves from gaining access to data, and that is again something you can enable within the guest OS.
If you're using some demo software that is using sensitive data, you might want to reconsider doing that. With laptops, you have only as much protection as you trust your users, as all the encryption and measures in the world won't keep an authorized user from screwing you or your company over. On the other hand being overly restrictive or adopting cumbersome practices will generate a lot of ill will towards your company and your department from your users.
Also be aware that adding an encryption layer can add overhead to the notebook; you'll be running a virtualized system (which is some percent slower) to an encryption layer (which adds overhead and thus makes it slightly slower), so that can impede performance. Something you'll want to test.
From what you described, I'd probably use your guest OS's built-in security to encrypt things as necessary to protect the data you're worried about, or use an encrypted volume on the drive or USB drive (something like Truecrypt) or use such a tool to encrypt within the guest to secure information. Best bet is built-in tools like Windows encryption on NTFS, otherwise Truecrypt. And any other security you can use on the laptops (like BIOS settings changes appropriately).