Citrix announces "XenVault", a secure corporate storage location on insecure non-corporate laptops

Back at Citrix Synergy 2010 this past May, Citrix announced a client plug-in for encrypted data. (Remember that Citrix's client components are modular, so Citrix and third parties can write plug-in components to extend the capabilities of the client.) The purpose of the encrypted data plug-in is to provide a space to store files or virtual applications locally on a client device that are protected via a centrally-managed encryption scheme.

Yesterday Citrix announced that the encrypted data plug-in will be branded as "XenVault" and available in late September.

What I really like about the encrypted data plug-in that was previewed is that (1) it can encrypt just certain areas the Citrix client has access to—regardless of whether the device is corporate controlled or a user's personal laptop, and (2) admins deploying software and managing data can set policies based on this encryption. (e.g. maybe a user could only stream a corporate app to run locally on their client if the Citrix client software can verify that it's encrypted.)

I would imagine in the future this will be tied into Intel vPro-based clients with TXT to absolutely verify the device and the encryption. (And again, I assume that would be policy-based, so you could maybe configure all client-side components to be encrypted, but maybe some sensitive apps would only be available on the client if the client device also had vPro with TXT.)

Those of you who saw my opening keynote at BriForum 2010 remember that I told a story about my first days at TechTarget. When I learned that the only corporate-supported file sharing option for Gabe and me was a network share (which required client-scanning VPN access and Internet connectivity to use), I quickly said "Screw that!" and set up a Dropbox account. Now Gabe and I use Dropbox for everything. The problem is that Dropbox just puts regular files on each of our laptops, so if we lose a laptop then someone could mount the drive in another system and have full 100% access to everything we share.

We address this by using disk encryption, but the only reason Gabe and I encrypt anything is because we're smart enough to know the risks and to know how to configure the encryption. But what about normal users in some other company who want to use their non-corporate-controlled (BYOPC or whatever) laptops? Will they have the wherewithal to take the initiative to encrypt their own laptops? Of course not!

This is where Citrix XenVault comes in. Citrix's Joe Nord wrote a great technical blog post explaining the under-the-hood workings of XenVault, while their desktop CTO Harry Labana wrote a bit more about what this means for stodgy IT departments.

More on XenVault (from the press release):

  • Protects and Isolates User Data – The new XenVault technology automatically and transparently saves any user data created by corporate apps into an encrypted folder, ensuring that it is protected at all times from unauthorized users.
  • Ideal for Contractors and BYOC – Because XenVault supports both virtual and physical desktops, it is an ideal solution for contractors and employee-owned laptops where users don’t want IT installing software on their personal laptops. When a contract is over, an employee terminates, or the laptop is lost or stolen, corporate data remains secure, and can even be wiped remotely.
  • Supports XenApp and App-V – XenVault automatically encrypts data created by any corporate app that is delivered by Citrix XenApp™ (or the XenApp feature of XenDesktop) or Microsoft App-V.

To me this seems pretty huge and a key component of a complete application delivery solution.

XenVault will be released as a free plug-in for the Citrix Receiver, available as part of Feature Pack 2 for XenDesktop 4, which is expected to ship in late September. It will be available for all editions of XenDesktop. It will also work with XenApp, although I don't know whether there will be a new Feature Pack for that as well or whether it will just be a free update. Citrix plans to demo XenVault at VMworld next week.


XenVault (lightweight, portable, encrypted container) sounds a lot like an encrypted virtual workspace except it's limited to only data that XenApp touches.

Wouldn't it be great if you could put all your user installed applications inside of that secure, portable container as well without the overhead of virtualizing/publishing individual applications?

I believe that's one of the things workspace virtualization is supposed to accomplish.

I suppose if customers do not need portable applications and/or made a heavy investment in app virtualization, then the combination of XenApp/APP-V + XenVault is pretty useful.

However, seems to me that using the right type of workspace virtualization solution (apps+data+settings) is a "superset" of using virtual apps, virtual data vaults, and virtual user profiles.  3 different packaging efforts vs. doing just 1 effort - far more simple for both users and IT. Regardless, I'm sure customers will tell us which is better for them.

Well done, Citrix - keep innovating.



@dougdooley You are missing the point here. When I look at your solution you are all about presenting the desktop shell to the user, just like Moka 5 and the rest of the Type 2 solutions. Sure there may be modes to present just the app, but at run time you load everything to be able to present a full desktop. That has overhead. What will be helpful is how you think today your initial launch time experience compares with Moka 5, the upcoming PoS from VMware ACE rebranded, Med-Evil from MS etc.

In your case with all the stuff you are loading there is still the very real concern how you can react as fast as MS with zero day vulnerabilities. I would love to hear about your latest thinking there and why you think this is more secure.

So I think what you have is actually a different use case. XenVault to me is focused on lightweight access to data and a few apps, which means the overhead in theory should be a lot lower as they are not trying to present OS services to the app and data. They are simply redirecting I/O to an encrypted disk-like location and then applying policy.

I am not saying your solution is not relevant, I just think it's for a different use case and I don't see these solutions competing. Things like IronKey and the rest of the secure USB solutions IMO have more to worry about from an enterprise point of view. I also see XV as a potential way to remove full disk encryption from my current corporate owned laptops.

Of course I haven't tested it yet, and I am sure there will be many 1.0 bugs, but the concept is a good one IMO.


So to sum it up XenVault is Citrix's response to the whole type 2 hypervisor illusion of success.

XC and XV look like they go hand in hand to resolve different local computing environments.

Both technologies implement a centralized management architecture but XC can go on vPro devices and if the user has XC then the corporate environment can be streamed securely (OS/Apps/Data). However, if your hardware isn't vPro capable or if it just doesn't have XC then given you already have an OS the corporate environment can be streamed securely (Apps/Data).

Could the data ever get synchronized in the future with this implementation?


Great idea to get something centrally and transparently deployed...

Will the XenVault include a "XenSynchronization" mechanism to get the "XenEncrypted" data safely backed up in the datacenter transparently?