Securing virtual machine data

What is claimed is: 1. A method comprising: representing both virtual primary disk data and state data of a virtual machine in a unit of storage, wherein the virtual primary disk data comprises a virtual disk that is accessed by the virtual machine and the state data comprises execution state data of the virtual machine; exposing the virtual primary disk data of the virtual machine to a guest of the virtual machine to allow the guest to access the virtual primary disk data; intercepting a read access from the guest; and preventing the read access when the read access is for accessing the state data of the virtual machine. 2. The method of claim 1 , wherein the preventing comprises: partitioning the storage unit into at least a first partition for the virtual primary disk data and a second partition for at least the state data; storing a partition table for the first partition into the second partition; aligning the beginning of the virtual primary disk data with the beginning of the storage unit. 3. The method of claim 1 , wherein the preventing comprises: partitioning the storage unit into at least a first partition for the virtual primary disk data and a second partition for at least the state data; writing a first partition table for the first and second partitions; writing a second partition table for the first partition; and exposing the second partition table to the guest and preventing the guest access to the first partition table. 4. The method of claim 3 , wherein the preventing access to the first partition table comprises modifying access requests from the guest with an offset that corresponds to location of the first partition table. 5. The method of claim 4 further comprising verifying that modified access requests fall within acceptable boundaries. 6. The method of claim 1 , wherein the preventing comprises truncating size of the storage unit reported to the guest to hide the state data from the guest and storing the state data in a portion of the storage unit beyond the reported size. 7. The method of claim 1 further comprising: representing other non-disk data in the storage unit; and preventing the guest from accessing the other non-disk data. 8. The method of claim 1 , wherein the storage comprises at least one of removable storage, optical storage, disk drive, flash memory, network attached storage, and a storage in a storage area network. 9. A non-transitory computer-readable storage medium storing a virtualization system program, which, when executed by a processor, prepares a unit of storage to encode virtual primary disk data of a virtual machine accessible by a guest of the virtual machine, and to encode state data of the virtual machine, wherein the virtual primary disk data comprises a virtual disk that is accessed by the virtual machine and the state data comprises execution state data of the virtual machine, and wherein the virtualization system program is configured to intercept a read access from the guest and prevent the read access when the read access is for accessing the state data of the virtual machine. 10. The non-transitory computer-readable storage medium of claim 9 , wherein the preparing comprises: the virtualization system program partitioning the storage unit into at least a first partition for the virtual primary disk and a second partition for the state data, and writing a first partition table for the first and second partitions, and writing a second partition table for the first partition; the virtualization system program communicating the partition tables and the partitions to a virtualization layer; and the virtualization system program indicating an offset to a virtualization layer, wherein the offset corresponds to location of the second partition table, wherein the virtualization layer interfaces between the virtual machine and a system hosting the virtual machine. 11. The non-transitory computer-readable storage medium of claim 9 , wherein the preparing comprises: the virtualization system program partitioning the storage unit into at least a first partition for the virtual primary disk and a second partition for the state data, and writing a first partition table for the first and second partitions, and writing a second partition table for the first partition; and the virtualization system program communicating the partition tables and the partitions to a virtualization layer, wherein access to the first partition table requires a sufficient privilege level, wherein the virtualization system program and the virtualization layer are at least assigned the sufficient privilege level, wherein the virtualization layer interfaces between the virtual machine and a system hosting the virtual machine. 12. The non-transitory computer-readable storage medium of claim 9 , wherein the preparing comprises: the virtualization system program partitioning the storage unit into at least a first partition for the virtual primary disk and a second partition for the state data, and writing a first partition table for the first and second partitions, and writing a second partition table for the first partition; the virtualization system program storing a partition table for the first partition into the second partition and aligning the beginning of the virtual primary disk with the beginning of the storage unit. 13. The non-transitory computer-readable storage medium of claim 9 , wherein the preparing comprises: the virtualization system program partitioning the storage unit into at least a first partition for the virtual primary disk and a second partition for the state data, and writing a first partition table for the first and second partitions, and writing a second partition table for the first partition; and the virtualization system program encrypting the first partition table; and the virtualization system program communicating information to a virtualization layer to allow the virtualization layer to decrypt the first partition table, wherein the virtualization layer interfaces between the virtual machine and a system hosting the virtual machine. 14. The non-transitory computer-readable storage medium of claim 9 , wherein the storage unit is prepared to prevent access by a guest to other non-disk data in addition to the state data. 15. The non-transitory computer-readable storage medium of claim 9 , wherein the virtual machine is represented by the state data, the virtual primary disk, and virtual hardware configuration data that indicates at least a virtual processing unit. 16. The non-transitory computer-readable storage medium of claim 9 , wherein the storage comprises one of a disk drive, removable storage, flash memory, optical storage, network attached storage, and storage in a storage area network. 17. A non-transitory computer-readable storage medium storing a program that implements a virtualization layer that interfaces between a computational system and a virtual machine hosted on the computational system and that examines all access requests from a guest of the virtual machine and, in response to said all access requests, to allow the guest to access virtual primary disk data of the virtual machine and to intercept read accesses from the guest and prevent the read accesses when the read accesses are for accessing the state data of the virtual machine, wherein the virtual primary disk data comprises a virtual disk that is accessed by the virtual machine and the state data comprises execution state data of the virtual machine. 18. The non-transitory computer-readable stora