Security has always been a core concern for the VMware Cloud on AWS service. Since its initial availability, every vSphere host deployed has implemented encryption at rest. Initially, this was fulfilled using self-encrypting NVMe devices. Unfortunately, for some customers this wasn’t enough. For a variety of valid reasons, some customers are required not only to encrypt their data at rest but also to periodically change the encryption keys.
vSAN Data Encryption
Fortunately, vSAN supports a robust and proven data-at-rest encryption capability. That, however, is only half of the equation. To encrypt data, vSAN requires a Key Management Server (KMS). On-premises vSAN supports any KMIP-compliant KMS. Initially, we looked into allowing customers to specify a KMS just as they do on-premises, but that would in turn make an SDDC dependent on an external resource outside of VMware’s control. VMware would not be able to guarantee availability, because any loss of KMS availability could result in a loss of data accessibility.
Enter the AWS Marketplace
While researching potential solutions, the team looked to see if we could solve this challenge using our existing portfolio of KMS providers. We evaluated what that would look like and ultimately found it unsupportable at this time: it was far too likely that a customer would lock both themselves and VMware operations out of the data stored inside an SDDC. Hope was not lost, however. While researching KMIP-compliant KMS solutions, the team encountered Amazon’s native AWS Key Management Service.
AWS KMS is unique in that it has been designed with Amazon’s availability model in mind. The service is available in every Region, and it is highly available within every Region: as long as a single Availability Zone survives within a Region, KMS is alive and able to return decryption keys. All of this coalesced into a solution that is not only pennies on the dollar compared to a private KMIP server but, more importantly, is part of AWS itself, removing the external dependency.
Compliance ready Data-at-Rest Encryption
The outcome of this work is a solution that significantly enhances the customer’s control and security at minimal cost. As a result, this capability will be included in the service as a standard feature. Every new SDDC will be automatically configured with vSAN Data Encryption, and existing SDDCs will be upgraded in place in a rolling fashion. This change removes all of the complexity traditionally associated with running data-at-rest encryption while still exposing the critical key management task to the Cloud Admin role. If you’ve been on the fence, perhaps now is the time to jump in and check out VMware Cloud on AWS and its ever-expanding portfolio of services and capabilities.
4 comments have been added so far
Can I just utilize AWS KMS for my on-prem SDDC without having any hosts on VMware Cloud on AWS?
Not at this time. The AWS KMS is not KMIP compliant which is required for any On-Premises vSAN deployments. The AWS KMS integration is exclusive to the VMware Cloud on AWS Service.
Got it, thank you!
Is there any possibility AWS KMS would be on the Compatibility Matrix for On-Premises deployments?