SPBM Host-based Rules: VM Encryption
Continuing the SPBM series, in this episode, we are going to focus on the host-based rule: VM Encryption.
With the release of vSphere 6.5, you can utilize virtual machine encryption protecting your VM, disks, and files. Because VM Encryption uses SPBM polices, you may now encrypt individual VMs or disks as needed. This allows the flexibility of granular encryption without the need to encrypt an entire datastore. To further ensure security there are specific encryption privileges, Cryptographic Operations, and only administrators granted this privilege may perform encryptions and decryption tasks. This allows non-privileged VIadmins to continue performing day to day tasks.
What exactly is encrypted? VM Encryption supports virtual machine files, virtual disk files, and core dump files. This includes NVRAM, VSWP, and VMSN files as well as the VM’s VMDKs. Data in an encrypted virtual disk (VMDK) file is never written in cleartext to storage or physical disk and is never transmitted over the network in cleartext.
All encryption keys are managed via an external Key Management Server or KMS. There are several KMS vendors available, to find a compatible vendor, please use the VMware compatibility guide here.
vSphere Virtual Encryption Architecture
To enable VM encryption, you must setup an external KMS. The KMS, along with vCenter and the ESXi hosts, manage the encryption solution. A trust between a KMS and vCenter server must be completed to be able to utilize SPBM VM encryption. As there are several KMS vendors we won’t go into detail on setting up the KMS itself.
Once the KMS is setup, you may now create a Storage Policy for VM Encryption. When creating the new SPBM policy, you will “Enable host based rules”. Now you select the radio button “Use storage policy component“ and from the dropdown select “Default encryption properties, in most cases, you will choose this option. The custom option allows you to enable I/O filters before encryption. If this option is chosen, those filters can see cleartext data before encryption. The rest is a review of the policy and setting.
Host Encryption Mode
Before you can use the new policy, you must enable “Host Encryption Mode” on all of the hosts in the cluster. This setting is under the Configure tab in the Security Profile. There you can edit the Host Encryption Mode and enable the host to accept keys from the KMS server. If you want to disable Encryption Mode, you must remove the host from vCenter, reboot and then add it back to vCenter.
Below is a short video showing the process for setting up and enabling VM Encryption. The steps in the video are only possible after you have successfully added and enabled a KMS server to your vCenter.
- Create a VM Storage Policy for Host-Based Data Services
- Securing Virtual Machines
- Virtual Machine Encryption
- How vSphere Virtual Machine Encryption Protects Your Environment
- Use Encryption in Your vSphere Environment
- Set up the Key Management Server Cluster
- Best Practices Involving Multiple vSphere Components
- Defined Privileges
- Encryption Best Practices, Caveats, and Interoperability
- Storage Policy Based Management
- Populating the VM Storage Policies Interface
- Assign Tags to Datastores
- Storage DRS Integration with Storage Profiles
STAY TUNED FOR THE SPBM BLOG SERIES
- Using Tag-based SPBM Policies to Manage Your Storage
- Storage Capabilities and Services
- Data Services SPBM Policies
RELATED SPBM POSTS
- How is SPBM different to Tag-Based Placement?
- SPBM, because not all applications are created equal
- vSAN Operations: Use separate SPBM policies for VMs in stretched clusters