New in vSAN 7 Update 1: Data-in-Transit Encryption
Data-at-rest encryption was introduced in vSAN 6.6, making it the industry’s first native HCI security solution. The vSphere 6.7 and vSAN 6.7 cryptographic modules achieved FIPS 140-2 validation from the National Institute of Standards and Technology (NIST); FIPS 140-2 specifies the security requirements for cryptographic modules. vSphere with vSAN is the only HCI solution with multiple generations of DoD-published Security Technical Implementation Guides (STIGs) for rigorous, standards-compliant implementation hardening. Today, vSAN is used by a wide variety of organizations to protect data and ensure compliance with regulatory requirements.
vSAN 7 Update 1 further improves its security posture by adding data-in-transit encryption. The latest version of vSAN uses the same FIPS 140-2 validated encryption module to secure vSAN data as it traverses the vSAN backend network. Data-in-transit encryption can be used independently or in conjunction with data-at-rest encryption to achieve the desired level of protection.
Both encryption options are enabled at the cluster level. This means all vSAN data (at rest and/or in-flight) in the cluster is encrypted when either or both of these services are enabled.
Figure 1. Enabling data-at-rest and data-in-transit encryption.
vSAN continues to simplify operations with every release. vSAN data-in-transit encryption does not require a key management server (KMS). The keys for data-in-transit encryption are managed internally. The only thing you might need to configure manually is the rekey interval, which is set to “1 day” by default.
Figure 2. Data-in-transit rekey interval.
Note: vSAN data-at-rest encryption still requires a KMS.
vSAN Skyline Health checks whether data-in-transit encryption is configured properly for the cluster. This check runs once data-in-transit encryption is enabled on the cluster. Because the setting is cluster-wide, every host in the cluster must have data-in-transit encryption enabled for data to be properly protected. vSAN Skyline Health continuously checks the state of data-in-transit encryption on each host. If a discrepancy with the configuration is found, vSAN Skyline Health raises an alert and offers to remediate the inconsistent configuration. A link to the relevant VMware Knowledge Base article is also provided so you can get more details when an issue occurs.
Figure 3. Data-in-transit health check.
As with data-at-rest encryption, data-in-transit encryption naturally requires additional CPU cycles to encrypt and decrypt data. AES-NI is used, resulting in only a slight increase in CPU utilization and virtually no impact on storage performance. Data-in-transit encryption is compatible with other vSAN features such as file services, deduplication, compression, data-at-rest encryption, and more. It can be enabled on both all-flash and hybrid clusters, and vSAN standard cluster, stretched cluster, and 2-node cluster configurations are all supported.
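The cluster-level enablement and the per-host consistency check described above can be driven from PowerCLI. The following is an added example, not code from the original post or from VMware; it assumes PowerCLI 12.1 or later with the VMware.VimAutomation.Storage module, a placeholder vCenter and cluster name, and the parameter/property names DataInTransitEncryptionEnabled and DataInTransitRekeyInterval, which are assumed from the PowerCLI reference and should be confirmed with Get-Help before use.

```powershell
# Added example (not from the original post): enable vSAN data-in-transit
# encryption with PowerCLI, read the setting back, and run Skyline Health.
# Assumptions: PowerCLI 12.1+; placeholder server/cluster names; the
# parameter and property names DataInTransitEncryptionEnabled and
# DataInTransitRekeyInterval are assumed (verify with Get-Help).
$vCenter     = 'vcenter.example.com'   # placeholder
$clusterName = 'vSAN-Cluster'          # placeholder

Connect-VIServer -Server $vCenter | Out-Null
$cluster = Get-Cluster -Name $clusterName

# The setting is cluster-wide: one call covers every host in the cluster.
# No KMS is needed; keys are managed internally by vSAN.
$cluster | Get-VsanClusterConfiguration |
    Set-VsanClusterConfiguration -DataInTransitEncryptionEnabled $true | Out-Null

# Read the configuration back and fail loudly if it did not take effect.
$cfg = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $cfg.DataInTransitEncryptionEnabled) {
    throw "Data-in-transit encryption is not enabled on cluster $clusterName"
}
# Rekey interval defaults to one day; shown here so it can be audited.
"Data-in-transit encryption enabled on $clusterName; " +
"rekey interval setting: $($cfg.DataInTransitRekeyInterval)"

# Run Skyline Health so the per-host consistency check reports any host
# that is out of step with the cluster setting (a mixed cluster leaves
# some vSAN network traffic unprotected until remediated).
Test-VsanClusterHealth -Cluster $cluster

Disconnect-VIServer -Server $vCenter -Confirm:$false
```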
Secure Disk Wipe
The latest version of vSAN also supports the secure erasure of drives. This helps avoid the potential exposure of sensitive data when drives are decommissioned or repurposed.
The secure disk wipe feature is based on NIST standards and is executed through PowerCLI or API calls. Only drives that have been decommissioned from a vSAN disk group are eligible. A single drive can be wiped, or multiple drives can be wiped in parallel. NVMe, SAS, and SATA flash (SSD) devices are supported; magnetic drives (HDD) are not. See the VMware Compatibility Guide (VCG) for vSAN to determine which ReadyNodes are compatible with the secure disk wipe feature.
Figure 4. Find supported ReadyNodes in the VMware Compatibility Guide.
Below are a couple of screenshots showing sample PowerCLI commands.
Figure 5. Secure disk wipe PowerCLI commands (1 of 2).
Figure 6. Secure disk wipe PowerCLI commands (2 of 2).
Evidence of the disk wipe activity is recorded on the host in /var/run/log/vmkernel.log.
Summary
VMware Cloud Foundation built on HCI with vSAN continues to lead the industry with security that is native to vSAN and vSphere. vSAN 7 Update 1 introduces data-in-transit encryption that is easily enabled without an external KMS. This approach minimizes complexity while providing the necessary protection for sensitive, business-critical data. vSAN Skyline Health includes a health check for data-in-transit encryption to help ensure the highest levels of security and quick notification if an issue does occur. Secure disk wipe provides an additional option to protect sensitive data when decommissioning or repurposing flash devices used in a vSAN cluster. These new features are part of VMware’s intrinsic security approach to protecting your organization. Learn more about simplifying and strengthening your environment using infrastructure to secure any app, any cloud, any device.
@jhuntervmware