VMware Virtual SAN 6.0: Data Encryption with Hytrust DataControl


Customers from different industries and institutions are very interested in Virtual SAN as a storage solution not just because of the technological value it delivers today, but because of the product’s undeniable value around operational efficiency, ease of management, and flexibility.

Some of these customers are from financial, healthcare and government institutions, and conduct their business in areas that are governed by regulatory compliance laws such as HIPAA, PCI-DSS, FedRAMP, Sarbanes-Oxley, etc. These laws demand compliance with numerous security measures, one of them being the ability to guarantee data integrity by securing data with some form of encryption.

Today Virtual SAN does not include encryption as one of its data services; this feature is currently under development for a future release. So when considering Virtual SAN as a potential solution wherever data encryption is a requirement based on regulatory compliance laws, it is important to know what options are currently available.

In Virtual SAN the encryption data service capabilities are offloaded to hardware-based offerings available through Virtual SAN Ready Nodes. Data encryption services are exclusively supported on Virtual SAN Ready Node appliances that are built from certified and compatible hardware devices providing encryption capabilities, such as self-encrypting drives and/or storage controllers. The Virtual SAN Ready Node appliances are offered by just about all the OEM hardware vendors that are part of VMware's ecosystem.

An alternative option to the Virtual SAN Ready Nodes is a software based solution developed and offered by a company called Hytrust. Hytrust is one of the members of VMware’s partner ecosystem whose business is focused around the delivery of data security services for private and public cloud infrastructures. The solution I want to highlight in particular is called Hytrust DataControl.

Hytrust DataControl is a software-based solution that is designed to protect virtual machines and their data throughout their entire lifecycle (from creation to decommissioning). Hytrust DataControl delivers both encryption and key management services.

This solution is built specifically to address the unique requirements of private, hybrid and public clouds, combining robust security, easy deployment, exceptional performance, infrastructure independence, and operational transparency. Hytrust DataControl's ease of deployment and management aligns with one of the main principles of Virtual SAN, which is simplicity and ease of management.

Hytrust DataControl virtual machine edition is based on a software agent that encrypts data from within the Windows or Linux operating system of a virtual machine, ensuring protection and multi-tenancy of data in any infrastructure. DataControl also allows you to transfer files between VMs, so you can securely migrate stored data from your private to the public cloud.

The deployment of the Hytrust DataControl solution and the installation and configuration of the software are done in a couple of easy steps that take just a few minutes. Once the software is resident, any data written to storage by an application is encrypted both in motion, as it travels through the hypervisor and network, and at rest on the Virtual SAN datastore.

Note: The agent download and configuration steps can be mitigated with the use of virtual machine templates. Also, the entire configuration can be automated via the Hytrust Command Line Interface (hlc).

The demonstration below showcases the procedure to enable the Hytrust DataControl encryption services on a single virtual machine. The application being protected is a Tier 1 database server (SQL Server 2014) that currently resides on the Virtual SAN datastore with an availability requirement of FTT=1. The virtual machine is leveraging the performance and availability capabilities delivered by Virtual SAN. The demonstration also highlights the ease of management and configuration of the solution, from the key manager registration to the actual encrypting of the drives, and displays the centralized control and management capability for managing the addition and removal of encrypted resources.

Hytrust DataControl Supported Operating Systems

  • Windows 2012 Server R2 with Service Pack 1
  • Windows 2008 Server
  • Windows 7 64-Bit with Service Pack 1
  • Centos 5.8, 6.2, and 6.3
  • Ubuntu 10.04 server and desktop
  • Ubuntu 12.04 server
  • Ubuntu 12.10 server
  • Red Hat Enterprise Linux Server 6
  • Debian 6.0.7 (requires cryptsetup)
  • Savvis Linux – Red Hat Enterprise Linux Server 5.3 and 6.1

Some of Hytrust’s DataControl capabilities and benefits include:

Strong FIPS-Approved Encryption – Hytrust DataControl encrypts data using AES-128/256, ensuring VMs are secure from the time they are created until they are securely decommissioned.

Key Management – Hytrust KeyControl provides a highly-available, security-hardened key management system that is simple to deploy and easy to use. KeyControl is a locked-down virtual appliance (though it can also be installed on physical hardware). KeyControl is fully multi-tenant and supports active-active clustering for availability. The appliance can be installed on your premises or at your service provider (vCloud Air). Administrators define policies for key retention or zero-downtime rekeying in accordance with compliance or other requirements.

Hardware-Accelerated Performance – Hytrust DataControl automatically detects and leverages AES-NI hardware acceleration built into most modern Intel and AMD chipsets, ensuring minimal latency.

Transparency – Hytrust DataControl is deployed into the operating system of the virtual machine and is completely transparent to applications and users. Administrators can manage their infrastructure with the same tools they always have, with no change to process.

As organizations seek to build multi-tenant and private cloud infrastructures, as well as adopt hybrid and public clouds, Hytrust DataControl can be utilized to mitigate the risk of data exposure, by locking down data in a way that is optimized to work with the highly dynamic nature of virtual infrastructure.

Hytrust DataControl solution is comprised of the following major components:

HyTrust KeyControl Nodes and clusters – supporting an active-active cluster, the KeyControl cluster stores keys, policies and configuration data related to the cluster, or to any number of virtual machines where the HyTrust DataControl Policy Agent is installed. Administration of the system is through a web-browser-based GUI or through a set of REST-based APIs. Communications between the browser and the KeyControl cluster are over HTTPS. Since this is a full active-active cluster, the browser can point at any KeyControl node in the cluster. Any changes made are immediately reflected on all cluster nodes.

HyTrust DataControl Policy Agent – the HyTrust DataControl Policy Agent (the DataControl agent) is a software module that runs inside Windows and Linux virtual machines, either local or in a private, public or hybrid cloud, providing encryption of virtual disks and individual files. The DataControl agent is typically used to provide encryption of virtual machines (or physical servers) in the data center. All VMs that have the DataControl agent installed can also securely share encrypted files. Encryption keys (keyIDs) can be used by selected VMs to encrypt and decrypt files. Encrypted files can also be sent to cloud storage such as vCloud Air and only accessed by the selected VMs where the DataControl agent is installed.

Hytrust DataControl solution features:

  • Hytrust appliances based on Hytrust hardened FreeBSD OS
  • Hytrust KeyControl Nodes and Clusters
  • Web-based administrative interface
  • REST-based API
  • Flexible administrative framework suitable for small and large organizations
  • Key Management capability services
  • Secured authentication of new nodes
  • Secure protocol support between nodes
  • Support for VM in-guest encryption using the Hytrust DataControl Policy Agent
  • Secure data migration

Hytrust KeyControl virtual appliance characteristics:

  • Hytrust SecureOS
  • Single vCPU
  • 1 GB of RAM
  • 1 Virtual Disk
  • 1 Network Adapter

Overall, the data encryption features and capabilities provided by the Hytrust DataControl solution can very easily be utilized for virtual machines and their applications stored on VMware Virtual SAN in a private datacenter and expanded for hybrid cloud services such as vCloud Air. For more detailed information about Hytrust DataControl please visit the Hytrust product page.

Hytrust DataControl Product Page

– Enjoy

For future updates on Virtual SAN (VSAN), vSphere Virtual Volumes (VVols) and other Software-defined Storage technologies as well as vSphere + OpenStack be sure to follow me on Twitter: @PunchingClouds.