How to: Configuring vSphere/vSAN Encryption
Encryption: one word that means many different things, and one that is often misunderstood. Within the last few years, encryption has become not only more prevalent but, in some cases, required. There are several different types of encryption: at rest, in flight, and so on.
According to Wikipedia,
“Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.”
The need for encryption is greater now than ever. Most companies now suggest enabling encryption as a best practice, and most auditors like to see companies use encryption where possible for compliance reasons. There are several different avenues and vehicles that can meet those requirements, including, but not limited to: at-rest encryption within a storage array, with or without self-encrypting drives; in-flight encryption from applications; and hardware-based encryption. One way of offering encryption is with a technology called KMS. KMS stands for “Key Management Service”. The KMS does not itself do the heavy lifting of encryption; rather, it controls the keys that are used to do the actual encryption. Without those keys, the data stays locked; with them, it can be unlocked.
vSphere/vSAN offers encryption, starting in 6.5. It allows VM data (VMDKs) to be encrypted to protect it from unauthorized access. One of the great things about vSphere/vSAN encryption is that you only need 6.5 (Enterprise Plus) and a KMS key store. This is a great solution for those who have an encryption requirement but don’t have the underlying storage to facilitate encryption (important note: KMS also works with some storage arrays, but mileage varies). One of the best features of vSphere/vSAN encryption is the ability to apply encryption policies to all or selected VMs within vSphere using VM Storage Policies.
This is beneficial in a number of ways; for example, it prevents someone from downloading a VM and importing it into another environment to access its data.
Townsend Security has an NFR program for vExperts. Since I am a vExpert, I thought I would give them a try. The setup was very easy, and they also assisted me with a few issues. They should be worth a look for customers needing KMS encryption. You do not have to be a vExpert to try this product: without NFR, you still get a 30-day trial.
VMware supports several different KMS key stores, but ensure the one you choose uses the KMIP standard and is on VMware’s compatibility list. To get started, download the VMware OVA from Townsend.
Step 1: Download the OVA.
To get started, download the OVA. You can download the free trial here. Once downloaded, you can deploy it within your VMware environment: within vSphere, select Deploy OVA.
Step 2: Deploy OVA
Select the AKM_VM.OVA download.
Select a resource to deploy to.
Ensure compatibility checks succeed, then select next.
Review details and select next.
Once you have selected your storage, you are ready to deploy.
Finalize networks and select next.
Select Finish, and deploy the OVA. Once deployed, you can go through the quick start guide to configure it. For full documentation, check this link.
Open console access to the appliance and log in with the default username and password. Use the default login of admin and the default password OOHXPq6r530N6re.
Once logged in, type akm-menu.
Select “Yes” to accept the EULA.
Select (1) to Initialize AKM.
Select (1) to Initialize as Primary.
Enter the country code, state, city, organization and unique name, then select YES to create the default encryption keys. You can always create more keys later.
Note the location within the appliance where the certificates generated in the previous step are placed: /home/admin/downloads/
Document the IP address: from the console, type 4 to return to the shell, then type ifconfig to obtain the IP address, which will be needed later. The address is assigned via DHCP when you deploy the appliance; you can change it later by logging into the appliance’s web UI.
Next, use a program like WinSCP to download the certificates, connecting to that IP address with the default login of admin and the default password OOHXPq6r530N6re.
Ensure you have the certificates shown above available. You will need AKMAdminCertificate.pem and AKMAdminPrivateKey.pem for upload later.
Step 3: Establish Trust
Next, go to your top-level vCenter Server, select Configure, then Key Management Servers, and select Add.
Enter your server name and IP address. Ensure you use port 5696 for the server port! Be sure to leave the username and password empty.
Allow the vCenter to Trust the KMS.
Next, select Make KMS TRUST vCenter.
Select the “KMS certificate and private key” and select next.
Select AKMAdminCertificate.pem for the KMS Certificate and the AKMAdminPrivateKey.pem for the KMS Private Key. Then select Establish Trust.
You should now have both vCenter and the KMS listed as trusted. Once you have completed these steps, you will have successfully deployed a KMS key store within vSphere. However, we still haven’t done any actual encryption of the VMs yet. I will do a follow-up blog post on how to encrypt VMs with Storage Policies.
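Before uploading the two PEM files in Step 3, it is worth confirming that AKMAdminCertificate.pem and AKMAdminPrivateKey.pem really belong together, that the certificate is not about to expire (an expired KMS certificate means vCenter can no longer fetch keys, and encrypted VMs will not power on), and that the appliance actually answers on the KMIP port 5696 that vCenter will use. The bash functions below are an added example written for this post; they are not part of Townsend’s appliance, VMware’s tooling or the original article. They assume openssl is installed on the machine where you downloaded the files; the file paths, the hostname akm.example.local and the 30-day threshold are assumptions you can change.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the AKM certificate/key pair and the KMIP endpoint.
# Added example, not part of the original post or the AKM appliance.
# Assumes: openssl on the PATH; the PEM files downloaded from /home/admin/downloads/.

# akm_cert_key_match CERT KEY
# Succeeds (0) only if the public key inside CERT equals the public key derived
# from KEY, i.e. the two files are a matching pair. Returns 2 if a file cannot be parsed.
akm_cert_key_match() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# akm_cert_valid_for_days CERT [DAYS]
# Succeeds only if CERT is still valid DAYS days from now (default 30), so an
# expiring certificate is caught before vCenter loses access to the KMS.
akm_cert_valid_for_days() {
  local cert="$1" days="${2:-30}"
  openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1
}

# akm_cert_fingerprint CERT
# Prints the SHA-256 fingerprint, to compare against what vCenter displays when
# it asks you to trust the KMS certificate.
akm_cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# kmip_port_open HOST [PORT]
# Succeeds only if a TCP connection to HOST:PORT (default 5696, the KMIP port)
# opens within 5 seconds. Uses bash's /dev/tcp so no extra tools are needed.
kmip_port_open() {
  local host="$1" port="${2:-5696}"
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# akm_preflight [CERT] [KEY] [HOST]
# Runs all checks in order and stops at the first failure (non-zero return).
akm_preflight() {
  local cert="${1:-AKMAdminCertificate.pem}"      # assumed default path
  local key="${2:-AKMAdminPrivateKey.pem}"        # assumed default path
  local host="${3:-akm.example.local}"            # assumed hostname
  if akm_cert_key_match "$cert" "$key"; then
    echo "OK: certificate and private key match"
  else
    echo "FAIL: certificate/private key mismatch or unreadable file"; return 1
  fi
  if akm_cert_valid_for_days "$cert" 30; then
    echo "OK: certificate valid for at least 30 more days"
  else
    echo "FAIL: certificate expires within 30 days (or is already expired)"; return 1
  fi
  echo "Fingerprint: $(akm_cert_fingerprint "$cert")"
  if kmip_port_open "$host" 5696; then
    echo "OK: ${host}:5696 (KMIP) reachable"
  else
    echo "FAIL: ${host}:5696 not reachable; check the appliance IP and firewall"; return 1
  fi
}

# Usage: ./akm_preflight.sh AKMAdminCertificate.pem AKMAdminPrivateKey.pem 192.0.2.10
# Only runs when all three arguments are given, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
  akm_preflight "$@"
fi
```

Run it from the directory where WinSCP saved the files, passing the appliance IP you noted from ifconfig. A key mismatch here means the wrong pair was downloaded and vCenter’s “Establish Trust” step will fail; an unreachable port 5696 usually means the appliance got a different DHCP address or a firewall sits between vCenter and the KMS.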
Finally, if you want to log into the appliance web UI, browse to the IP address on port 3886. <IP:3886>
Use the default login of admin and the default password OOHXPq6r530N6re.
From here you can change and configure a number of different items, including the default admin password, which should be changed once the appliance is deployed.