How to: Enabling vSphere/vSAN Encryption
Previously, I wrote a blog post on how to configure vSAN/vSphere encryption. This was just the first step of a two-step process. The first step, as previously stated, was how to deploy and configure the KMS Keystore. Without the KMS Keystore, encryption can’t occur. However, once that is deployed, enabling vSphere/vSAN encryption is as simple as toggling a switch! Check out this post before proceeding.
Within this blog post I will go over both methods, which include:
1) Per VM Encryption in vSphere
2) vSAN Encryption
Part 1: Enable and Configure per VM encryption within vSphere
To get started log into vSphere so that a new encryption policy can be created. It’s always best to create a new one to not only show how to, but also leave the defaults as defaults.
Select Menu, then Policies and Profiles.
Select VM Storage Policies.
Create new VM Storage Policies.
Name the policy.
Ensure Enable host based rules is selected.
Ensure Use storage policy components is selected, then choose “Default Encryption properties”.
You should see all available Datastores.
Select finish. You have successfully created a VM Encryption policy. Alternatively, you can use the default “VM Encryption Policy”.
Now that you have created a policy, you can now select a VM to encrypt.
Select a VM, go to Edit Settings, then the VM Options tab.
Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier.
Select the individual disk to encrypt. You can select one or both disks for more granular disk encryption options; only the selected disk will be encrypted.
Once you hit “OK”, the reconfiguration of the VM will begin. This will take some time.
Once completed, you should see a lock showing you that the VM is now encrypted!
Part 2: Enable and Configure vSAN encryption
To get started, log into vSphere, then go to your vSAN DataCenter and vSAN Cluster.
Go to Configure, then vSAN, and select Services. Note that Encryption is set to Disabled. Select Edit.
Toggle Encryption to ON.
Select KMS Cluster, which was previously deployed. Select Apply.
The cluster will now reconfigure to enable Encryption.
Several Disk and Disk Groups will be reconfigured.
You may see Disks added or removed from the cluster.
Additionally, you may see some Entity Scanned, etc.
Wait until all tasks have completed.
Select a VM, go to Edit Settings, then the VM Options tab. Select the Encryption drop-down and select the KMS01 Encryption Policy, which was created earlier. Select the individual disk to encrypt; you can select one or both disks for more granular disk encryption options, and only the selected disk will be encrypted. Once you hit “OK”, the reconfiguration of the VM will begin. This will take some time, and once completed you should see a lock indicating your VM is now encrypted!
Note: You can create additional policies or use the defaults. vSphere should come with a default VM Encryption Policy and a vSAN policy. You can edit and select different ones; the process is the same. Best practice is to create new policies that match your exact requirements.
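The same two procedures (Part 1, per-VM encryption through a storage policy, and Part 2, cluster-wide vSAN encryption) can be driven from PowerCLI, which is useful when you need to encrypt many VMs or verify the result from a script. The block below is an added example and is not code from the original post; it assumes PowerCLI 6.5 or later with the VMware.VimAutomation.Storage and VMware.VsanClient modules, a vCenter at the hypothetical address vcsa.lab.local, a VM named web01 and a cluster named vSAN-Cluster (both constructed names), and the KMS01 KMS cluster from the earlier post. The capability name filter used to build the custom policy is an assumption; confirm it against Get-SpbmCapability in your own environment, or simply use the default “VM Encryption Policy” as the post also allows.

```powershell
# Added example (not from the original post). Assumed names: vcsa.lab.local,
# web01, vSAN-Cluster. KMS01 is the KMS cluster name used throughout the post.
Connect-VIServer -Server vcsa.lab.local

# ---------- Part 1: per-VM encryption via a storage policy ----------

# Build a custom policy from the VM encryption capability (host-based rule).
# The '*vmcrypt*' filter is an assumption; verify with: Get-SpbmCapability
$encCap = Get-SpbmCapability | Where-Object { $_.Name -like '*vmcrypt*' }
if (-not $encCap) {
    # Fall back to the default policy the post mentions
    $policy = Get-SpbmStoragePolicy -Name 'VM Encryption Policy'
} else {
    $policy = New-SpbmStoragePolicy -Name 'KMS01 Encryption Policy' `
        -CommonRule (New-SpbmRule -Capability $encCap -Value $true)
}

# Encrypting an existing VM requires it to be powered off.
$vm = Get-VM -Name 'web01'
if ($vm.PowerState -eq 'PoweredOn') {
    Stop-VM -VM $vm -Confirm:$false | Out-Null
}

# Apply the policy to the VM home (required) and to one disk only, which
# mirrors the granular "encrypt only the selected disk" choice in the post.
Set-SpbmEntityConfiguration -Configuration (Get-SpbmEntityConfiguration -VM $vm) `
    -StoragePolicy $policy
$disk = Get-HardDisk -VM $vm -Name 'Hard disk 1'
Set-SpbmEntityConfiguration -Configuration (Get-SpbmEntityConfiguration -HardDisk $disk) `
    -StoragePolicy $policy

# Verify: the VM config now carries a key ID issued by the KMS provider,
# and the policy compliance status is reported per entity.
$vm = Get-VM -Name 'web01'
$keyId = $vm.ExtensionData.Config.KeyId
if ($keyId) {
    "VM encrypted with key {0} from provider {1}" -f $keyId.KeyId, $keyId.ProviderId.Id
} else {
    Write-Warning 'web01 has no encryption key; reconfigure did not complete'
}
Get-SpbmEntityConfiguration -VM $vm -HardDisk $disk |
    Select-Object Entity, StoragePolicy, ComplianceStatus

# ---------- Part 2: vSAN datastore encryption ----------

$cluster = Get-Cluster -Name 'vSAN-Cluster'
$kms     = Get-KmsCluster -Name 'KMS01'

# Toggle encryption on and bind the cluster to the KMS cluster. As in the
# post, this triggers a rolling reformat of disk groups; wait for the tasks.
Set-VsanClusterConfiguration -Configuration $cluster `
    -EncryptionEnabled $true -KmsCluster $kms | Out-Null

# Verify the cluster-level setting and which KMS cluster it points at.
Get-VsanClusterConfiguration -Cluster $cluster |
    Select-Object Cluster, EncryptionEnabled, KmsCluster

Disconnect-VIServer -Server vcsa.lab.local -Confirm:$false
```

Two design points worth noting. First, the VM home object must carry the encryption policy before any of its disks can; applying the policy to a disk alone fails, which is why the VM configuration is set first. Second, the two checks at the end are the scriptable equivalent of the lock icon and the Services panel in the UI: Config.KeyId tells you the VM really holds a key from the expected provider, and Get-VsanClusterConfiguration confirms the cluster is bound to KMS01 rather than to some other KMS cluster that may also be registered.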