How to: Enabling vSphere/vSAN Encryption

How to: Enabling vSphere/vSAN Encryption

Previously, I wrote a blog post on how to configure vSAN/vSphere encryption. This was just the first step of a two step process. The first step, as previously stated, was how to deploy and configure the KMS Keystore. Without the KMS Keystore, encryption can’t occur. However once that is deployed, enabling vSphere/vSAN encryption is as simple as toggling a switch! Check out this post before proceeding.

Within this blog post I will go over both methods, which include:

1) Per VM Encryption in vSphere
2) vSAN Encryption

Part 1: Enable and Configure per VM encryption within vSphere

To get started log into vSphere so that a new encryption policy can be created. It’s always best to create a new one to not only show how to, but also leave the defaults as defaults.

Capture2

Select Menu, then Policies and Profiles.

Capture1

Select VM Storage Policies. 

Capture3

Create new VM Storage Policies.

Capture4

Name the policy.

Capture5

Ensure Enable host based rules is selected.

Capture6

Select Use Storage Policy components “Default Encryption properties” is selected.

Capture7

You should see all available Datastores.

Capture8

Select finish. You have successfully created a VM Encryption policy. Alternatively, you can use the default “VM Encryption Policy”. 

Now that you have created a Policy, you can not select a VM to encrypt.

Capture

Select a VM and go to edit, the VM Options.

Capture2

Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier.

Capture3

Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted.

Capture4

Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time.

CaptureFinal

Once completed, you should see a lock showing you that the VM is now encrypted!

Part 2: Enable and Configure vSAN encryption 

To get started, log into vSphere, then go to your vSAN DataCenter and vSAN Cluster.

Capture

Go to configure, then go to vSAN and select Services. Note the Encryption is set to disabled. Select Edit.

Capture2PNG

Toggle Encryption to ON.

Capture3

Select KMS Cluster, which was previously deployed. Select Apply.

Capture1

The cluster will now reconfigure to enable Encryption.

Capture2

Several Disk and Disk Groups will be reconfigured.

Capture3

You may see Disks added or removed from the cluster.

Capture4

Additionally, you may see some Entity Scanned, etc.

Capture5

Wait until all tasks have completed.

Capture2

Select a VM and go to edit, the VM Options. Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier. Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted. Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time, and once completed you should see a lock indicating you VM is now encrypted!

Note: You can create additional policies or use defaults. vSphere should come with a default VM Encryption Policy and a vSAN policy. You can edit and select different ones, the process is the same. Best practice is to create new policies with you exact requirements.