How to: Enabling vSphere/vSAN Encryption

How to: Enabling vSphere/vSAN Encryption

Previously, I wrote a blog post on how to configure vSAN/vSphere encryption. This was just the first step of a two step process. The first step, as previously stated, was how to deploy and configure the KMS Keystore. Without the KMS Keystore, encryption can’t occur. However once that is deployed, enabling vSphere/vSAN encryption is as simple as toggling a switch! Check out this post before proceeding.

Within this blog post I will go over both methods, which include:

1) Per VM Encryption in vSphere
2) vSAN Encryption

Part 1: Enable and Configure per VM encryption within vSphere

To get started log into vSphere so that a new encryption policy can be created. It’s always best to create a new one to not only show how to, but also leave the defaults as defaults.

Capture2

Select Menu, then Policies and Profiles.

Capture1

Select VM Storage Policies. 

Capture3

Create new VM Storage Policies.

Capture4

Name the policy.

Capture5

Ensure Enable host based rules is selected.

Capture6

Select Use Storage Policy components “Default Encryption properties” is selected.

Capture7

You should see all available Datastores.

Capture8

Select finish. You have successfully created a VM Encryption policy. Alternatively, you can use the default “VM Encryption Policy”. 

Now that you have created a Policy, you can not select a VM to encrypt.

Capture

Select a VM and go to edit, the VM Options.

Capture2

Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier.

Capture3

Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted.

Capture4

Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time.

CaptureFinal

Once completed, you should see a lock showing you that the VM is now encrypted!

Part 2: Enable and Configure vSAN encryption 

To get started, log into vSphere, then go to your vSAN DataCenter and vSAN Cluster.

Capture

Go to configure, then go to vSAN and select Services. Note the Encryption is set to disabled. Select Edit.

Capture2PNG

Toggle Encryption to ON.

Capture3

Select KMS Cluster, which was previously deployed. Select Apply.

Capture1

The cluster will now reconfigure to enable Encryption.

Capture2

Several Disk and Disk Groups will be reconfigured.

Capture3

You may see Disks added or removed from the cluster.

Capture4

Additionally, you may see some Entity Scanned, etc.

Capture5

Wait until all tasks have completed.

Capture2

Select a VM and go to edit, the VM Options. Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier. Select the individual Disk to encrypt, you can select one or both for more granular Disk Encryption options. Only the selected Disk will be encrypted. Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time, and once completed you should see a lock indicating you VM is now encrypted!

Note: You can create additional policies or use defaults. vSphere should come with a default VM Encryption Policy and a vSAN policy. You can edit and select different ones, the process is the same. Best practice is to create new policies with you exact requirements.

How to: Configuring vSphere/vSAN Encryption

How to: Configuring vSphere/vSAN Encryption

Encryption: One word that means a lot of different things. Often times it is not understood.  Within the last few years, encryption has become not only more prevalent, but required in some instances.  There are several different types of encryption: At rest, in flight, etc.

According to Wikipedia,
“Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.”

The need for encryption has been needed now more than ever. Most companies now suggest enabling encryption as a best practice. Additionally, most auditors now like to see companies use encryption when possible for compliance reasons. With that said, there are several different avenues and vehicles that can meet those requirements, which includes, but are not limited to: At rest encryption within a storage array with or without Self Encrypting Drives,  in flight encryption from applications, and hardware based encryption, etc. One way of offering encryption is with a technology called KMS. KMS Stands for “Key Management Service”. KMS doesn’t itself do the heavy lifting of encryption, rather it controls the keys, which are used to do the actual encryption. Without these keys, data is locked and with them, data can become unlocked.

vSphere/vSAN offers encryption, starting in 6.5. It allows for the encrypting of data (VMDK) to protect from unauthorized access. One of the great things about vSphere/vSAN encryption is that you only need 6.5 (Enterprise Plus), and a KMS Keystore. This is a great solution for those who have an encryption requirement, but don’t have the underlying storage to facilitate encryption (important note: KMS also works with some storage arrays, but mileage varies). One of the best features of vSphere/vSAN encryption is the ability to do encryption polices within vSphere for all or select VMs within vSphere using VM Storage Policies.

This would be very beneficial for a number of ways, for example, it would prevent a user from downloading a VM and importing it into another environment to access.

Townsend Security has an NFR program for vExperts. Since I am a vExpert, I thought I would give them a try. The setup was very easy. They also assisted me with a few issues. They should be worth a look for customers needing KMS encryption. You do not have to be a vExpert to try this product! Without NFR, you still get a 30 day trial.

There are several different types of supported KMS Key Stores that VMware supports, but ensure it is using the KMIP Standard and supported on VMWare’s compatibility list. To get started, download the VMware OVA from Townsend.

Continue reading “How to: Configuring vSphere/vSAN Encryption”

How to: Installing VMware Skyline

What’s Skyline?

I’ve had a few people ask me about VMware Skyline, so I thought it would be a good bit to blog on. So, with that said, what is VMware Skyline? Accordingly to VMware Skyline Documentation, VMware Skyline is a proactive support service that provides recommendations for not only vSphere, but NSX, vSAN, vRealize Operations and Horizon.

“VMware Skyline™ is a proactive support service aligned with VMware Global Support Services. VMware Skyline automatically and securely collects, aggregates, and analyzes product usage data which proactively identifies potential problems and helps VMware Technical Support Engineers improve the resolution time.

This enables richer, more informed interactions between customers and VMware without extensive time investments by Technical Support Engineers. These capabilities transform support operations from reactive, break/fix to a proactive, predictive, and prescriptive experience that produces an even greater return on your VMware support investment.”

Features: One of the best features of Skyline is “Skyline Log Assist”.

This feature allows for support log bundles to be automatically uploaded to VMware Support. Example: Say you are having an issue with your production environment. First, you would open a case with VMware. Second, (if determined), VMware support engineers will request that you upload a support bundle.

Once you approve of the request, VMware support engineers can automatically obtain access to the logs without your intervention. This is a huge step with productivity, since any VMware Administrator can tell you just how time consuming it is to upload files!

I would recommend VMware Skyline to anyone who is running a VMware environment. The challenges of managing a large environment is time consuming, and VMware administrators are having to do more with less time. The more you can automate, the more time one can free up for more pressing issues.

Requirements: VMware Skyline is free download, but it does require a valid production support contract.

The first step to deploying VMware Skyline is to login to your my VMware account and download it. During this time, the latest version is 2.3.02.

1

Accept the End User Agreement

2

The download takes little to no time with the total download time around 500MB.

4

Once downloaded, the Skyline Appliance can be deployed as an OVF.

5

Name the VM and place it within your cluster.

6

Once compatibility checks succeed, click next.

7

Review Deployment Details and click next.

8

Accept all license agreements, and click next.

9

Select an appropriate Datastore to deploy the VM to.

10

Next, select your appropriate networks and enter the correct IP information.

11

Enter a root password to be used to manage the appliance.

12

Confirm all Networking Properties are correct.

13

Once everything looks good, select Finish.

14

The Skyline Appliance will now deploy.

15

Once deployed, the Provisioning Agents will start.

16

Once you have successfully deployed you have access to the console screen, which gives you directions on how to access and manage the appliance. Make sure to put port 5480 at the end of your address <ip>:5480 to access the appliance interface through a browser.

17

Once you have successfully deployed, you can login. The default login and password for the Skyline collector is as follows.

Default login: admin
Default Password: default

19

Finally, once you have successfully logged in for the first time, you need to reset the password. Ensure the character requirements are met and reset the password. Deploying VMware Skyline is just that simple! I will write a followup blog post describing the steps needed to complete the collection process.

 

VMware HomeLab: SuperMicro E300-8D

Well the day is finally here, the day that I can share that I’ve successfully purchased my very own HomeLab! This has been a source of struggle for me, since I’ve always wanted a HomeLab. I entertained and researched various setups, including the Intel NUC. During my search I came across the SuperMicro E300-8D, which supports up to 128GB of RAM. For more information on the E300-8D, check out SuperMicro’s Website.   It was the perfect price point and it allowed me to get the most out of my investment. It fit what I was looking for, which was a small footprint server that didn’t require much power. Additionally I wanted something quiet. While some have complained about the noise, I don’t believe it’s an issue with the stock fans, so long that it isn’t located within a sleeping area. The Server is setup in my Home Office.  I also wanted to ensure I had plenty of memory so that I wouldn’t have any issues when provisioning a nested ESXi vSAN Lab.

Continue reading “VMware HomeLab: SuperMicro E300-8D”

My journey into Presales Engineering

This is a story about my journey into Presales. It’s a rather long story describing how I’ve gotten to this point in my career. The intent isn’t to gloat, but rather paint a picture for those who are also looking to get into Presales. In my opinion, Presales is the pinnacle of IT Careers. This is a rather long read, but a story I believe is worth telling. Throughout my career in IT, I’ve had the opportunity to work with some amazing individuals, as well as great organizations who really cared for their employees. This process has been a journey to say the least.

Continue reading “My journey into Presales Engineering”

How to: Configuring GPU Passthrough on a Virtual Machine

6

GPU Capability on a VM

Recently there’s been a lot of talk regarding Machine Learning, IoT, Big Data, AI, etc. All of these industry buzz words have been the talk of the industry. These technologies now are starting to creep into the world of Virtualization. About ten years ago, it was all about moving away from Physical to Virtual, but now the conversation is starting to shift to a new conversation, which is Virtualization of new and emerging workloads.

Continue reading “How to: Configuring GPU Passthrough on a Virtual Machine”

Central MS VMUG – Q3 Meeting – Presented By Datrium

Datrium_New_Breed_of_Convergence_thumb

Today, the Central MS VMUG had its Q3 meeting. Since I am a VMUG Co-Leader I was able to help setup this meeting, which was my first. Everyone had a great time networking and learning. The food at Lou’s was great as usual!

Continue reading “Central MS VMUG – Q3 Meeting – Presented By Datrium”