How to: Configuring vSphere/vSAN Encryption
Encryption: One word that means a lot of different things. Oftentimes it is not well understood. Within the last few years, encryption has become not only more prevalent but, in some instances, required. There are several different types of encryption: at rest, in flight, etc.
According to Wikipedia,
“Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.”
The need for encryption is greater now than ever. Most companies now suggest enabling encryption as a best practice. Additionally, most auditors now like to see companies use encryption where possible for compliance reasons. With that said, there are several different avenues and vehicles that can meet those requirements, which include, but are not limited to: at-rest encryption within a storage array with or without Self-Encrypting Drives, in-flight encryption from applications, hardware-based encryption, etc. One way of offering encryption is with a technology called KMS. KMS stands for “Key Management Service”. KMS doesn’t itself do the heavy lifting of encryption; rather, it controls the keys, which are used to do the actual encryption. Without these keys, data stays locked; with them, data can be unlocked.
vSphere/vSAN offers encryption starting in 6.5. It allows for the encryption of data (VMDKs) to protect against unauthorized access. One of the great things about vSphere/vSAN encryption is that you only need 6.5 (Enterprise Plus) and a KMS key store. This is a great solution for those who have an encryption requirement but don’t have the underlying storage to facilitate encryption (important note: KMS also works with some storage arrays, but mileage varies). One of the best features of vSphere/vSAN encryption is the ability to apply encryption policies within vSphere to all or select VMs using VM Storage Policies.
This would be beneficial in a number of ways; for example, it would prevent a user from downloading a VM and importing it into another environment to access its data.
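Once encryption policies are in place, the next question is which VMs actually ended up encrypted. The PowerCLI audit below is an added example, not code from the original post or from Townsend; it assumes PowerCLI is installed with an open Connect-VIServer session, and reads the encryption state from the vSphere API objects behind Get-VM (the VM config KeyId for the VM home, and each virtual disk backing's KeyId for the VMDKs). The function and property names Get-VMEncryptionReport, HomeEncrypted, DisksEncrypted and Mixed are this example's own.

```powershell
# Added example (not from the original post): audit VM and VMDK encryption
# status in a vCenter with PowerCLI. Assumes an open Connect-VIServer session.
# VirtualMachineConfigInfo.KeyId is set when the VM home is encrypted, and a
# VirtualDisk backing's KeyId is set when that VMDK is encrypted.

function Get-VMEncryptionReport {
    [CmdletBinding()]
    param(
        # VMs to inspect; defaults to every VM in the connected vCenter.
        [Parameter(ValueFromPipeline = $true)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VirtualMachine[]]$VM = (Get-VM)
    )
    process {
        foreach ($v in $VM) {
            $config  = $v.ExtensionData.Config
            # Non-null KeyId on the config: VM home (nvram, swap, snapshots) is encrypted.
            $homeKey = $config.KeyId
            $disks    = @($config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualDisk] })
            # Backings without a KeyId property (e.g. RDM) evaluate to $null, i.e. not encrypted.
            $encDisks = @($disks | Where-Object { $null -ne $_.Backing.KeyId })
            $policy   = (Get-SpbmEntityConfiguration -VM $v -ErrorAction SilentlyContinue).StoragePolicy.Name
            $homeEnc  = [bool]$homeKey
            [pscustomobject]@{
                Name           = $v.Name
                StoragePolicy  = $policy
                HomeEncrypted  = $homeEnc
                KmsProviderId  = if ($homeEnc) { $homeKey.ProviderId.Id } else { $null }
                DisksTotal     = $disks.Count
                DisksEncrypted = $encDisks.Count
                # Mixed: some disks encrypted and others not, or home and disks disagree.
                Mixed          = ($encDisks.Count -gt 0 -and $encDisks.Count -lt $disks.Count) -or
                                 ($homeEnc -ne ($encDisks.Count -gt 0))
            }
        }
    }
}

# Usage: list every VM that is not fully encrypted, for follow-up against the storage policy.
Get-VMEncryptionReport |
    Where-Object { -not $_.HomeEncrypted -or $_.DisksEncrypted -lt $_.DisksTotal } |
    Format-Table -AutoSize
```

A VM whose policy name indicates encryption but whose report row shows Mixed or HomeEncrypted false is worth checking for a failed policy application or a disk added outside the policy.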
Townsend Security has an NFR program for vExperts. Since I am a vExpert, I thought I would give them a try. The setup was very easy. They also assisted me with a few issues. They should be worth a look for customers needing KMS encryption. You do not have to be a vExpert to try this product! Without NFR, you still get a 30-day trial.
There are several different types of KMS key stores that VMware supports, but ensure yours uses the KMIP standard and is on VMware’s compatibility list. To get started, download the VMware OVA from Townsend.