How to: Enabling vSphere/vSAN Encryption

Previously, I wrote a blog post on how to configure vSAN/vSphere encryption. This was just the first step of a two-step process. The first step, as previously stated, was how to deploy and configure the KMS Keystore. Without the KMS Keystore, encryption can’t occur. However, once that is deployed, enabling vSphere/vSAN encryption is as simple as toggling a switch! Check out this post before proceeding.

Within this blog post I will go over both methods, which include:

1) Per VM Encryption in vSphere
2) vSAN Encryption

Part 1: Enable and Configure per VM encryption within vSphere

To get started, log into vSphere so that a new encryption policy can be created. It’s always best to create a new one, both to show how it’s done and to leave the defaults as defaults.

Select Menu, then Policies and Profiles.

Select VM Storage Policies. 

Create a new VM Storage Policy.

Name the policy.

Ensure Enable host based rules is selected.

Ensure Use Storage Policy components “Default Encryption properties” is selected.

You should see all available Datastores.

Select Finish. You have successfully created a VM Encryption policy. Alternatively, you can use the default “VM Encryption Policy”.

Now that you have created a policy, you can now select a VM to encrypt.

Select a VM, go to Edit, then VM Options.

Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier.

Select the individual disk to encrypt. You can select one or both for more granular disk encryption options. Only the selected disk will be encrypted.

Once you hit “OK” the Reconfiguration of the VM will begin. This will take some time.

Once completed, you should see a lock showing you that the VM is now encrypted!

Part 2: Enable and Configure vSAN encryption 

To get started, log into vSphere, then go to your vSAN DataCenter and vSAN Cluster.

Go to Configure, then go to vSAN and select Services. Note that Encryption is set to Disabled. Select Edit.

Toggle Encryption to ON.

Select KMS Cluster, which was previously deployed. Select Apply.

The cluster will now reconfigure to enable Encryption.

Several Disk and Disk Groups will be reconfigured.

You may see Disks added or removed from the cluster.

Additionally, you may see some Entity Scanned, etc.

Wait until all tasks have completed.

Select a VM, go to Edit, then VM Options. Select the Encryption drop down and select the KMS01 Encryption Policy, which was created earlier. Select the individual disk to encrypt. You can select one or both for more granular disk encryption options. Only the selected disk will be encrypted. Once you hit “OK” the reconfiguration of the VM will begin. This will take some time, and once completed you should see a lock indicating your VM is now encrypted!

Note: You can create additional policies or use defaults. vSphere should come with a default VM Encryption Policy and a vSAN policy. You can edit and select different ones; the process is the same. Best practice is to create new policies with your exact requirements.
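Because only the disks selected in Part 1 are encrypted, it is worth auditing the result after both parts are done. The PowerCLI script below is an added example, not part of the original post: it reports the vSAN encryption state of the cluster and lists every VM disk with its encryption status and storage policy. It assumes PowerCLI is installed, `Connect-VIServer` has already been run, that the installed PowerCLI release exposes `EncryptionEnabled` and `KmsCluster` on the vSAN cluster configuration, and that `vSAN-Cluster` is a placeholder cluster name.

```powershell
# Added example: audit encryption coverage after Part 1 and Part 2.
# 'vSAN-Cluster' is a placeholder name; replace it with your own cluster.
$clusterName = 'vSAN-Cluster'
$cluster = Get-Cluster -Name $clusterName

# Part 2 check: vSAN encryption is applied at the datastore level, so it is
# reported on the cluster configuration rather than on individual VMs.
Get-VsanClusterConfiguration -Cluster $cluster |
    Select-Object Cluster, EncryptionEnabled, KmsCluster

# Part 1 check: a VM or virtual disk encrypted by a VM Encryption policy
# carries a KeyId in its vSphere API configuration; unencrypted ones do not.
$report = foreach ($vm in Get-VM -Location $cluster) {
    $homeKey = $vm.ExtensionData.Config.KeyId
    foreach ($disk in Get-HardDisk -VM $vm) {
        $diskKey = $disk.ExtensionData.Backing.KeyId
        $policy  = (Get-SpbmEntityConfiguration -HardDisk $disk).StoragePolicy
        [pscustomobject]@{
            VM              = $vm.Name
            VMHomeEncrypted = [bool]$homeKey
            Disk            = $disk.Name
            DiskEncrypted   = [bool]$diskKey
            KeyProvider     = if ($diskKey) { $diskKey.ProviderId.Id } else { $null }
            StoragePolicy   = if ($policy) { $policy.Name } else { $null }
        }
    }
}

# Full inventory, one row per virtual disk.
$report | Sort-Object VM, Disk | Format-Table -AutoSize

# Gaps: disks left unencrypted on VMs whose home files are encrypted,
# which happens when only some disks were selected in the Edit dialog.
$gaps = $report | Where-Object { $_.VMHomeEncrypted -and -not $_.DiskEncrypted }
if ($gaps) {
    Write-Warning "Unencrypted disks found on encrypted VMs:"
    $gaps | Format-Table VM, Disk, StoragePolicy -AutoSize
}
```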

VMware HomeLab: SuperMicro E300-8D

Well, the day is finally here, the day that I can share that I’ve successfully purchased my very own HomeLab! This has been a source of struggle for me, since I’ve always wanted a HomeLab. I entertained and researched various setups, including the Intel NUC. During my search I came across the SuperMicro E300-8D, which supports up to 128GB of RAM. For more information on the E300-8D, check out SuperMicro’s Website. It was the perfect price point and it allowed me to get the most out of my investment. It fit what I was looking for, which was a small footprint server that didn’t require much power. Additionally, I wanted something quiet. While some have complained about the noise, I don’t believe it’s an issue with the stock fans, so long as it isn’t located within a sleeping area. The server is set up in my home office. I also wanted to ensure I had plenty of memory so that I wouldn’t have any issues when provisioning a nested ESXi vSAN Lab.

Day One Recap: VMworld 2018

Wow! What an amazing day of announcements from VMworld 2018! If you didn’t already know, today was the first day of VMworld 2018, and it didn’t disappoint! Although I’ve never been to VMworld, I always follow each year’s event closely. With that said, I will be blogging each day to recap the major highlights and developments from the event.

Becoming a vSAN Specialist: Section 3 – vSAN Configuration

In this section, I will go over the following objectives found within the VMware vSAN Specialist Blueprint: Objective 3.1 – Identify physical network requirements

Objective 3.1 – Identify physical network requirements

Let’s start with the network basics.

  1. Dedicated network port for vSAN traffic
  2. 10GB (dedicated or shared) highly recommended (required for all-flash deployments), <1ms latency
  3. 1GB dedicated for hybrid setups. Real-world environments would suffer with 1GB (minus ROBO), <1ms latency
  4. vSAN VMkernel port required for each ESXi host, even if it isn’t contributing storage
  5. ESXi hosts within a vSAN cluster must all utilize Layer 2/3 upstream

Becoming a vSAN Specialist: Section 2 – vSAN Fundamentals

In this section, I will go over the following objectives found within the VMware vSAN Specialist Blueprint: Section 2 – vSAN Fundamentals

Objective 2.1 – Provide a high-level description of vSAN

Introduction to vSAN

vSAN is an enterprise-class software storage solution built directly into the VMware platform. It runs on commodity hardware (x86) or vSAN Ready nodes. What does this mean? Instead of having a separate software solution controlling the storage, the actual ESXi hosts, alongside vSphere, have the vSAN technology (Software Defined Storage) built directly into the kernel/software. This software then utilizes the commodity hardware (compute, storage, network) within the host/appliance to create the perfect marriage of virtualization and software defined storage. It utilizes storage policies to intelligently place VM objects on underlying local storage. This is the special sauce that makes vSAN so great. It automates storage on many levels, which in turn leads to significant simplification with regard to how storage is provisioned and managed.

Why is this important? Instead of having to buy separate software, you can utilize this software since it’s already a part of vSphere. This in combination with local disk installed within x86 hardware makes the vSAN solution a truly modern and software defined solution. This reduces costs and complexity.

Becoming a vSAN Specialist: Section 1 – Storage Fundamentals

In this section, I will go over the following objectives found within the VMware vSAN Specialist Blueprint: Section 1- Storage Fundamentals

Objective 1.1 – Identify storage device characteristics

vSAN is very similar to today’s traditional storage technologies; however, there are some key differences and unique configurations vSAN utilizes to make it the technology it is today. Here are some of the storage device characteristics that make vSAN hum. These are also requirements in order to use vSAN. Be sure to check out the HCL for vSAN, as it’s the TRUTH and should always be followed to ensure success!
