This feature will encrypt the VM configuration file (VMX), the swap files of the VM, and the VMDK file. This means it will encrypt live memory content and data. As I/O comes out of the VM's virtual disk controller, a module in the kernel of an ESXi host immediately encrypts it before sending it to the kernel storage layer.
VM Encryption in vSphere 6.5: How does it work?
Before you can use vSphere VM Encryption to perform encryption operations, you must connect your vCenter Server to a key management server (KMS).
Through the vSphere client, right-click vCenter server > Settings > Configure tab > Key management servers > Add KMS.
VMware provides and supports many different KMSes. You might want to check this VMware knowledge base (KB) article detailing the setup: Connect a vCenter Server System to a Key Management Server (KMS). Note that VM keys do not persist in vCenter.
vSphere VM Encryption: The three main components
- External KMS: a separate VM (or physical machine) that distributes keys.
- vCenter server: requests keys from the KMS and distributes those keys as needed to ESXi hosts.
- ESXi host: receives the key encryption keys (KEKs) that vCenter server pushes to it. The host uses the KEKs to generate the data encryption keys (DEKs), which it then uses for encrypting and decrypting VM files. It uses the KEKs to encrypt the DEKs and stores these encrypted DEKs in the VM's configuration files.
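The three-component key hierarchy above is a form of envelope encryption: the DEK protects the VM data, the KEK (held by the KMS and handed out through vCenter) protects the DEK, and only the wrapped DEK is ever written to disk. The following PowerShell script is an added illustration of that model, not VMware's code and not the algorithms ESXi actually uses (this toy uses AES-CBC without authentication; the real product uses different disk-encryption modes and key formats). The KEK is generated locally here as a stand-in for a KMS-issued key.

```powershell
# Added illustration of the KEK/DEK envelope model (not VMware's implementation).
# Uses .NET AES so it runs in Windows PowerShell 5.1 and PowerShell 7 alike.

function New-RandomKey {
    # Returns $Bytes of cryptographically random key material.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}

function Protect-Bytes {
    # AES-256-CBC with a fresh random IV; the IV is prepended so the blob is self-describing.
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $Key
    $aes.GenerateIV()
    $enc = $aes.CreateEncryptor()
    $ct  = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return ,[byte[]]($aes.IV + $ct)
}

function Unprotect-Bytes {
    # Inverse of Protect-Bytes: first 16 bytes are the IV, the rest is ciphertext.
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    $dec = $aes.CreateDecryptor()
    return ,[byte[]]$dec.TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# 1. KEK: in vSphere this is issued by the external KMS and pushed to the host by vCenter.
#    Here it is a locally generated stand-in (assumption for this illustration).
$kek = New-RandomKey

# 2. DEK: generated on the host and used for the actual VM data (VMX, swap, VMDK).
$dek = New-RandomKey
$vmdkBytes    = [Text.Encoding]::UTF8.GetBytes('constructed sample: contents of a VMDK block')
$encryptedVmdk = Protect-Bytes -Key $dek -Plaintext $vmdkBytes

# 3. The DEK is never stored in clear: wrap it with the KEK and keep only the wrapped copy.
#    vSphere keeps the wrapped DEK in the VM's configuration files; the KEK stays in the KMS.
$wrappedDek = Protect-Bytes -Key $kek -Plaintext $dek
[Array]::Clear($dek, 0, $dek.Length)    # plaintext DEK is discarded after wrapping

# 4. At power-on the host obtains the KEK again via vCenter, unwraps the DEK and decrypts.
$recoveredDek = Unprotect-Bytes -Key $kek -Blob $wrappedDek
$plain = [Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Key $recoveredDek -Blob $encryptedVmdk))

"Wrapped DEK ({0} bytes) is all that sits next to the data; recovered plaintext: {1}" -f $wrappedDek.Length, $plain
```

The point the script makes concrete is the blast radius: losing the wrapped DEK file alone reveals nothing, and losing access to the KMS (and with it the KEK) makes the VM unrecoverable, which is why vCenter must be able to reach the KMS before you encrypt anything.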
Where to manage the encryption?
You need to apply the policy to the VM. So select your VM and go to Configure > Policies > Edit VM Storage Policies.
After validating the selection, vSphere will encrypt the VM.
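The same two steps (confirm the KMS connection, then apply the encryption storage policy) can be scripted with PowerCLI. The script below is an added example, not from the article or VMware's documentation. It assumes an open PowerCLI session (`Connect-VIServer` already run), a powered-off VM named `web01` (placeholder), the built-in `VM Encryption Policy`, and a user holding the cryptographic operations privileges.

```powershell
# Added PowerCLI example (not the article's code). Assumes Connect-VIServer has been run.
$vmName = 'web01'   # placeholder VM name

# 1. Confirm that vCenter has at least one active KMS cluster; encryption cannot start without one.
$si        = Get-View ServiceInstance
$cryptoMgr = Get-View $si.Content.CryptoManager          # CryptoManagerKmip
$activeClusters = @($cryptoMgr.KmipServers | Where-Object {
    $cryptoMgr.IsKmsClusterActive($_.ClusterId)
})
if ($activeClusters.Count -eq 0) {
    throw 'No active KMS cluster is registered with this vCenter Server; add one first.'
}
'Active KMS cluster(s): ' + (($activeClusters | ForEach-Object { $_.ClusterId.Id }) -join ', ')

# 2. An existing VM has to be powered off before its files can be encrypted.
$vm = Get-VM -Name $vmName
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off before it can be encrypted."
}

# 3. Apply the built-in encryption policy to the VM home (VMX, swap) and to every virtual disk.
$policy = Get-SpbmStoragePolicy -Name 'VM Encryption Policy'
$vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null
Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

# 4. Verify: an encrypted VM carries a key id (and the KMS cluster id) in its configuration,
#    and each encrypted disk carries a key id in its backing. A missing KeyId means "not encrypted".
$cfg = (Get-VM -Name $vmName).ExtensionData.Config
[pscustomobject]@{
    VM          = $vmName
    VmHomeKeyId = $cfg.KeyId.KeyId
    KmsCluster  = $cfg.KeyId.ProviderId.Id
    DiskKeyIds  = ($cfg.Hardware.Device |
                   Where-Object { $_ -is [VMware.Vim.VirtualDisk] } |
                   ForEach-Object { $_.Backing.KeyId.KeyId }) -join ', '
}
```

Step 4 is the check worth keeping around: applying the policy only to the VM home leaves the VMDKs in clear, and the per-disk `KeyId` is the quickest way to spot that.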
vMotion encryption
It is possible to use the new vMotion encryption side by side with VM disk encryption. So even during the vMotion process, this will secure and protect your data against sniffing or man-in-the-middle attacks.
The vMotion encryption feature secures the confidentiality, integrity, and authenticity of data transferred with vMotion. Encrypted vMotion supports all variants of vMotion for unencrypted VMs, including migration across vCenter server systems. However, VMware does not support migration across vCenter server systems for encrypted VMs.
Through the VM hardware option in the vSphere client, simply select a VM and then go to Edit settings > VM Options > Encryption.
You can also apply vMotion encryption on a per-VM level. When migrating a VM using vMotion, vCenter server generates a random 256-bit key for the transfer (it does not involve the KMS in this process).
As you can see in the screenshot below, there are three options to choose from depending on whether the destination host supports encryption or not:
For each option, VMware VM Encryption checks the source, the destination ESXi host, the version of ESXi running, and whether it supports encryption. If this isn't the case, it does not execute the vMotion operation.
These are the three options you can set:
- Disabled: don't use encrypted vMotion.
- Opportunistic: use when the source and destination hosts support encryption.
- Required: encrypted vMotion only. If the source or destination host does not support encrypted vMotion, migration with vMotion fails.
For encrypted VMs, vMotion encryption is always set to Required; unencrypted VMs can optionally use it too.
When you encrypt a VM, it keeps a record of the current encrypted vSphere vMotion setting. If you later disable encryption for the virtual machine, the encrypted vMotion setting stays as Required until you change the setting explicitly.
You can enable or disable encrypted vMotion in the VM's settings.
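The per-VM setting described above is exposed in the vSphere API as the `migrateEncryption` property of the VM configuration (`disabled`, `opportunistic` or `required`, matching the three client options). The PowerCLI functions below are an added example, not from the article or VMware, for auditing that setting across all VMs and changing it on one. They assume an open PowerCLI session (`Connect-VIServer` already run) and use the placeholder VM name `web01`.

```powershell
# Added PowerCLI example (not the article's code). Assumes Connect-VIServer has been run.
# VirtualMachineConfigInfo.migrateEncryption reads the mode; VirtualMachineConfigSpec.migrateEncryption sets it.

function Get-VMotionEncryptionMode {
    # Reports whether the VM's files are encrypted and which encrypted vMotion mode it carries.
    param([Parameter(Mandatory)][string]$VMName)
    $cfg = (Get-VM -Name $VMName).ExtensionData.Config
    [pscustomobject]@{
        VM                = $VMName
        FilesEncrypted    = [bool]$cfg.KeyId         # a key id is present only on encrypted VMs
        MigrateEncryption = $cfg.MigrateEncryption   # 'disabled', 'opportunistic' or 'required'
    }
}

function Set-VMotionEncryptionMode {
    # Changes the per-VM encrypted vMotion mode via ReconfigVM.
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('disabled', 'opportunistic', 'required')][string]$Mode
    )
    $vm = Get-VM -Name $VMName
    # Encrypted VMs always use 'required'; refuse to lower it instead of letting the API reject it.
    if ($vm.ExtensionData.Config.KeyId -and $Mode -ne 'required') {
        throw "$VMName is encrypted; encrypted vMotion stays 'required' for encrypted VMs."
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Mode
    $vm.ExtensionData.ReconfigVM($spec)              # synchronous form of ReconfigVM_Task
}

# Audit: list every VM with its encryption state and vMotion mode, 'disabled' first so it stands out.
Get-VM | ForEach-Object { Get-VMotionEncryptionMode -VMName $_.Name } |
    Sort-Object MigrateEncryption | Format-Table -AutoSize

# Tighten one unencrypted VM to 'required' (only sensible when every host it can migrate to
# supports encrypted vMotion; otherwise the migration will fail, as the article notes).
Set-VMotionEncryptionMode -VMName 'web01' -Mode 'required'
Get-VMotionEncryptionMode -VMName 'web01'
```

Running the audit after decrypting a VM also shows the behaviour the article describes: the VM reports `FilesEncrypted = False` while `MigrateEncryption` remains `required` until you change it explicitly.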
No cryptography administrator role
You can assign a No cryptography administrator role to vCenter server users who do not need cryptographic operation privileges. This is to avoid situations where several enterprise administrators work in a team, and you do not want to assign them the cryptographic operations privilege.
So in this case you would simply give them the No cryptography administrator role, which still allows them to manage the rest of the vSphere infrastructure. To set this role, go to Administration > Global Permissions > Manage > pick a user > Edit.
VM Encryption and vMotion encryption are additional steps forward for securing VMware infrastructures. VM Encryption adds a little CPU overhead, true. But compared to what it offers, it is a small price to pay.