VMworld 2016: vSphere Encryption Deep Dive

External Threats

  • Nation states, profit motive, highly skilled, social engineering

Internal Threats

  • Snowden.
  • Admins who abuse privileges
  • Physical access to data

VMware’s Vision for security – Secure Access, Secure Infrastructure, Secure Data

VM Encryption Preview

  • Encryption managed via storage policies – Encryption done in ESXi kernel, uses AES-NI, and uses XTS-AES-256.
  • No modification within the guest. VM agnostic.
  • Policy driven. Full support of vMotion and vMotion is encrypted.
  • Uses an external KMS (KMIP compliant)
  • VMDKs are encrypted along with external files such as VMX, snapshots, etc.

Who manages VM encryption?

  • Security admin will manage your KMS and keys
  • Subset of vSphere admins will manage encryption within vSphere

vCenter RBAC has been enhanced for granular encryption control. For example, prevent admins from downloading encrypted VMDKs or opening a console to an encrypted VM.

Key Managers

  • KMIP 1.1 compliant key managers
  • Tested a variety such as Thales, HyTrust, etc.

Key Management Best Practices

  • KMS keys are pushed to all hosts for HA purposes
  • Multiple key managers are supported
  • Expired keys will not be used for new encryption operations. No deep re-encryption needed with new VM key. Shallow re-key operation.
  • No KMS means no booting of encrypted VMs
  • KMS needs to be as reliable as DNS. It must be highly available.

Core Dumps

  • Core dumps are encrypted with a host key
  • Logs are not encrypted
  • You can re-encrypt the core dump with a password (e.g. GSS support needs)
  • Always collect support bundle with a password
  • Uses OpenSSL for core re-keys

Backup, Restore and VM Best Practices

  • SAN mode backups are not supported (use hot-add).
  • No API changes for backup products
  • Backup proxy VM must be encrypted.
  • Backup service account needs cryptographer.directaccess permission
  • Backed-up data is not encrypted
  • Have a policy in place to re-encrypt a restored VM
  • Backup solution should provide its own encryption solution
  • Don’t encrypt vCenter or your PSCs

Encrypted vMotion

  • 3 modes: Disabled, Opportunistic, Required
  • Configure vMotion encryption from vCenter GUI
  • One-time usage key for each vMotion
  • Set vMotion encryption via PowerShell as well
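
The PowerShell route, as an added example that is not from the session or from VMware: a PowerCLI audit that reports each VM's encrypted vMotion mode and can set it to Required. It assumes an existing Connect-VIServer session and the `MigrateEncryption` property as exposed by the vSphere 6.5 and later API; the function names and the `pii-*` pattern are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI, an existing Connect-VIServer session,
# and a vCenter whose API exposes Config.MigrateEncryption (vSphere 6.5+).

function Get-VMotionEncryptionMode {
    # Report the encrypted vMotion mode of every non-template VM matching -Name.
    param([string]$Name = '*')
    Get-View -ViewType VirtualMachine -Property Name, Config.Template, Config.MigrateEncryption |
        Where-Object { $_.Name -like $Name -and $_.Config -and -not $_.Config.Template } |
        ForEach-Object {
            $mode = $_.Config.MigrateEncryption
            [pscustomobject]@{
                Name        = $_.Name
                MoRef       = $_.MoRef
                CurrentMode = if ($mode) { $mode } else { 'unset' }
                Compliant   = ($mode -eq 'required')
            }
        }
}

function Set-VMotionEncryptionMode {
    # Reconfigure one VM; accepts the report objects above from the pipeline.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        $MoRef,
        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$Name,
        [ValidateSet('disabled', 'opportunistic', 'required')]
        [string]$Mode = 'required'
    )
    process {
        if ($PSCmdlet.ShouldProcess($Name, "Set encrypted vMotion mode to '$Mode'")) {
            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.MigrateEncryption = $Mode
            (Get-View -Id $MoRef -Property Name).ReconfigVM($spec)
        }
    }
}

# List VMs whose mode is not 'required':
#   Get-VMotionEncryptionMode | Where-Object { -not $_.Compliant } | Format-Table Name, CurrentMode
# Preview the change for VMs matching a hypothetical naming pattern, then drop -WhatIf:
#   Get-VMotionEncryptionMode -Name 'pii-*' | Where-Object { -not $_.Compliant } | Set-VMotionEncryptionMode -WhatIf
```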


1 Comment
September 28, 2017 9:09 am

Can you encrypt one VMDK for a VM with this? Use case: we have a file server but want to add another drive to it that is encrypted for PII data.