- Nation states, profit motive, highly skilled, social engineering
- Admins who abuse privileges
- Physical access to data
VMware’s Vision for security – Secure Access, Secure Infrastructure, Secure Data
VM Encryption Preview
- Encryption managed via storage policies – Encryption done in ESXi kernel, uses AES-NI, and uses XTS-AES-256.
- No modification within the guest. VM agnostic.
- Policy driven. Full support of vMotion and vMotion is encrypted.
- Uses an external KMS (KMIP compliant)
- VMDKs are encrypted along with external files such as VMX, snapshots, etc.
Who manages VM encryption?
- Security admin will manage your KMS and keys
- Subset of vSphere admins will manage encryption within vSphere
vCenter RBAC has been enhanced for granular encryption control. For example, prevent admins from downloading encrypted VMDKs or opening a console to an encrypted VM.
- KMIP 1.1 compliant key managers
- Tested a variety such as Thales, HyTrust, etc.
Key Management Best Practices
- KMS keys are pushed to all hosts for HA purposes
- Multiple key managers are supported
- Expired keys will not be used for new encryption operations. No deep re-encryption needed with new VM key. Shallow re-key operation.
- No KMS means no booting of encrypted VMs
- KMS needs to be as reliable as DNS. It must be highly available.
- Core dumps are encrypted with a host key
- Logs are not encrypted
- You can re-encrypt the core dump with a password (e.g. GSS support needs)
- Always collect support bundle with a password
- Uses OpenSSL for core re-keys
Backup, Restore and VM Best Practices
- SAN mode backups are not supported (use hot-add).
- No API changes for backup products
- Backup proxy VM must be encrypted.
- Backup service account needs cryptographer.directaccess permission
- Backup data is not backed up encrypted
- Have a policy in place to re-encrypt a restored VM
- Backup solution should provide its own encryption solution
- Don’t encrypt vCenter or your PSCs
- 3 modes: Disabled, Opportunistic, Required
- Configure vMotion encryption from vCenter GUI
- One-time usage key for each vMotion
- Set vMotion encryption via PowerShell as well