Xtravirt — How to enable VMware vSAN Encryption


How to enable VMware vSAN Encryption

By Curtis Brown

Introduction

This little post is a how-to guide for enabling encryption on VMware vSAN. To do this, we'll need a few ingredients:

  • A VMware vSphere 6.5 cluster with VMware vSAN enabled
  • A Key Management Server Solution (KMS)

The Key Management Server (not to be mistaken for Microsoft's licence key solution) provides the encryption keys for vSAN encryption. This should be a robust solution (ideally, multiple nodes), because without it vSAN becomes inaccessible! Also, a tip – don't put your KMS solution in the vSAN you're about to encrypt; that would be a really bad idea!

In the case of the estate stood up for this blog post, HyTrust KeyControl 4.1 was deployed. It's an easy-to-use product that does exactly what's required.

Registering the KMS in VMware vSphere

VMware vCenter supports the KMIP standard for connected KMS servers (VMware have certified a number of products). In the case of our HyTrust KeyControl appliance, we have to enable the KMIP server service and set the protocol version to 1.1.


We also need to set up a service user account on the KMS. It's important not to set a password for this account: we're using certificates to authenticate, and setting a password prevents vSphere from using the account with the HyTrust solution. We then download the SSL certificate for the user (a ZIP file containing the CA certificate and the user certificate as PEM files).

Logged on as an administrator in the VMware vCenter Web Client, we open up the configuration of the vCenter server and add our KMS:


We enter a name for the KMS cluster and the details for the first node (other nodes can be added under this cluster later). The port is 5696 for most solutions.

We then have to trust the certificate for the Server:


At this point we have the configuration, but a trusted connection has yet to be established. We establish the trust using the menu option below:


There are a few ways of achieving this (see the screenshot below), but we'll be uploading the certificates we downloaded earlier:


In our case, we upload the User PEM twice:


And, voilà, we're ready to go forth and enable vSAN encryption.

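Before uploading the PEM pair, it is worth checking that the user certificate really chains to the CA certificate from the same ZIP and is not close to expiry, since an expired or mismatched client certificate is exactly what stops vCenter reaching the KMS later. This is an added example, not part of the original post or of HyTrust's tooling; it assumes `openssl` is installed, and the CA and client certificate it generates are throwaway test data standing in for the exported ZIP contents.

```shell
#!/bin/sh
# Added example: pre-flight checks on the KMS service-account PEM files before
# they are uploaded to vCenter. Assumes openssl is in PATH.
set -eu

# check_kms_bundle CA_PEM USER_PEM
# Returns 0 when USER_PEM is issued by CA_PEM and stays valid for at least
# 30 days; 1 on a chain failure, 2 when the certificate expires too soon.
check_kms_bundle() {
    ca="$1"; user="$2"
    # 1. The user certificate must be signed by the CA vCenter is told to trust.
    openssl verify -CAfile "$ca" "$user" >/dev/null 2>&1 \
        || { echo "chain: FAIL ($user not issued by $ca)"; return 1; }
    # 2. Warn well ahead of expiry: 2592000 s = 30 days.
    openssl x509 -in "$user" -noout -checkend 2592000 >/dev/null \
        || { echo "expiry: FAIL ($user expires within 30 days)"; return 2; }
    echo "ok: $(openssl x509 -in "$user" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# probe_kmip HOST [PORT]
# Shows the TLS handshake against the KMIP listener (5696 by default) so a
# blocked port or a server certificate vCenter will not trust is seen before
# the "establish trust" step. Not exercised by the constructed test data.
probe_kmip() {
    openssl s_client -connect "$1:${2:-5696}" </dev/null 2>&1 \
        | grep -E 'Verify return code|Protocol  *:'
}

# make_demo_bundle DIR
# Constructed test data (hypothetical names, not real HyTrust output): a
# throwaway CA, a client cert it signs, and a second unrelated CA that the
# chain check must reject.
make_demo_bundle() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -days 3650 -subj "/CN=demo-kms-ca" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/user.key" \
        -out "$d/user.csr" -subj "/CN=vcenter-kms-svc" >/dev/null 2>&1
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/user.pem" -days 365 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -out "$d/other-ca.pem" -days 3650 -subj "/CN=unrelated-ca" >/dev/null 2>&1
}
```

Run it against the real files with `check_kms_bundle ca.pem user.pem` after unzipping the download; a non-zero exit means fix the KMS side before touching vCenter.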

Enabling VMware vSAN Encryption

Here's the easy bit. We'll assume you already have vSAN up and running and will be enabling vSAN encryption on it. If this is a pre-existing cluster, remember to leave enough free capacity in the cluster to accommodate the evacuation and reformatting of a host, because the operation temporarily removes a host from the cluster while its disk format is changed.

We open the Cluster Configuration and select vSAN > General.


Edit the settings to enable Encryption. We can erase the disks before use if we wish, but the key step is selecting the KMS server and clicking OK. Allowing reduced redundancy reduces the number of VM data moves while the encryption process is under way.


At this point the cluster will reconfigure, enabling de-duplication. This can take a little while, so be patient. And that's it done.


Closing Thoughts

This is a relatively simple feature to enable, providing a measure of data security for little effort.

If you’re considering developing a VMware vSAN based estate and need assistance, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with strengths in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2018.

xtraCBrown virtualisation virtualization cloud vSAN VMware Encryption vSphere
