Leakage of confidential business information can become a true disaster for any company. Therefore, data security is an issue of prime importance for most companies. When organizing an IT infrastructure, administrators’ top question is how to ensure secure storage for sensitive business information.
In this article, I suggest taking a closer look at a relatively recent method of ensuring data security, along with best practices and more: VMware virtual machine encryption, which can be a good remedy against intruders for your organization.
Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption.
Gaining access to encrypted information requires a person or application to possess the “key” to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism, whereby, if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.
In spite of its ability to secure VMs against unauthorized use, VM-level encryption has been a slow starter, in large part due to bugs in the system. VMware hopes to smooth out these kinks with its own VM Encryption tool, included in vSphere 6.5.
vSphere 6.5 VM Encryption doesn't occur within the guest OS, but rather at the hypervisor of Virtual Machine File System level. This way, there's nothing to install in the guest OS in either Windows or Linux.
With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. - source
Two types of keys are used for encryption.
vSphere Virtual Machine Encryption supports encryption of virtual machine files, virtual disk files, and core dump files.
All VM files -- including Virtual Machine Disk files, virtual machine executable (VMX) configuration files, snapshot files and VMX swap files -- are stored in folders. All files stored in folders are encrypted.
Encryption is managed by the hypervisor, rather than the guest VM, which means the keys are not exploitable through the VM's memory.
VM encryption is implemented based on the AES-NI algorithm. Key management is organized according to the KMIP 1.1 standard. Encryption of VM objects takes place at the host level. Therefore, the guest OS does not have access to encryption keys. Encrypted virtual machines move between ESXi hosts by means of encrypted vMotion.
With VMware VM encryption, encryptable and not-encryptable virtual machine data are as follows:
Encryptable | Not encryptable |
VM files | Log files |
Virtual disk files | VM configuration files |
Host core dump files | Virtual disk descriptor files |
To start with, let’s break down the three major VMware VM components:
Important note: vCenter does not store and does not save KMS keys, it keeps the list of key identifiers only.
Note 2: It’s also good to know that if your processor supports the AES-NI instruction set, encryption and decryption operations will be processed faster.
Now that we know how VM encryption works with VMware, let’s take a closer look at some scenarios you should keep in mind if things go wrong.
The keys that have encrypted the host data will be deleted from the host memory after the reboot. However, the keys will be retrieved from KMS by the identifier and will be transferred to the host via vCenter as soon as the host reconnects to vCenter.
Virtual machines and hosts will work as usual because the encryption key is saved to the host memory cache. If vCenter is “dead”, recover it from a backup. If you don’t have a backup, install a new vCenter and reconnect it to KMS.
Recover the KMS from a backup as soon as possible. Once you opt for encryption in your infrastructure, KMS availability becomes the top priority. Loss of KMS is a risk with the highest priority. It can result in a total loss of data and perhaps your whole business!
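The failure scenarios above, modeled as an added Python example (not VMware code and not part of the original article). The class and method names are hypothetical, and the model only tracks which component holds the key material; it performs no encryption.

```python
import os

class KMS:  # holds the real key material, indexed by key identifier
    def __init__(self):
        self.keys = {}
    def create_key(self):
        key_id = os.urandom(4).hex()  # constructed sample identifier
        self.keys[key_id] = os.urandom(32)
        return key_id

class VCenter:  # keeps key identifiers only and relays keys to hosts
    def __init__(self, kms):
        self.kms, self.key_ids, self.online = kms, [], True
    def new_key_id(self):
        self.key_ids.append(self.kms.create_key())
        return self.key_ids[-1]
    def relay(self, key_id):
        if not self.online:
            raise ConnectionError("vCenter is down")
        return self.kms.keys[key_id]  # KeyError once the KMS lost the key

class Host:  # caches keys in memory; a reboot empties the cache
    def __init__(self, vcenter):
        self.vcenter, self.cache = vcenter, {}
    def reboot(self):
        self.cache.clear()
    def can_unlock(self, key_id):
        try:
            if key_id not in self.cache:
                self.cache[key_id] = self.vcenter.relay(key_id)
            return True
        except (KeyError, ConnectionError):
            return False

def run_scenarios():
    kms = KMS()
    vc = VCenter(kms)
    host, kid, out = Host(vc), vc.new_key_id(), {}
    host.reboot()
    out["host_reboot"] = host.can_unlock(kid)   # refetched by identifier
    vc.online = False
    out["vcenter_down"] = host.can_unlock(kid)  # served from the host cache
    vc.online, lost, kms.keys = True, kms.keys, {}
    host.reboot()
    out["kms_lost"] = host.can_unlock(kid)      # nobody holds the key now
    kms.keys = lost                             # KMS restored from backup
    out["kms_restored"] = host.can_unlock(kid)
    return out
```

Calling `run_scenarios()` returns one boolean per scenario; only the lost KMS leaves the VM locked, which is why the KMS backup matters most.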
More recommendations on what to consider when implementing encryption are available at the official VMware website.
To turn on VM encryption, change the VM's Storage Policy to Encryption Policy.
To turn it off, change the Storage Policy from Encryption Policy to any other.
Do | Don’t |
Back up KMS, vCenter and virtual machines. | Don’t encrypt vCenter Server Appliance. |
Deploy KMS on a separate host. | Don’t edit VMX and VMDK files. These files include an encryption pattern. The changes might make virtual machine recovery impossible. |
Build a KMS cluster from 2-3 hosts. | |
Install KMS in a public cloud, e.g. Amazon or Azure, for the sake of disaster resiliency. | |
Follow these general best practices to avoid problems.
Set up policies on backup and restore operations.
Data has become too valuable an asset for the business to ever ignore its security. To date, encryption at the virtual level might be the most reliable way to store and manage your important information. Here, I’ve given a deeper insight into what VMware VM encryption is, how it works, and what to consider to mitigate your risks. I hope I’ve inspired you to use encryption as a method of data security.
Thanks
Maria.K
Web Security Expert
@WP Hacked Help [ Security Blog ]