I have a couple of queries on vSAN. I made good efforts to locate any relevant information; however, I was not satisfied with the results. Below are my questions.
Though I understand vSAN Encryption is data-at-rest encryption, all I'm trying to do is investigate any possible threats.
Hi Techstarts,
From a backup perspective, the backup software is unaware of vSAN Encryption. Whether vSAN encryption is enabled/disabled at backup and vice versa on restore, the process works the same way as if there was no encryption at all. The behavior is different for VM backup where the data is encrypted in-flight; however, this prevents some storage features from working such as dedupe/compression because the VM is encrypted.
I have done extensive testing with different scenarios with Veeam Encryption + vSAN Encryption and was not able to "break" it.
vSAN encryption is encryption at rest, and it is done when the data is being written to disk. So it may look and feel as if backups/restores are un-encrypted, but if you take a disk out, it will be encrypted, and unreadable. You can certainly use it in combination with software backup encryption, and let the backup software take care of the backup encryption. You can also use both vSAN encryption, and VM encryption (on different storage), leveraging the same KMS.
Hi GreatWhiteTec,
To repeat what I understood from your response
=> Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient.
=> You potentially end up in double encryption. 1) vSAN Encryption 2) Backup encryption. As encryption/decryption do not have to happen, the time is same as backup or restore of any normal VM.
=> This question is answered above
=> Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient. With vSAN Encryption dedupe/compression is not affected, BUT with VM encryption (vSphere) dedupe/compression will not take place.
=> You potentially end up in double encryption. 1) vSAN Encryption 2) Backup encryption. As encryption/decryption do not have to happen, the time is same as backup or restore of any normal VM.
Yes, but the double encryption is not in the same place, unless you are encrypting backups on an encryption-enabled vSAN cluster as a target storage. So, if your backup target is an external storage and you decide to encrypt them, your backups will be encrypted on the external storage, and your original VMs are encrypted on vSAN. The vSAN encryption doesn't follow the VM when you back it up to an external storage.
=> This question is answered above
Thank you for your insightful comments and advice.
It is much clearer now.
Since vSAN encryption does not follow the VM, is it possible to restore this VM on any non-encrypted vSAN datastore? I think it is, as the backup software will restore it as another file, and since there is no DEK associated with the VM it will work, unless I'm wrong.
You are correct. So if you backup from your PROD vSAN encrypted cluster, you can still restore the VMs to your DR site running on other storage or a different vSAN cluster.
As far as the DEK, this key is not associated to a VM in vSAN Encryption, but to a disk in vSAN instead. Each disk in the cluster has a unique DEK. The KEK from KMS is used to encrypt the DEK.
Thanks a lot for final inputs. One can build a good blog article out of this post which I'm planning very soon.
I marked each of your responses as Helpful.