VMware Cloud Community
Techstarts
Expert

vSAN Encryption Queries

I have a couple of queries on vSAN. I made a good effort to locate relevant information but was not satisfied with the results. Below are my questions:

  • What is the backup support for vSAN encryption?
  • When a backup is done, I understand the VM is decrypted and it is then left to the backup vendor to encrypt. Is there a study on decryption time?
  • Now when the VM is restored, it will be restored as a decrypted VM, right? So if a rogue backup admin chooses to restore the VM, he will always have access to the VM?

Though I understand vSAN Encryption is data-at-rest encryption, I'm just trying to investigate any possible threats.

With Great Regards,
GreatWhiteTec
VMware Employee

Hi Techstarts,

From a backup perspective, the backup software is unaware of vSAN Encryption. Whether vSAN encryption is enabled/disabled at backup and vice versa on restore, the process works the same way as if there was no encryption at all. The behavior is different for VM backup where the data is encrypted in-flight; however, this prevents some storage features such as dedupe/compression from working because the VM is encrypted.

I have done extensive testing with different scenarios with Veeam Encryption + vSAN Encryption and was not able to "break" it.

vSAN encryption is encryption at rest, and it is done when the data is being written to disk. So it may look and feel as if backups/restores are unencrypted, but if you take a disk out, it will be encrypted and unreadable. You can certainly use it in combination with software backup encryption, and let the backup software take care of the backup encryption. You can also use both vSAN encryption and VM encryption (on different storage), leveraging the same KMS.

Techstarts
Expert

Hi GreatWhiteTec,

To repeat what I understood from your response:

  • What is the backup support for vSAN encryption?

=> Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient.

  • When a backup is done, I understand the VM is decrypted and it is then left to the backup vendor to encrypt. Is there a study on decryption time?

=> You potentially end up with double encryption: 1) vSAN Encryption 2) Backup encryption. As encryption/decryption does not have to happen, the time is the same as the backup or restore of any normal VM.

  • Now when the VM is restored, it will be restored as a decrypted VM, right? So if a rogue backup admin chooses to restore the VM, he will always have access to the VM?

=> This question is answered above

With Great Regards,
GreatWhiteTec
VMware Employee

  • What is the backup support for vSAN encryption?

=> Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient.

With vSAN Encryption, dedupe/compression is not affected, BUT with VM encryption (vSphere), dedupe/compression will not take place.

  • When a backup is done, I understand the VM is decrypted and it is then left to the backup vendor to encrypt. Is there a study on decryption time?

=> You potentially end up with double encryption: 1) vSAN Encryption 2) Backup encryption. As encryption/decryption does not have to happen, the time is the same as the backup or restore of any normal VM.

Yes, but the double encryption is not in the same place, unless you are encrypting backups on an encryption-enabled vSAN cluster as the target storage. So, if your backup target is external storage and you decide to encrypt the backups, they will be encrypted on the external storage, and your original VMs are encrypted on vSAN. The vSAN encryption doesn't follow the VM when you back it up to external storage.

  • Now when the VM is restored, it will be restored as a decrypted VM, right? So if a rogue backup admin chooses to restore the VM, he will always have access to the VM?

=> This question is answered above

Techstarts
Expert

Thank you for your insightful comments and advice.

It is much clearer now.

Since vSAN encryption does not follow the VM, is it possible to restore this VM on any non-encrypted vSAN datastore? I think it is, as the backup software will restore it as another file, and since there is no DEK associated with the VM it will work, unless I'm wrong.

With Great Regards,
GreatWhiteTec
VMware Employee

You are correct. So if you back up from your PROD vSAN encrypted cluster, you can still restore the VMs to your DR site running on other storage or a different vSAN cluster.

As far as the DEK, this key is not associated with a VM in vSAN Encryption, but with a disk in vSAN instead. Each disk in the cluster has a unique DEK. The KEK from the KMS is used to encrypt the DEK.

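The key hierarchy and backup path discussed in this thread, modelled as an added example (not part of the original posts and not VMware code). A toy SHA-256 keystream stands in for the real disk cipher, and the names `Disk`, `EncryptedCluster` and `demo` are hypothetical.

```python
import hashlib
import os

def keystream_xor(key, nonce, data):
    """Toy cipher (SHA-256 in counter mode); stand-in for the real disk cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Disk:
    """A disk holds ciphertext plus its own DEK, wrapped (encrypted) by the KEK."""
    def __init__(self, kek):
        self.wrap_nonce = os.urandom(16)
        self.wrapped_dek = keystream_xor(kek, self.wrap_nonce, os.urandom(32))
        self.raw = {}  # what is physically on the disk: nonce + ciphertext

    def dek(self, kek):
        return keystream_xor(kek, self.wrap_nonce, self.wrapped_dek)

class EncryptedCluster:
    """Datastore layer: encrypts on write, decrypts on read."""
    def __init__(self, kek, n_disks=2):
        self.kek = kek  # supplied by the KMS
        self.disks = [Disk(kek) for _ in range(n_disks)]

    def _disk(self, name):
        return self.disks[sum(name.encode()) % len(self.disks)]

    def write(self, name, data):
        disk, nonce = self._disk(name), os.urandom(16)
        disk.raw[name] = nonce + keystream_xor(disk.dek(self.kek), nonce, data)

    def read(self, name):  # the path a backup job uses
        disk = self._disk(name)
        return keystream_xor(disk.dek(self.kek), disk.raw[name][:16], disk.raw[name][16:])

def demo():
    prod = EncryptedCluster(kek=os.urandom(32))
    vmdk = b"constructed sample VM disk contents " * 4
    prod.write("app01.vmdk", vmdk)
    backup = prod.read("app01.vmdk")        # backup software receives plaintext
    dr_datastore = {"app01.vmdk": backup}   # restore elsewhere needs no DEK or KEK
    return {
        "backup_is_plaintext": backup == vmdk,
        "restore_works_without_keys": dr_datastore["app01.vmdk"] == vmdk,
        "pulled_disk_is_ciphertext": vmdk[:16] not in prod._disk("app01.vmdk").raw["app01.vmdk"],
        "dek_unique_per_disk": len({d.dek(prod.kek) for d in prod.disks}) == len(prod.disks),
    }
```

Because the backup copy leaves the cluster as plaintext, access control on the backup system and encryption of the backup target are what protect a restored VM, not the vSAN keys.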
Techstarts
Expert

Thanks a lot for the final inputs. One can build a good blog article out of this post, which I'm planning very soon.

I marked each of your responses as Helpful.

With Great Regards,