VMware Cloud Community
offsidex
Contributor

A couple vSAN encryption questions

Hello All,

I am currently evaluating the feasibility of implementing vSAN encryption in our environment, but I am unable to find documentation relating to the below:

- What is the impact of losing the KMS server?

- What is the process of replacing a failed disk on an encrypted vSAN datastore?

Can someone please point me in the right direction?

Regards

-A

3 Replies
GreatWhiteTec
VMware Employee

Hi Offsidex,

It is highly recommended to deploy KMS in an HA approach, preferably on different sites. The KMS for vSAN encryption should not reside inside the vSAN cluster to be encrypted. Once the initial configuration has been done on vCenter for KMS, ESXi hosts do not require a constant connection to the KMS server. So, to answer your question, if you lose your KMS server temporarily, your hosts, VMs and drives will keep working as normal, unless you decide to reboot a host. During a host reboot, the vSAN node requests the KEK from the KMS in order to access the drives within the vSAN cluster; if the KMS is not available, the drives (and Disk Groups) will be offline until the KMS is back online.

Disk replacement is the same as without vSAN Encryption. When a drive is replaced, vSAN is smart enough to know that vSAN encryption is enabled and that it needs to format the new drive to meet the encryption requirement; it also creates a unique DEK for that drive.

You can find more info at storagehub.vmware.com: Data at Rest Encryption

offsidex
Contributor

Thank you for your response GreatWhiteTec, that confirmed my thinking.

One last question regarding the disk failures: am I correct in assuming that the whole disk group will need to be removed, the disk replaced, then the disk group re-created?

GreatWhiteTec
VMware Employee

Some background info: the configuration for vSAN Encryption is cluster-wide. The KEK from the KMS is passed to the hosts. Each disk in every Disk Group has its own unique Data Encryption Key (DEK), wrapped with the Key Encryption Key (KEK) from the KMS. When a disk fails and is replaced, the reformat is done at the disk level and not the Disk Group level, so you shouldn't have to recreate disk groups if a capacity device fails (with no Dedupe/compression enabled). For other scenarios, such as cache devices, the current disk operations apply. So if the cache device fails, you will recreate the DG in that case.

Like I mentioned before, disk operations remain the same procedure with or without encryption. The only change is the device re-format and DEK generation if vSAN encryption is enabled, but that is transparent to the user.

Disk Operations

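The two answers above describe a key hierarchy (one cluster KEK held by the KMS, a unique DEK per disk wrapped with that KEK, DEKs unwrapped into host memory) and two consequences of it: a running host keeps working while the KMS is unreachable, but a rebooted host cannot bring its disks online until the KMS is back, and replacing a single capacity disk only generates and wraps a new DEK for that disk. The following Python model, added here as an illustration and not code from the thread's authors or from VMware, walks through exactly those two scenarios. It is a toy: the `Kms`, `Host`, `wrap_dek` and `unwrap_dek` names are invented for the example, the wrap is an HMAC-SHA256 keystream plus an HMAC tag built from the standard library so it runs offline, and the real product uses AES-based key wrapping and KMIP to talk to the KMS.

```python
"""Toy model of the vSAN encryption key hierarchy described in the thread.

Constructed for illustration only. The 'wrap' below (HMAC-derived keystream
XOR plus an HMAC integrity tag) stands in for the AES key wrap a real
implementation uses, so that the dependency structure (KEK at the KMS,
one DEK per disk, DEKs cached in host memory until reboot) can be run
offline with nothing but the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KmsUnavailable(Exception):
    """Raised when a host needs the KEK but the KMS cannot be reached."""


class Kms:
    """Stand-in KMS (hypothetical): holds the cluster KEK and can go offline."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.online = True

    def get_kek(self) -> bytes:
        if not self.online:
            raise KmsUnavailable("KMS unreachable")
        return self._kek


def _keystream(kek: bytes, disk_id: str, nonce: bytes, n: int) -> bytes:
    # Per-disk, per-nonce keystream derived from the KEK (toy construction).
    return hmac.new(kek, disk_id.encode() + nonce, hashlib.sha256).digest()[:n]


def wrap_dek(kek: bytes, disk_id: str, dek: bytes) -> bytes:
    """Wrap a 32-byte DEK under the KEK; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, disk_id, nonce, len(dek))))
    tag = hmac.new(kek, b"tag" + disk_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(kek: bytes, disk_id: str, blob: bytes) -> bytes:
    """Verify the tag, then recover the DEK. Fails on a wrong KEK or tampering."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + disk_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped DEK failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, disk_id, nonce, len(ct))))


@dataclass
class Host:
    """Hypothetical ESXi host: wrapped DEKs live on disk, unwrapped DEKs in RAM."""
    name: str
    kms: Kms
    wrapped: dict = field(default_factory=dict)    # disk_id -> wrapped DEK (on-disk metadata)
    dek_cache: dict = field(default_factory=dict)  # disk_id -> plaintext DEK (memory only)

    def format_disk(self, disk_id: str) -> None:
        """Disk added or replaced: fresh DEK for that disk only, wrapped with the KEK."""
        kek = self.kms.get_kek()                   # needs the KMS
        dek = secrets.token_bytes(32)
        self.wrapped[disk_id] = wrap_dek(kek, disk_id, dek)
        self.dek_cache[disk_id] = dek

    def reboot(self) -> bool:
        """Memory is lost; every disk's DEK must be unwrapped again via the KMS."""
        self.dek_cache.clear()
        try:
            kek = self.kms.get_kek()
        except KmsUnavailable:
            return False                           # disks (and disk groups) stay offline
        for disk_id, blob in self.wrapped.items():
            self.dek_cache[disk_id] = unwrap_dek(kek, disk_id, blob)
        return True

    def can_do_io(self, disk_id: str) -> bool:
        return disk_id in self.dek_cache

    def online_disks(self) -> list:
        return sorted(self.dek_cache)


def scenario() -> dict:
    """Runs the two situations discussed in the thread and reports the outcomes."""
    kms = Kms()
    host = Host("esx01", kms)                      # constructed sample host
    for disk in ("cache0", "cap0", "cap1"):
        host.format_disk(disk)
    out = {}
    kms.online = False                             # KMS lost while the host is running
    out["io_while_kms_down"] = host.can_do_io("cap0")        # DEKs already in memory
    out["boot_while_kms_down"] = host.reboot()               # no KEK -> nothing comes online
    out["disks_after_failed_boot"] = host.online_disks()
    kms.online = True                              # KMS restored
    out["boot_after_kms_back"] = host.reboot()
    before = host.wrapped["cap0"]
    host.format_disk("cap1")                       # replace one capacity disk
    out["other_disks_unchanged"] = host.wrapped["cap0"] == before
    out["disks"] = host.online_disks()
    return out
```

Running `scenario()` shows the first answer's point directly: I/O succeeds with the KMS down, a reboot with the KMS down leaves every disk offline, and the reboot succeeds once the KMS is back. The final step reproduces the second answer: reformatting the replaced capacity disk touches only that disk's wrapped DEK, which is why the disk group itself does not need to be recreated in that case.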