VMware Cloud Community
mc1903cae
Enthusiast

vSphere VM Encryption on vSAN standard edition. Possible/Supported?

Quick Question - "Is whole VM encryption possible/supported on a unencrypted vSAN datastore?"

I am looking at a situation where the client has already deployed vSphere 6.5 U1 with both vSAN 6.6 hybrid (standard edition license) and traditional iSCSI datastores, where encryption is now required.

Data-at-rest encryption on the traditional array, whilst supported by the vendor, is not feasible at this time as not all disks are SED and the investment to replace them to the same capacity/performance is way too expensive.

Upgrading to vSAN Enterprise licensing also has a significant cost and it would still leave the VMs on the traditional datastores unencrypted.

I would like to implement a supported Key Management Server (Gemalto KeySecure) and just encrypt the VMs (and their virtual disks) that reside on either type of datastore.

It sounds too simple - am I missing something?

Thanks

Martin

11 Replies
TheBobkin
Champion

Hello Martin,

Unfortunately the Data-at-Rest Encryption feature is only available in Enterprise and Enterprise for ROBO editions of vSAN:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsan/vmware-vsan-66-licen...

Yes, though it is as easy as configuring a KMS and enabling encryption on the cluster.

Bob

mc1903cae
Enthusiast

Thank you TheBobkin

I appreciate that data-at-rest (DAR) encryption on vSAN is an Enterprise license feature, but from what I understand of vSphere 'whole VM' encryption, it does not require the underlying storage to also be encrypted?

I want to encrypt the VM not the datastore/storage?

From the vSphere 6.5: VM and vSAN Encryption FAQ (vSphere Central)

Which encryption solution should I choose? VM Encryption or vSAN encryption?

It's not either/or. It's workload and customer dependent. If you don't have vSAN the choice is easy. For others that might have both block or NFS storage AND vSAN, they may choose to use both.

This statement is not clear enough for me. Can I choose to only use VM encryption on a vSAN datastore without enabling vSAN DAR encryption as well?

I would love Duncan Epping @DuncanYB to respond - nothing better than hearing it from the horse's mouth so to speak!

Cheers

Martin

TheBobkin
Champion

Hello Martin,

Sorry, there was a bit of confusion about which you were referring to.

Is the vSphere licensing in use here also Standard?

VM Encryption is a vSphere Enterprise Plus only feature:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vsphere/vmw-flyr-comparevsphereedi...

Yes, you can use VM encryption on a vSAN datastore, though it is not an ideal situation (which is why vSAN encryption was developed) as Duncan covered here:

http://www.yellow-bricks.com/2016/11/07/the-difference-between-vm-encryption-in-vsphere-6-5-and-vsan...

More performance info when using VM Encryption (including info specific to vSAN):

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vm-encryption-vsphere65-...

Bob

mc1903cae
Enthusiast

Hello Bob,

My fault, I was unclear about versions/editions.

  • vSphere 6.5 is using the Enterprise Plus license edition.
  • vSAN 6.6 is using the Standard license edition.

I had not seen Duncan's article, but from what I read I should be able to implement it in the way I initially thought I could.

The vSAN is a hybrid configuration, so I am not using deduplication - the "No/near zero dedupe" with VM Encryption (VAIO) is not a concern.

I did not want to implement it, have a problem and then get told by GSS that I had an unsupportable configuration.

I am just testing this in a HOL, as seeing is believing.

I really appreciate your help today.

Cheers

Martin

MAlexander20111
Contributor

Did you ever receive a true answer on this?

We are also looking to do the same, but I run into the issue that the encryption policy says the vSAN datastore is incompatible.

-Mike

mc1903cae
Enthusiast

MAlexander201110141

Hi Mike,

Yes, I did... I implemented VM Encryption on a hybrid vSAN, with a non-encrypted datastore, using vSphere 6.5 U1.

I used vSphere 6.x Enterprise Plus and vSAN Standard licensing.

Can you detail your setup?

  • vCenter Version/Build
  • ESXi Version/Build
  • KMS vendor/version
  • vSphere Licensing Edition
  • vSAN Licensing Edition
  • Hybrid or All Flash vSAN

Can you screenshot the error and associated Storage Policy?

M

MAlexander20111
Contributor

Thank you for the quick reply.

vCenter Standard license

vCenter Server appliance 6.5.0.10000 w/PSC

ESXi 6.5.0 10390116

KMS : Hytrust KeyControl 4.2.1

vSphere w/Ops Management Enterprise Plus

vSAN Standard

Hybrid vSAN (on dedicated standard switch, 10Gb)

I open the default VM Encryption Policy and check storage compatibility, and the vSAN datastore is in the incompatible section: reason: "Datastore does not match current VM policy."

I have also tried cloning the default vSAN Policy and checking common rules, adding default encryption properties. Same result.

I have DRS and HA active (power management OFF).

vSAN iSCSI: disabled.

Thank you,

Mike

Screenshots of policy compatibility (note the second incompatible datastore is a phantom from a removed SAN that I haven't called support to get rid of): [screenshots not reproduced]

vSAN is healthy: [screenshot not reproduced]

mc1903cae
Enthusiast

MAlexander201110141

Mike,

Edited: Question: Are you using the unedited default "VM Encryption Policy" or have you edited it to include a vSAN rule-set? Sorry, just re-read your reply and you said you had cloned the default vSAN policy and added the Encryption common rules.

I just built a 3 node vSAN cluster to re-test this (the live cluster is on a client site and I have no access to it), using the following vCenter & ESXi versions/builds:

  • vCenter VCSA 6.5 U1g (8024368)
  • ESXi 6.5 U1 (5969303)

I created a new "VM Encryption on vSAN" policy that includes both the default encryption 'common rules' and a vSAN 'rule-set 1'.

Looks like this: [policy screenshots not reproduced]

I created a new VM and applied this new storage policy to it. [screenshots not reproduced]

Also, just to confirm that my vSAN is not encrypted: [screenshot not reproduced]

I am going to try upgrading to 6.5 U2 and then 6.7 U1 in case that breaks this configuration, but that will take me a day or two.

All the best

M

MAlexander20111
Contributor
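The check Martin describes above (a policy combining the VM Encryption common rule with a vSAN rule-set, applied to a VM on an unencrypted vSAN datastore) can also be verified from PowerCLI instead of by screenshot. The following script is an added example, not code from this thread or from VMware; it assumes PowerCLI with the VMware.VimAutomation.Storage module against vCenter 6.5 or later, and the server, policy and datastore names are placeholders to be replaced with your own.

```powershell
# Added example (not from the thread): from PowerCLI, check that a storage policy
# which combines the VM Encryption common rule with a vSAN rule-set reports the vSAN
# datastore as compatible, list the rules the policy really contains, and report
# which VMs on that datastore actually carry an encryption key.
# Assumptions: PowerCLI (VMware.VimAutomation.Storage), vCenter 6.5+, and that the
# names below are replaced with the ones in your environment (all are placeholders).

param(
    [string]$VCenter       = 'vcsa.lab.example',       # placeholder vCenter FQDN
    [string]$PolicyName    = 'VM Encryption on vSAN',  # policy name used in the thread
    [string]$DatastoreName = 'vsanDatastore'           # default vSAN datastore name
)

Connect-VIServer -Server $VCenter | Out-Null

# 1. Does the policy's own compatibility check list the vSAN datastore?
#    This is the same check the "Storage compatibility" view in the UI performs.
$policy     = Get-SpbmStoragePolicy -Name $PolicyName
$compatible = Get-SpbmCompatibleStorage -StoragePolicy $policy
$vsanDs     = Get-Datastore -Name $DatastoreName

if ($compatible.Name -contains $vsanDs.Name) {
    Write-Host "'$PolicyName' reports '$DatastoreName' as COMPATIBLE"
} else {
    Write-Warning "'$PolicyName' does NOT list '$DatastoreName' as compatible"
}

# 2. Which rule-sets does the policy actually contain? A policy that carries only
#    the encryption common rule and no vSAN rule-set is a common reason for the
#    vSAN datastore to appear under "incompatible".
$policy.AnyOfRuleSets | ForEach-Object {
    $_.AllOfRules | Select-Object @{N = 'Capability'; E = { $_.Capability.Name }}, Value
}

# 3. Which VMs on the vSAN datastore are encrypted? The VM home is encrypted when
#    config.keyId is set; a virtual disk is encrypted when its backing carries a keyId.
Get-VM -Datastore $vsanDs | ForEach-Object {
    $vm = $_
    $homeEncrypted = $null -ne $vm.ExtensionData.Config.KeyId
    $disks = Get-HardDisk -VM $vm | ForEach-Object {
        [pscustomobject]@{
            Disk      = $_.Name
            Encrypted = $null -ne $_.ExtensionData.Backing.KeyId
        }
    }
    $compliance = Get-SpbmEntityConfiguration -VM $vm
    [pscustomobject]@{
        VM             = $vm.Name
        HomeEncrypted  = $homeEncrypted
        EncryptedDisks = @($disks | Where-Object Encrypted).Count
        TotalDisks     = @($disks).Count
        Policy         = $compliance.StoragePolicy.Name
        Compliance     = $compliance.ComplianceStatus
    }
} | Format-Table -AutoSize
```

Run it read-only first: nothing here changes a policy or a VM, so it is safe to use against the production cluster where the datastore showed as incompatible, and the rule listing in step 2 makes it easy to compare that policy with the one that works in the lab.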

Thanks for the update.

I am in the process of building a lab to test it out clean as well, though continuing with the 6.5u2 build that I already have. If it does not work I will try with an earlier build.

-Mike

MAlexander20111
Contributor

Works just fine in the lab using the 6.5u2 ISO.

Even after assigning a vSAN Standard license to make sure that doesn't change anything.

Appears to be something that happened in the production environment at some point. Will try and get my case switched to another tech.

mc1903cae
Enthusiast

I upgraded the VCSA and 3 ESXi hosts in my test setup from 6.5 U1 through 6.5 U2 and then up to 6.7 U1 - all still works as expected.

Best of luck tracking your issue down.

M
