Quick Question - "Is whole VM encryption possible/supported on a unencrypted vSAN datastore?"
I am looking at a situation where the client has already deployed vSphere 6.5 U1 with both vSAN 6.6 hybrid (standard edition license) and traditional iSCSI datastores, where encryption is now required.
Data-at-rest encryption on the traditional array, whilst supported by the vendor, is not feasible at this time as not all disks are SED and the investment to replace them at the same capacity/performance is way too expensive.
Upgrading to vSAN Enterprise licensing also has a significant cost and it would still leave the VMs on the traditional datastores unencrypted.
I would like to implement a supported Key Management Server (Gemalto KeySecure) and just encrypt the VMs (and their virtual disks) that reside on either type of datastore.
It sounds too simple. Am I missing something?
Thanks
Martin
Hello Martin,
Sorry, there is a bit of confusion about which you were referring to.
Is the vSphere licensing in use here also Standard?
VM Encryption is a vSphere Enterprise Plus only feature:
Yes, you can use VM Encryption on a vSAN datastore, though it is not an ideal situation (which is why vSAN encryption was developed), as Duncan covered here:
More performance info when using VM Encryption (including specific info to vSAN):
Bob
Hello Martin,
Unfortunately the Data-at-Rest Encryption feature is only available in Enterprise and Enterprise for ROBO editions of vSAN:
Yes, though it is as easy as configuring a KMS and enabling encryption on the cluster.
Bob
Thank you TheBobkin
I appreciate that data-at-rest (DAR) encryption on vSAN is an Enterprise license feature, but from what I understand of vSphere 'whole VM' encryption, it does not require the underlying storage to also be encrypted?
I want to encrypt the VM not the datastore/storage?
From the vSphere 6.5: VM and vSAN Encryption FAQ (vSphere Central)
Which encryption solution should I choose? VM Encryption or vSAN encryption?
It's not either/or. It's workload and customer dependent. If you don't have vSAN the choice is easy. For others that might have both block or NFS storage AND vSAN, they may choose to use both.
This statement is not clear enough for me. Can I choose to only use VM encryption on a vSAN datastore without enabling vSAN DAR encryption as well?
I would love Duncan Epping @DuncanYB to respond - nothing better than hearing it from the horse's mouth so to speak!
Cheers
Martin
Hello Bob,
My fault, I was unclear about versions/editions.
vSphere 6.5 is using Enterprise Plus license edition.
vSAN 6.6 is using Standard license edition.
I had not seen Duncan's article, but from what I read I should be able to implement it in the way I initially thought I could.
The vSAN is a hybrid configuration, so I am not using deduplication - the "No/near zero dedupe" with VM Encryption (VAIO) is not a concern.
I did not want to implement it, have a problem and then get told by GSS that I had an unsupportable configuration.
I am just testing this in a HOL; as seeing is believing.
I really appreciate your help today.
Cheers
Martin
Did you ever receive a true answer on this?
We are also looking to do the same, but I run into the issue that the encryption policy says the vSAN datastore is incompatible.
-Mike
MAlexander201110141
Hi Mike,
Yes, I did... I implemented VM Encryption on a hybrid vSAN, with a non-encrypted datastore, using vSphere 6.5 U1.
I used vSphere 6.x Enterprise Plus and vSAN Standard licensing.
Can you detail your setup?
Can you screenshot the error and associated Storage Policy?
M
Thank you for quick reply.
vCenter Standard license
vCenter Server appliance 6.5.0.10000 w/PSC
ESXi 6.5.0 10390116
KMS : Hytrust KeyControl 4.2.1
vSphere w/Ops Management Enterprise Plus
vSan Standard
Hybrid vSAN (on dedicated standard switch 10Gb)
I open the default VM Encryption Policy and check storage compatibility and vSAN datastore is in the incompatible section: reason: “Datastore does not match current VM policy.”
I have also tried cloning the default vSAN Policy and checking common rules, adding Default encryption properties, with the same result.
I have DRS and HA active (power Management OFF)
vSAN iSCSI: disabled.
Thank you,
Mike
Screenshots of policy compatibility (note the second incompatible datastore is a phantom from a removed SAN that I haven't called support to get rid of):
vSAN is healthy:
MAlexander201110141
Mike,
Edited: Question: Are you using the unedited default "VM Encryption Policy" or have you edited it to include a vSAN rule-set? Sorry, just re-read your reply and you said you had cloned the default vSAN policy and added the Encryption common rules.
I just built a 3 node vSAN cluster to re-test this (the live cluster is on a client site and I have no access to it), using the following vCenter & ESXi versions/builds:
I created a new "VM Encryption on vSAN" policy that includes both the default encryption 'common rules' and a vSAN 'rule-set 1'.
Looks like this:
I created a new VM and applied this new storage policy to it.
Also, just to confirm that my vSAN is not encrypted:
I am going to try upgrading to 6.5 U2 and then 6.7 U1 in case that breaks this configuration, but that will take me a day or two.
All the best
M
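The policy described in the post above (VM Encryption common rule plus a vSAN placement rule-set, applied to a VM, with a storage-compatibility check), as an added PowerCLI example that is not from the thread or from VMware; the SPBM capability ids and values (`vmwarevmcrypt.vmcrypt` = `vmcrypt`, `VSAN.hostFailuresToTolerate`), the `-CommonRule` parameter and the vCenter/VM names are assumptions to verify against `Get-SpbmCapability` on the target vCenter.

```powershell
# Added example, not the poster's own script. Assumes PowerCLI with the SPBM cmdlets
# loaded and a vCenter with both a vSAN Standard cluster and a vSphere Enterprise Plus
# license (VM Encryption requires the latter, vSAN DAR encryption is NOT required here).
Connect-VIServer -Server 'vcsa.lab.example' -User 'administrator@vsphere.local'

# Common rule: the VM Encryption IO filter used by the built-in "VM Encryption Policy".
# Capability id/value are assumed; check with: Get-SpbmCapability | ? Name -like 'vmwarevmcrypt*'
$cryptCap  = Get-SpbmCapability -Name 'vmwarevmcrypt.vmcrypt'
$cryptRule = New-SpbmRule -Capability $cryptCap -Value 'vmcrypt'

# vSAN "rule-set 1": placement rules the datastore must satisfy. FTT=1 mirrors the
# default vSAN policy on a hybrid cluster (no dedupe involved, so no VAIO/dedupe conflict).
$fttCap  = Get-SpbmCapability -Name 'VSAN.hostFailuresToTolerate'
$fttRule = New-SpbmRule -Capability $fttCap -Value 1
$vsanRs  = New-SpbmRuleSet -Name 'Rule-set 1' -AllOfRules $fttRule

# Build the combined policy: encryption as a common rule, vSAN placement as a rule-set.
$policy = New-SpbmStoragePolicy -Name 'VM Encryption on vSAN' `
            -Description 'VM Encryption (IO filter) + vSAN placement, vSAN DAR encryption not enabled' `
            -CommonRule $cryptRule `
            -AnyOfRuleSets $vsanRs

# The "storage compatibility" check from the thread: the vSAN datastore should be listed.
# If it is missing, inspect the policy's rules before opening a case; a rule-set that
# only carries the encryption common rule (no vSAN rules) is the usual cause.
$compatible = Get-SpbmCompatibleStorage -StoragePolicy $policy
$compatible | Select-Object Name, Type

# Apply the policy to an existing VM: the VM home and every VMDK get re-assigned and
# encrypted in place, while the vSAN datastore itself stays unencrypted.
$vm = Get-VM -Name 'test-vm'
Get-SpbmEntityConfiguration -VM $vm | Set-SpbmEntityConfiguration -StoragePolicy $policy
Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy

# Confirm: Encrypted should be True while the datastore type still reports vsan.
$vm | Select-Object Name, @{N='Encrypted';E={ $null -ne $_.ExtensionData.Config.KeyId }}
```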
Thanks for the update.
I am in the process of building a lab to test it out clean as well, though continuing with the 6.5 U2 build that I already have. If it does not work I will try with an earlier build.
-Mike
Works just fine in the lab using the 6.5 U2 ISO.
Even after assigning the vSAN Standard license to make sure that doesn't change anything.
Appears to be something that happened in the production environment at some point. Will try and get my case switched to another tech.
I upgraded the VCSA & 3 ESXi hosts in my test setup from 6.5 U1 through 6.5 U2 and then up to 6.7 U1 - all still works as expected.
Best of luck tracking your issue down.
M