VMware Cloud Community
SrVMwarer
Hot Shot

vSAN encryption - Where to start

Hi Great community!

I am studying for vSAN, and now I am at the pre-stage of learning vSAN encryption; however, it seems to be difficult to understand in the beginning, so I would highly appreciate it if you can guide me on where to start so I can continue learning vSAN encryption, keys, KEK, DEK, KMS and so on, all of that stuff.

Thank you very much in advance for your help

Regards, İlyas
1 Solution

Accepted Solutions
TheBobkin
Champion

Hello İlyas,

*really* brief summary of it is:

- vSAN encrypts data at the Disk-Group level with data at rest (as opposed to encrypting in flight or between points).

- ESXi hosts require their Key Encryption Keys to be able to access their Disk-Groups, otherwise these are unavailable - this is the main reason to NEVER store your KMS on the vsanDatastore that it is providing this service to (as this can result in the KMS being unavailable because you can't mount the Disk-Groups because you don't have the KEK because you don't have access to the KMS and so on).

- Communication of encryption key information goes directly from the hosts to the KMS (as opposed to VMware VM Encryption that requires vCenter to access the keys).

- Storage performance overhead/penalty from using vSAN Encryption is minimal but CPU overhead should be factored in for sizing with guideline being 5-15% utilisation.

- More likely to benefit from space savings from vSAN dedupe & compression when using vSAN encryption as opposed to vSphere VM encryption.

As well as what Joerg advised to read, some other good information can be found here:

vSAN Data Encryption at Rest | VMware

Bob
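As an added illustration of the key hierarchy Bob describes (my own example, not part of this thread or any VMware code): each disk group stores its DEK only in wrapped form under a KEK, the host fetches that KEK straight from the KMS when it boots, and a KMS VM whose disks sit on the very vsanDatastore it protects can never be reached. The datastore names are constructed, and the XOR/HMAC wrap is a stand-in for the AES key wrap a real KMS and host perform.

```python
import hashlib, hmac, secrets

class KmsUnavailable(Exception):
    pass  # the host cannot reach the KMS, so it cannot obtain its KEK

class Kms:
    """Stand-in KMS holding one KEK; hosts fetch it directly (no vCenter in the path)."""
    def __init__(self, lives_on):
        self.lives_on = lives_on  # datastore holding the KMS VM's disks (constructed)
        self.kek = secrets.token_bytes(32)
    def fetch_kek(self, mounted):
        # A KMS whose own disks sit on an unmounted datastore is simply unreachable.
        if self.lives_on not in mounted:
            raise KmsUnavailable(f"KMS VM lives on unmounted datastore {self.lives_on}")
        return self.kek

def wrap_dek(kek, dek):
    """Stand-in for AES key wrap: XOR with a SHA-256(kek||nonce) keystream, HMAC tag."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_dek(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped DEK failed integrity check")
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def mount_disk_group(kms, wrapped_dek, mounted):
    """Host boot path: fetch the KEK from the KMS, unwrap the disk group's DEK, mount."""
    dek = unwrap_dek(kms.fetch_kek(mounted), wrapped_dek)
    mounted.add("vsanDatastore")
    return dek

def simulate(kms_datastore):
    """True if the vsanDatastore comes back after a host reboot, given KMS placement."""
    kms = Kms(lives_on=kms_datastore)
    dek = secrets.token_bytes(32)  # per-disk-group DEK (constructed)
    wrapped = wrap_dek(kms.kek, dek)  # only the wrapped form is stored on the disk group
    mounted = {"localDatastore"}  # after reboot only non-vSAN storage is up
    try:
        return mount_disk_group(kms, wrapped, mounted) == dek
    except KmsUnavailable:
        return False
```

Running `simulate("localDatastore")` mounts the datastore, while `simulate("vsanDatastore")` reproduces the circular dependency Bob warns about.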


2 Replies
IRIX201110141
Champion

Start reading How vSAN Encryption Works

Regards,
Joerg
