Hi Great community!
I am studying for vSAN, and now I am at the pre-stage of learning vSAN encryption. However, it seems to be difficult to understand in the beginning, so I would highly appreciate it if you could guide me on where to start so I can continue learning vSAN encryption, keys, KEK, DEK, KMS and so on, all of that stuff.
Thank you very much in advance for your help.
Hello İlyas,
A *really* brief summary of it is:
- vSAN encrypts data at the Disk-Group level with data at rest (as opposed to encrypting in flight or between points).
- ESXi hosts require their Key Encryption Keys to be able to access their Disk-Groups, otherwise these are unavailable - this is the main reason to NEVER store your KMS on the vsanDatastore that it is providing this service to (as this can result in the KMS being unavailable because you can't mount the Disk-Groups because you don't have the KEK because you don't have access to the KMS and so on).
- Communication of encryption key information goes directly from the hosts to the KMS (as opposed to VMware VM Encryption that requires vCenter to access the keys).
- Storage performance overhead/penalty from using vSAN Encryption is minimal, but CPU overhead should be factored in for sizing, with the guideline being 5-15% utilisation.
- More likely to benefit from space savings from vSAN dedupe & compression when using vSAN encryption as opposed to vSphere VM encryption.
As well as what Joerg advised to read, some other good information can be found here:
vSAN Data Encryption at Rest | VMware
Bob
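To make the KEK/DEK/KMS chain in Bob's second bullet concrete, here is a small added model (not code from the thread or from VMware): a KMS holds the KEK, each Disk-Group stores only a KEK-wrapped DEK beside its encrypted data, and a host can mount the Disk-Group only after fetching the KEK. The `keystream_xor` routine is a toy stand-in for AES (the standard library has none) and the `kms_on_vsan_datastore` flag is an assumed way of expressing the circular dependency Bob warns about.

```python
import hashlib
import secrets
from typing import Optional

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES: XOR data with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

class KMS:
    """Holds the Key Encryption Key. Hosts query it directly (no vCenter in the path)."""
    def __init__(self) -> None:
        self.kek = secrets.token_bytes(32)

    def get_kek(self, reachable: bool) -> bytes:
        if not reachable:
            raise ConnectionError("KMS unreachable")
        return self.kek

class DiskGroup:
    """Data at rest is encrypted with a per-Disk-Group DEK.
    Only the KEK-wrapped DEK is persisted, never the KEK or the plain DEK."""
    def __init__(self, kek: bytes, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.wrapped_dek = keystream_xor(kek, dek)
        self.ciphertext = keystream_xor(dek, plaintext)

    def mount(self, kek: bytes) -> bytes:
        dek = keystream_xor(kek, self.wrapped_dek)   # unwrap the DEK with the KEK
        return keystream_xor(dek, self.ciphertext)   # then decrypt the data

def host_boot(kms: KMS, dg: DiskGroup, kms_on_vsan_datastore: bool) -> Optional[bytes]:
    """A freshly booted host has no Disk-Groups mounted yet. If the KMS VM lives on
    the very vsanDatastore those Disk-Groups back, the KMS cannot be running, so the
    host never obtains the KEK and the Disk-Group stays unavailable (returns None)."""
    kms_reachable = not kms_on_vsan_datastore
    try:
        kek = kms.get_kek(kms_reachable)
    except ConnectionError:
        return None  # no KMS -> no KEK -> no DEK -> no mount
    return dg.mount(kek)
```

The `True` case models the deadlock: the data is intact on disk, but nothing in the cluster can unwrap the DEK until the KMS is served from somewhere else.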
Start reading How vSAN Encryption Works
Regards,
Joerg