
My Vmware Blog



Google Cloud has said that their enterprise customers repeatedly tell them how important it is to get their priority workloads running in the cloud. These priority workloads include several commonly utilized enterprise solutions, like those offered by SAP and Oracle, and virtualization solutions from VMware.

 

On behalf of WP Hacked Help, we are excited to announce that Google Cloud will begin supporting VMware workloads. It is another significant step as Google strives to better serve enterprise customers, and a step toward a more secure infrastructure.

 

Both Google Cloud and VMware believe that customers want to run workloads in the cloud that works best for them. Google Cloud is committed to offering solutions that let its customers do just that. Customers have asked for broad support for VMware, and now, with Google Cloud VMware Solution by CloudSimple, they will be able to run VMware vSphere-based workloads in GCP.

 

This gives customers a broad range of choices for how to run their VMware workloads in a hybrid deployment, from modern containerized applications with Anthos to VM-based applications with VMware in GCP.

 

“Our partnership with Google Cloud has always been about addressing customers’ needs, and we’re excited to extend the partnership to enable our mutual customers to run VMware workloads on VMware Cloud Foundation in Google Cloud Platform,” said Sanjay Poonen, chief operating officer, customer operations at VMware.

 

“With VMware on Google Cloud Platform, customers will be able to leverage all of the familiarity and investment protection of VMware tools and training as they execute on their cloud strategies, and rapidly bring new services to market and operate them seamlessly and more securely across a hybrid cloud environment.”

 

This new solution will leverage VMware software-defined data center (SDDC) technologies, including VMware vSphere, NSX and vSAN, deployed on a platform administered by CloudSimple for GCP. This means customers will be able to migrate VMware workloads to a VMware SDDC running in GCP, benefiting from GCP strengths such as performant, secure, global and scalable infrastructure and leading data analytics, AI and ML capabilities. Users will have full, native access to the VMware stack, including vCenter, vSAN and NSX-T.

 

Google Cloud will provide the first line of support, working closely with CloudSimple to help ensure customers receive a streamlined product support experience and that their business-critical applications are supported with the SLAs that enterprise customers need.

 

This collaboration builds on a history of partnership with VMware. Over the course of our partnership, we’ve delivered integrated solutions including:

Google Cloud is committed to working closely with our partners to deliver the solutions and products customers need to solve business issues and innovate in new areas. In partnership with VMware, Google is committed to making Google Cloud the best place to run VMware workloads.

 

Google Cloud VMware Solution by CloudSimple will be available on the Google Cloud Marketplace later this year. Interested customers can sign up to receive updates.

Leakage of confidential business information can become a true disaster for any company, so data security is an issue of prime importance for most companies. When organizing an IT infrastructure, an administrator's top question is how to provide secure storage that keeps sensitive business information safe from intruders. Web security for small businesses has become the number one priority in 2019 and beyond.

 

In this article, I suggest having a closer look at a relatively recent method of ensuring data security, VMware virtual machine encryption, which can be a good remedy against intruders for your organization.

Some theory to consider

 

VMware VM encryption is a relatively recent feature, first introduced in VMware vSphere 6.5.

 

VM encryption is built on AES-256 (the data encryption key is an XTS-AES-256 key); AES-NI is not the algorithm but the CPU instruction set that accelerates it. Key management follows the KMIP 1.1 standard. Encryption of VM objects takes place at the ESXi host level, so the guest OS never has access to the encryption keys. Encrypted virtual machines are moved between ESXi hosts by means of encrypted vMotion.

 

With VMware VM encryption, the encryptable and non-encryptable virtual machine data are as follows:

Encryptable:
  • VM files
  • Virtual disk files
  • Host core dump files

Not encryptable:
  • Log files
  • VM configuration files
  • Virtual disk descriptor files

 

How VMware VM encryption works

 

To start with, let's break down the three major components of VMware VM encryption:

  • Key Management Server (KMS) is the server that manages keys. VMware uses the KMS to generate and store keys, which it later hands to vCenter. Any external system that speaks the KMIP standard can be used as the KMS; VMware publishes a list of certified KMS products.
  • Key Encryption Key (KEK) is an AES-256 key generated by the KMS and sent to vCenter, which in turn sends it to the ESXi hosts. The KEK is used only to encrypt (wrap) data encryption keys, never the VM data itself.
  • Data Encryption Key (DEK) is an XTS-AES-256 key generated by the ESXi host. It is used to encrypt and decrypt the virtual machine's disks and files.

The keys flow through the system as follows:

  • After generating a KEK, the KMS keeps it on its side and sends it, together with its key identifier, to vCenter for distribution.
  • On receiving the KEK from the KMS, vCenter sends it to the ESXi host that needs it.
  • On receiving the KEK from vCenter, the ESXi host generates the DEK and encrypts it under the KEK.
  • The host stores the encrypted DEK and the key identifier with the VM's files; the KEK itself is held in the host's memory cache only and is never written to disk.

The ESXi host is responsible for these functions:

  • Encrypting and decrypting VM disks and files
  • Moving encrypted virtual machines between hosts over the network with encrypted vMotion

Important note: vCenter does not store or save KMS keys; it keeps only the list of key identifiers.

Note 2: it is also good to know that if your processor supports the AES-NI instruction set, encryption and decryption run noticeably faster, because the AES rounds are executed in hardware.

Some risk management

Now that we know how VM encryption works with VMware, let’s take a closer look at some scenarios you should keep in mind if things go wrong.

Scenario 1. What if the host has been rebooted?

 

The KEKs cached in the host's memory are lost on reboot. As soon as the host reconnects to vCenter, vCenter requests the KEK from the KMS by its identifier and pushes it to the host again. Until that happens, encrypted virtual machines on that host cannot be powered on.

Scenario 2. What if vCenter is unavailable?

 

Virtual machines and hosts keep working as usual, because the host already holds the KEK in its memory cache. What you cannot do without vCenter is anything that needs a key the host does not have yet, such as encrypting a new VM or powering on an encrypted VM on a host that has rebooted since it last received the KEK. If vCenter is "dead", recover it from a backup. If you don't have a backup, install a new vCenter and connect it to the same KMS: the KEKs are still in the KMS under their identifiers, so the new vCenter can fetch them for the hosts again.

Scenario 3. What if KMS server is unavailable?

 

Recover the KMS from a backup as soon as possible. Once you opt for encryption, the KMS becomes the most availability-critical component of your infrastructure: without it, no KEK can be retrieved, so no DEK can be unwrapped and no encrypted virtual machine can be powered on or decrypted. Loss of the KMS is the highest-priority risk. It can result in total loss of the encrypted data, and perhaps of your whole business.
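The key hierarchy described in "How VMware VM encryption works" and the three scenarios above, as an added worked example in Go. This is not code from the original post and not VMware's implementation; it models a KMS that holds AES-256 KEKs under identifiers, an ESXi-like host that generates a 64-byte XTS-AES-256 DEK, caches the KEK in memory only and stores the wrapped DEK with the VM, and a vCenter that only relays key identifiers (modelled by the `kms` argument, `nil` meaning vCenter is down). The XTS sector cipher follows IEEE 1619 using only the Go standard library (`subtle.XORBytes` needs Go 1.20 or newer); wrapping the DEK with AES-256-GCM is an assumption, since the post does not say which primitive ESXi uses for that step; the key identifier `kek-2019-07` and the 512-byte "disk" are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// random returns n CSPRNG bytes; crypto/rand treats a failing OS RNG as fatal.
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// xtsAES256 encrypts one 16-byte-aligned sector with XTS-AES-256 (IEEE 1619), or
// decrypts it when decrypt is set. The 64-byte DEK is two AES-256 keys: the first
// half processes the data blocks, the second half encrypts the sector tweak.
func xtsAES256(dek []byte, sector uint64, in []byte, decrypt bool) []byte {
	if len(dek) != 64 || len(in) == 0 || len(in)%16 != 0 {
		panic("xts: need a 64-byte key and a non-empty 16-byte-aligned sector")
	}
	k1, _ := aes.NewCipher(dek[:32])
	k2, _ := aes.NewCipher(dek[32:])
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k2.Encrypt(t[:], t[:]) // T = E_k2(sector number)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		blk := out[i : i+16]
		subtle.XORBytes(blk, in[i:i+16], t[:]) // C = E_k1(P xor T) xor T (D_k1 when decrypting)
		if decrypt {
			k1.Decrypt(blk, blk)
		} else {
			k1.Encrypt(blk, blk)
		}
		subtle.XORBytes(blk, blk, t[:])
		// next tweak: T <- T * alpha in GF(2^128), little-endian, polynomial x^128+x^7+x^2+x+1
		lo, hi := binary.LittleEndian.Uint64(t[:8]), binary.LittleEndian.Uint64(t[8:])
		binary.LittleEndian.PutUint64(t[8:], hi<<1|lo>>63)
		binary.LittleEndian.PutUint64(t[:8], lo<<1^(hi>>63)*0x87)
	}
	return out
}

// KMS stores AES-256 KEKs under an identifier; vCenter only ever learns the identifier.
type KMS struct{ keks map[string][]byte }

// EncryptedVM is what the datastore holds: the KEK id and the KEK-wrapped DEK (both
// live in the VMX) plus the XTS ciphertext of the disk. The KEK itself is never on disk.
type EncryptedVM struct {
	KEKID            string
	WrappedDEK, Disk []byte
}

// Host caches KEKs in RAM only, so Reboot empties the cache. The kms argument of its
// methods is the KMS as reached through vCenter; passing nil models "vCenter is down".
type Host struct{ kekCache map[string][]byte }

func (h *Host) Reboot() { h.kekCache = map[string][]byte{} }

func (h *Host) kek(kms *KMS, id string) ([]byte, error) {
	if kek, ok := h.kekCache[id]; ok {
		return kek, nil
	}
	if kms == nil {
		return nil, fmt.Errorf("host: KEK %s not cached and vCenter unreachable", id)
	}
	kek, ok := kms.keks[id]
	if !ok {
		return nil, fmt.Errorf("kms: KEK %s unknown (KMS lost?)", id)
	}
	h.kekCache[id] = kek
	return kek, nil
}

func gcm(kek []byte) cipher.AEAD { b, _ := aes.NewCipher(kek); g, _ := cipher.NewGCM(b); return g }

// Encrypt generates the DEK on the host, encrypts sector 0 of the disk with it and stores
// the DEK wrapped under the KEK. AES-256-GCM is assumed for the wrap (see the lead-in).
func (h *Host) Encrypt(kms *KMS, kekID string, disk []byte) (*EncryptedVM, error) {
	kek, err := h.kek(kms, kekID)
	if err != nil {
		return nil, err
	}
	dek, nonce := random(64), random(12)
	wrapped := gcm(kek).Seal(nonce, nonce, dek, nil) // nonce || ciphertext || tag
	return &EncryptedVM{kekID, wrapped, xtsAES256(dek, 0, disk, false)}, nil
}

// PowerOn is the only way back to plaintext: KEK (cache, else KMS via vCenter), unwrap DEK, decrypt.
func (h *Host) PowerOn(kms *KMS, vm *EncryptedVM) ([]byte, error) {
	kek, err := h.kek(kms, vm.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := gcm(kek).Open(nil, vm.WrappedDEK[:12], vm.WrappedDEK[12:], nil)
	if err != nil {
		return nil, fmt.Errorf("host: DEK unwrap failed, wrong KEK for %s", vm.KEKID)
	}
	return xtsAES256(dek, 0, vm.Disk, true), nil
}

func main() {
	kms := &KMS{keks: map[string][]byte{"kek-2019-07": random(32)}} // the KMS generated one KEK
	host := &Host{kekCache: map[string][]byte{}}
	vm, _ := host.Encrypt(kms, "kek-2019-07", bytes.Repeat([]byte("vmdk sector 0 .."), 32)) // constructed 512-byte disk
	host.Reboot()
	_, e1 := host.PowerOn(kms, vm) // scenario 1: cache lost, KEK re-fetched by id through vCenter
	_, e2 := host.PowerOn(nil, vm) // scenario 2: vCenter down, the cached KEK still works
	host.Reboot()
	_, e3 := host.PowerOn(&KMS{keks: map[string][]byte{}}, vm) // scenario 3: KMS lost, data unrecoverable
	fmt.Println(e1, e2, e3)
}
```

Running it prints `<nil> <nil> kms: KEK kek-2019-07 unknown (KMS lost?)`: the host survives a reboot because vCenter can fetch the KEK by identifier, survives a vCenter outage because the KEK is cached, and loses the VM for good when the KMS no longer has the key. Note what vCenter never holds in this model: only the string `kek-2019-07` passes through it, which is exactly why a freshly installed vCenter connected to the same KMS can serve the existing VMs.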

More recommendations on what to consider when implementing encryption are available on the official VMware website.

To turn VM encryption on, change the VM's storage policy to the VM Encryption Policy (the VM must be powered off for this).

To turn it off, change the storage policy from the encryption policy to any other policy; the VM is then decrypted.

My DOs and DON’Ts advice

 

DO:
  • Do backups of the KMS, vCenter and the virtual machines.
  • Deploy the KMS on a separate host.
  • Build a KMS cluster of 2-3 hosts.

DON'T:
  • Don't encrypt the vCenter Server Appliance.
  • Don't edit VMX and VMDK files. They carry the encryption metadata (the key identifier and the wrapped data encryption key), and a stray change can make the virtual machine unrecoverable.
  • Don't host the KMS in a public cloud (e.g. Amazon or Azure) in the name of disaster resiliency.

 

Conclusion

 

Data has become too valuable an asset for a business to ever ignore its security. Today, encryption at the virtualization layer is one of the most reliable ways to store and manage your important information. Here I have given a deeper insight into what VMware VM encryption is, how it works, and what to consider to mitigate your risks. I hope I have inspired you to use encryption as a method of data security.

 

Thanks

Security Advisor @WP Hacked Help

"WordPress Security Services at its best"


Welcome to my blog

Posted by larsonreever Jul 25, 2019

Cheers, ladies and gentlemen, and welcome to my blog! Here I share my experience and tips and hints on virtualization technologies.