m1gu3l
Enthusiast

Deep recrypt

In Bring Your Own Encryption, when going to a key provider, selecting an OrgVDC and performing the "Change Key" operation, we have observed in vSphere that only a shallow recrypt (i.e., at KEK level) of the VMs is performed.

Is there a way to perform a deep recrypt (i.e., KEK + DEK)? If not, will it be included in the GA version or future versions of the add-on?

Thanks,

Miguel

Accepted Solutions
jeffmace
VMware Employee

Posting for Radostin:

Hi and thanks for your question! Yes, you are right with your observation - “Change Key” always performs shallow re-encrypt on the existing virtual machines (VMs) in the Org VDC. All newly created virtual machines in an Org VDC which are under BYOE control will be fully encrypted with the key specified by the tenant admin.

We are planning to introduce Deep Re-encrypt on a per VM basis. The operation will have a number of prerequisites which come from vCenter: the VM needs to be powered off, it must not have snapshots, etc. We plan to introduce this feature either with the GA or with one of the first BYOE releases afterwards.

Please confirm what is the importance of this use case for you?
-Radostin
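The exchange above turns on the difference between re-wrapping a key and re-encrypting data. The Go program below is an added illustration for this thread, not VMware's code and not part of any post: it models envelope encryption with AES-256-GCM from the Go standard library, where each VM's disk is encrypted under its own data encryption key (DEK) and the DEK is stored wrapped under the tenant's key encryption key (KEK). `ShallowRekey` models what "Change Key" was observed to do (rewrap the DEK under the new KEK, leaving the DEK and the disk ciphertext unchanged), `DeepRekey` models the planned per-VM deep re-encrypt with the vCenter prerequisites the reply lists (powered off, no snapshots), and `NewVM` models a VM created after the key change receiving a fresh DEK under the current KEK. The `VM` struct, its fields and all function names are assumptions made for the illustration. The point it demonstrates: a DEK that was exposed before rotation still decrypts the disk after a shallow rekey, and stops working only after a deep rekey.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed model of envelope encryption for VM disks (not VMware's code): the
// disk is encrypted under a per-VM DEK, and the DEK is stored wrapped under the KEK.
type VM struct {
	PoweredOff bool
	Snapshots  int
	WrappedDEK []byte // DEK sealed under the current KEK
	Ciphertext []byte // disk contents sealed under the DEK
}

// NewKey returns 32 random bytes; KEKs and DEKs are both 256-bit AES keys here.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable here: keys are always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts with AES-256-GCM, prepending the random nonce to the output.
func Seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := NewKey()[:gcm.NonceSize()] // 12 fresh random bytes
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; it fails if the key is wrong or the data was altered.
func Open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewVM: a VM created under BYOE control gets a fresh DEK wrapped under the current KEK.
func NewVM(kek, disk []byte) *VM {
	dek := NewKey()
	return &VM{PoweredOff: true, WrappedDEK: Seal(kek, dek), Ciphertext: Seal(dek, disk)}
}

// ShallowRekey is the "Change Key" behaviour seen in the thread: only the wrapping
// changes; the DEK and ciphertext stay, so a previously exposed DEK still works.
func (vm *VM) ShallowRekey(oldKEK, newKEK []byte) error {
	dek, err := Open(oldKEK, vm.WrappedDEK)
	if err != nil {
		return err
	}
	vm.WrappedDEK = Seal(newKEK, dek)
	return nil
}

// DeepRekey is the planned per-VM deep re-encrypt: new DEK, disk re-encrypted,
// old DEK retired. The prerequisites are the ones the thread quotes from vCenter.
func (vm *VM) DeepRekey(oldKEK, newKEK []byte) error {
	if !vm.PoweredOff || vm.Snapshots > 0 {
		return fmt.Errorf("deep rekey requires a powered-off VM with no snapshots")
	}
	dek, err := Open(oldKEK, vm.WrappedDEK)
	if err != nil {
		return err
	}
	disk, err := Open(dek, vm.Ciphertext) // read the disk as a host does at power-on
	if err != nil {
		return err
	}
	newDEK := NewKey()
	vm.Ciphertext = Seal(newDEK, disk)
	vm.WrappedDEK = Seal(newKEK, newDEK)
	return nil
}

func main() {
	kek1, kek2 := NewKey(), NewKey()
	vm := NewVM(kek1, []byte("constructed sample disk contents"))
	oldDEK, _ := Open(kek1, vm.WrappedDEK) // a DEK that was exposed before rotation
	_ = vm.ShallowRekey(kek1, kek2)
	_, errShallow := Open(oldDEK, vm.Ciphertext)
	_ = vm.DeepRekey(kek2, kek2)
	_, errDeep := Open(oldDEK, vm.Ciphertext)
	fmt.Println("old DEK still decrypts: after shallow =", errShallow == nil, "after deep =", errDeep == nil)
}
```

Run it with `go run`; the final line reports `true` for the shallow case and `false` for the deep case. This is why a key rotation done to satisfy a compliance requirement needs the deep variant when the concern is the data key itself rather than the key provider's wrapping key: a shallow rekey only changes who can unwrap the DEK, not which DEK protects the disk.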

7 Replies
rtsanev
VMware Employee

Hi @m1gu3l and thanks for your question! Yes, you are right with your observation that with the tech preview only shallow encryption is being performed.

We are planning to introduce Deep Encrypt on a per-VM basis. It will have a number of requirements which come from vCenter: the VM needs to be powered off and it must not have snapshots in order to be able to perform the action. We are planning to introduce this feature either with the GA or one of the very first releases afterwards.

Can you please confirm what is the importance of this feature for you?

-Radostin

rtsanev
VMware Employee

Hi @m1gu3l and thanks for your question! Yes, you are right with your observation that with the tech preview only shallow re-encrypt is performed.

We are planning to introduce Deep Re-encrypt on a per VM basis. The operation will have a number of prerequisites which come from vCenter: the VM needs to be powered off and it must not have snapshots. We plan to introduce this feature either with the GA or with one of the first BYOE releases afterwards.

Please confirm what is the importance of this use case for you?

-Radostin

nikolay_andreev
VMware Employee

Hi Miguel and thanks for your question! Yes, you are right with your observation - “Change Key” always performs shallow re-encrypt on the existing virtual machines (VMs) in the Org VDC. All newly created virtual machines in an Org VDC which are under BYOE control will be fully encrypted with the key specified by the tenant admin.

We are planning to introduce Deep Re-encrypt on a per VM basis. The operation will have a number of prerequisites which come from vCenter: the VM needs to be powered off, it must not have snapshots, etc. We plan to introduce this feature either with the GA or with one of the first BYOE releases afterwards.

Please confirm what is the importance of this use case for you?

m1gu3l
Enthusiast

Thanks, Jeff and Radostin. The use case is important to us because some customers need to rotate their keys periodically to meet their security and compliance requirements, and they require deep recrypt.

We are aware of the limitations imposed by vCenter for deep recrypt and agree that it makes sense to implement this option at VM level rather than at OrgVDC level, since the VM must be powered off. Your planned implementation seems to meet our requirements. We will check it again in the GA version.

Thanks!

Miguel
