Has anyone implemented this in a production environment yet? It looks easy enough to configure and seems to be an ideal (and long-awaited) solution for protecting VMs but the requirement for a KMS is a real blocker.
If you have implemented VM encryption, can I ask what key management solution you chose and what options you considered? I've looked at some solutions myself but the costs are prohibitive.
Good afternoon, off topic of your question, but if you're thinking of this in production, here's a good whitepaper on performance: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vm-encryption-vsphere65-p...
Thank you, Zach.
vSphere 6.5 supports KMIP 1.1, but it’s really only as a client. A corresponding KMIP server is required in order to manage and store the keys. There aren’t many standalone KMIP servers available, but KeyNexus does offer one which is described here: https://keynexus.net/solutions/keynexus-kmip-server/
Thanks - I note KeyNexus still only supports up to KMIP v1.2 so I'm a bit concerned that they're not exactly keeping up to date and their web site doesn't provide any indicative pricing. Unfortunately, this is the case for most if not all vendors I've looked at.
I feel like VM encryption is a great feature but it will simply be unrealistic for most smaller shops because of the incredibly prohibitive cost and additional complexity of deploying a key management system.
It's a shame VMware weren't able to implement Data-at-Rest (DaR) encryption with their VSAN product by leveraging the capabilities of Self-Encrypting Drives (SEDs) and consequently, there's still no reasonable way of implementing DaR despite the fact that even entry level hardware SAN appliances would typically have the necessary support as standard.
See other reply about HyTrust for a KMIP compliant KMS that'll work out of the box. Up and running in 30 minutes or less.
BTW, SEDs only prevent someone from stealing the physical drive. Encryption of the VM itself prevents someone from copying the actual vmdk files and using them elsewhere.
VMware has very recently set up certification for KMIP 1.1 key server vendors: VMware Compatibility Guide - KMS. All certified key server vendor solutions will be listed there. Expect the list to grow quickly.
IBM Security Key Lifecycle Manager (SKLM) has implemented a solution for VM Encryption in production for multiple customers. SKLM is a beautiful product which can cater to all your digital key requirements. See link below for more details.
Seems like there aren't too many KMIP servers that support VM encryption in vSphere 6.5 and 6.7. We checked out the KeyNexus solution for vSAN and they've kept up with the spec: 1.3/1.4 are supported, and their pricing is fairly reasonable against the big guys like Thales and Gemalto.