Enthusiast

VM Encryption in 6.5 - Selecting a KMS

Has anyone implemented this in a production environment yet? It looks easy enough to configure and seems to be an ideal (and long-awaited) solution for protecting VMs but the requirement for a KMS is a real blocker.

If you have implemented VM encryption, can I ask what key management solution you chose and what options you considered? I've looked at some solutions myself but the costs are prohibitive.

8 Replies
Expert

Good afternoon. Off topic from your question, but if you're thinking of this in production, here's a good whitepaper on performance: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vm-encryption-vsphere65-p...

Thank you, Zach.

Contributor

vSphere 6.5 supports KMIP 1.1, but it's really only as a client. A corresponding KMIP server is required in order to manage and store the keys. There aren't many standalone KMIP servers available, but KeyNexus does offer one which is described here: https://keynexus.net/solutions/keynexus-kmip-server/

Enthusiast

Thanks - I note KeyNexus still only supports up to KMIP v1.2 so I'm a bit concerned that they're not exactly keeping up to date and their web site doesn't provide any indicative pricing. Unfortunately, this is the case for most if not all vendors I've looked at.

I feel like VM encryption is a great feature but it will simply be unrealistic for most smaller shops because of the incredibly prohibitive cost and additional complexity of deploying a key management system.

It's a shame VMware weren't able to implement Data-at-Rest (DaR) encryption with their VSAN product by leveraging the capabilities of Self-Encrypting Drives (SEDs) and consequently, there's still no reasonable way of implementing DaR despite the fact that even entry level hardware SAN appliances would typically have the necessary support as standard.

Contributor

Check out HyTrust DataControl. It's on VMware's price list and provides a KMIP-compliant KMS that's been tested with vSphere Encryption on 6.5. www.hytrust.com

Contributor

See the other reply about HyTrust for a KMIP-compliant KMS that'll work out of the box. Up and running in 30 minutes or less.

BTW, SEDs only prevent someone from stealing the physical drive. Encryption of the VM itself prevents someone from copying the actual vmdk files and using them elsewhere.

VMware Employee

VMware has very recently set up certification for KMIP 1.1 key server vendors: VMware Compatibility Guide - kms. All certified key server vendor solutions will be listed there. Expect the list to grow quickly.

Contributor

IBM Security Key Lifecycle Manager (SKLM) has implemented a solution for VM Encryption in production for multiple customers. SKLM is a beautiful product which can cater to all your digital key requirements. See the link below for more details.

IBM Security Key Lifecycle Manager

Contributor

Seems like there aren't too many KMIP servers that support VM encryption in vSphere 6.5 and 6.7. We checked out the KeyNexus solution for vSAN and they've kept up with the spec. 1.3/1.4 is supported and their pricing is fairly reasonable against the big guys like Thales and Gemalto.
