Re: KMS for Encryption Best Practices

dantranchina1 · ‎02-26-2019

Hi All,

I am looking to encrypt VM's for a few clients of mine. I see I need a KMS server on premise. I don't currently have a need for KMS outside of VM Encryption.

What I'm wondering is what are the implications of installing KMS role on one of the VM's that will be encrypted? If the VM crashes out will I be able to restore from backup considering the KMS service is on the Crashed Machine??

Is it best practice to have a small, dedicated KMS VM running on the host and leaving that unencrypted?

Also a question in a crash scenario..say my host dies and I need to restore the VM to new hardware, what is the restore process like with an encrypted VM?

Thanks in advance!

Dan

daphnissov · ‎02-26-2019

You should really, really read up on vSphere encryption and the full implications as it's not something to be taken lightly. You can read about best practices here: Virtual Machine Encryption Best Practices

KMS needs to be made very highly available and protected like the crown jewels.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net

pathnony · ‎03-13-2019

You don’t necessarily need to set up a KMS inside an existing VM. KeyNexus can offer you something similar though: KeyNexus can be deployed as a self-contained VM in VMware and provide high availability. With a cluster setup across different physical hosts, there’s no worry about one host going down. Also, setup is quick and easy. If you have any questions, direct message me and I can pass along more information.