VMware Cloud Community
mutthu
Enthusiast

HSM/KMS for vSAN

I will deploy a vSphere solution with vSAN, which is going to be my only source of storage. I have to have an encryption solution for the vSAN, but we must safeguard the encryption keys in an HSM. I have been researching a suitable product, and a few KMS do the encryption of vSAN. I cannot understand the difference between KMS and HSM.
I came across CloudLink, HyTrust, and a few other KMS to encryption software, but it looks like we have to buy a third-party HSM if we have to fulfill our HSM requirement.

The KMS holds the keys, so why then an HSM?

Is there any HSM product that does storage encryption without buying KMS and HSM?

0 Kudos
2 Replies
arshad21dvmw
Contributor

What's the make of servers you are planning to purchase for your vSAN solution?

Regarding the functionality of HSM in a vSphere environment:

vSphere is just a KMIP client. These functions are handled by the Key Manager you choose. If you want HSMs, then the Key Manager will talk to them and vSphere will talk to the KMS.

0 Kudos
mutthu
Enthusiast

What's the make of servers you are planning to purchase for your vSAN solution?

It will be vSAN ready, which is available from several vendors. I have not decided anything, but whoever sells a vSAN ready node with the maximum CPU cores (<32 cores) will be my choice, to avoid VMware license cost.

0 Kudos