fborges555
Enthusiast

KMS and vSAN

Hi gurus

I have deployed a vSphere solution with vSAN on it, which is my only source of storage. I have been asked to deploy a KMS for a vSAN encryption solution, but the more I read, the more it seems like this is not the right solution, as I could render the entire cluster locked if the KMS becomes unavailable, which could well happen as all my VMs will be housed on the vSAN cluster.


So, what I am asking is: with this scenario, and relying on your vast experience, what would be my best approach for vSAN encryption? It seems like the native encryption that comes with 7.0 U2 is the best practice.

Any clarification is well appreciated.


Thanks a bunch

3 Replies
CyberNils
Enthusiast

Yes, you need to find a way to keep your KMS outside your vSAN cluster. As far as I can understand, this applies no matter what encryption solution you choose.



Nils Kristiansen
https://cybernils.net/
niyijr
Enthusiast


> the more I read, the more it seems like this is not the right solution, as I could render the entire cluster lock if the KMS becomes unavailable

Your instincts are correct. The first design consideration when you plan to configure encryption on a vSAN datastore is "Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt."

So, you will need to find another datastore where your KMS server will sit.

________________________________________________________
Please KUDO helpful posts and mark the thread as solved if answered
TheBobkin
VMware Employee

@fborges555 as others have said, absolutely do not consider storing a KMS on the vsanDatastore it is providing encryption to, and here's why: such a cluster is just one power outage away from:

1. Losing the cached KEK that it uses to unlock the disks using the DEK, leading to

2. Not being able to access the Disk Groups, and thus the data, and thus

3. Not being able to power the KMS VM(s) on to get the KEK (repeat in a circle indefinitely).


Just because you only have one datastore available doesn't mean you can't have a KMS available elsewhere - this can run anywhere else, either on another cluster you have available or even in the cloud.


Going with vSphere Native Key Provider is potentially a viable option here. While this relies on vCenter instead of a KMS to store keys (and vCenter, too, should ideally always be running somewhere other than on the cluster it manages), if you configure the hosts with physical TPM modules and configure ESXi Key Persistence, the KDK (Key Derivation Key) will still be available post reboot even if vCenter is not available. Do note, though, that this is not the same thing as a full-fledged KMS and can't be used for anything non-vSphere.


Before deciding on either of these (or any solution) I would strongly advise doing the due diligence of reading as much relevant documentation as possible relating to these two topics.

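A design check, added here as an example and not part of any reply in this thread, that models the cold-start loop TheBobkin describes: an encrypted datastore needs its key provider, the provider runs on VMs (KMS appliances, or vCenter for Native Key Provider), and those VMs live on some datastore. The inventory names and the `persistent` set (datastores whose hosts keep keys across reboots via TPM-backed Key Persistence) are constructed assumptions, not values from the thread.

```python
# Constructed inventory, modelled on the scenario in the thread.
ENCRYPTED_BY = {            # datastore -> key provider that unlocks it (None = unencrypted)
    "vsanDatastore": "kms-cluster-1",
    "nfs-mgmt": None,
}
PROVIDER_VMS = {            # key provider -> VMs that must be running to serve keys
    "kms-cluster-1": ["kms-01", "kms-02"],
    "native-kp": ["vcsa-01"],   # Native Key Provider keys are held by vCenter
}
VM_DATASTORE = {            # VM -> datastore holding its disks
    "kms-01": "vsanDatastore",  # the mistake: KMS VMs on the datastore they unlock
    "kms-02": "vsanDatastore",
    "vcsa-01": "nfs-mgmt",
}


def _chain(ds, encrypted_by, provider_vms, vm_datastore, persistent, path):
    """Walk the datastores that must be online before `ds` can be unlocked.
    Returns the looping path if `ds` can never bootstrap, else None."""
    path = path + [ds]
    provider = encrypted_by.get(ds)
    if provider is None or ds in persistent:
        return None     # unencrypted, or keys cached on the hosts' TPMs: no dependency
    for vm in provider_vms.get(provider, []):   # external appliance: no VMs, no loop
        host_ds = vm_datastore[vm]
        if host_ds in path:
            return path + [host_ds]             # provider needs a datastore it unlocks
        cycle = _chain(host_ds, encrypted_by, provider_vms, vm_datastore, persistent, path)
        if cycle:
            return cycle
    return None


def find_lockouts(encrypted_by, provider_vms, vm_datastore, persistent=frozenset()):
    """Map each datastore that cannot be unlocked after a full power loss to the
    dependency loop that blocks it. An empty dict means the design bootstraps."""
    lockouts = {}
    for ds in encrypted_by:
        cycle = _chain(ds, encrypted_by, provider_vms, vm_datastore, persistent, [])
        if cycle:
            lockouts[ds] = cycle
    return lockouts


if __name__ == "__main__":
    for ds, loop in find_lockouts(ENCRYPTED_BY, PROVIDER_VMS, VM_DATASTORE).items():
        print(f"{ds}: cannot recover after power loss, loop = {' -> '.join(loop)}")
```

Moving the KMS VMs to a datastore the provider does not unlock, or enabling Key Persistence on the hosts, empties the report; the check also catches indirect loops through a second datastore.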