Hi All,
I have a few questions. Please, someone help me in this regard.
1) Before enabling encryption, we will need to set up/integrate the KMS server with the vCenter server. After enabling vSAN Encryption at Rest or In Transit from the vSAN service level, can we utilize vSAN encryption on the complete vSAN datastore? Like the VM encryption policy, can we use vSAN encryption only for selected vSAN policies? For example, 5 vSAN policies with encryption and 5 policies without vSAN encryption.
If that is possible (5 vSAN policies with encryption and 5 policies without vSAN encryption), will there be any impact on the current PROD VMs (after enabling vSAN Encryption at Rest or In Transit from the vSAN service level)?
2) Can we enable vSAN encryption at the new vSAN policy level (example – VSAN GOLD POLICY) without enabling vSAN encryption at the core services level? It will not work, right?
3) The VM Encryption method is only for VMs, and we cannot use the same VM Encryption policy for vSAN file services.
Hello @ManivelR
1) Before enabling encryption, we will need to set up/integrate the KMS server with the vCenter server. After enabling vSAN Encryption at Rest or In Transit from the vSAN service level, can we utilize vSAN encryption on the complete vSAN datastore?
vSAN Data at Rest encryption is a datastore-wide setting (all the files inside the vSAN cluster will be encrypted), and vSAN Data in Transit encryption is a cluster-wide setting: all communication between hosts in the cluster is encrypted.
Like the VM encryption policy, can we use vSAN encryption only for selected vSAN policies? For example, 5 vSAN policies with encryption and 5 policies without vSAN encryption.
No. Basically, the datastore is either encrypted or not; there is no policy to choose.
2) Can we enable vSAN encryption at the new vSAN policy level (example – VSAN GOLD POLICY) without enabling vSAN encryption at the core services level? It will not work, right?
No, as discussed, it's datastore-wide.
What you can do is encrypt VMs or VM disks that reside inside the vSAN datastore using VM encryption.
3) The VM Encryption method is only for VMs, and we cannot use the same VM Encryption policy for vSAN file services.
Correct, same as before. vSAN is either encrypted or not.
Sources:
vSAN Data at Rest
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-39717910-373F-4F71-98...
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-37F9636A-7481-4486-AA...
vSAN Data in Transit
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-10099331-92E7-41AF-BC...
VM Encryption
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7DE1ED8F-880B-421...
Thanks for your prompt response.
I'm testing VM encryption storage policies in the lab first.
Steps:
1) Created a default Native Key Provider.
2) While creating the VM encryption policy (all datastores are visible; I have 5 shared datastores and all of them are compatible there)
Out of the 5 datastores, I will need to tag this storage policy "New-VM-encryption-policy" to "ISCSI-ENCR-DATASTORE", so that the complete DS will be encrypted. Am I right or incorrect?
May I know how to do this task?
Hello, to clarify:
The VM encryption policy will encrypt the VMDK and other VM files but not the datastore.
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8D7D09AC-8579-4A3...
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-06E45092-22DD-406...
As a rule of thumb:
- vSAN Encryption --> Encrypts the whole vSAN datastore (same as array encryption in traditional storage arrays)
- VM Encryption --> requires a VM storage policy --> Only encrypts the VMs that have that storage policy applied.
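As an added example (not from this thread or from VMware's documentation), a PowerCLI audit that reports the two layers the rule of thumb above distinguishes: the cluster-wide vSAN setting and the per-VM, policy-driven VM encryption. It assumes an existing Connect-VIServer session; the property names read from the vSAN configuration object are assumptions to verify against your PowerCLI version.

```powershell
# Added audit example, not code from the thread. Assumes VMware PowerCLI is
# installed and Connect-VIServer has already been run against vCenter.
param(
    [Parameter(Mandatory)] [string] $ClusterName
)

$cluster = Get-Cluster -Name $ClusterName

# Layer 1: vSAN encryption is a cluster/datastore-wide setting, not a storage policy.
$vsanCfg = Get-VsanClusterConfiguration -Cluster $cluster
[pscustomobject]@{
    Cluster              = $cluster.Name
    VsanEnabled          = $vsanCfg.VsanEnabled
    DataAtRestEncryption = $vsanCfg.EncryptionEnabled              # assumed property name
    DataInTransitEncrypt = $vsanCfg.DataInTransitEncryptionEnabled # assumed; vSphere 7 / PowerCLI 12+
} | Format-List

# Layer 2: VM encryption is per VM home and per disk, driven by the applied storage policy.
# The vSphere API exposes a CryptoKeyId on Config (VM home) and on each disk backing
# when that object is encrypted; a null KeyId means plaintext at this layer.
$report = foreach ($vm in ($cluster | Get-VM)) {
    $policyName = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    $disks      = @($vm | Get-HardDisk)
    $encrypted  = @($disks | Where-Object { $_.ExtensionData.Backing.KeyId })
    [pscustomobject]@{
        VM              = $vm.Name
        StoragePolicy   = $policyName
        VmHomeEncrypted = [bool]$vm.ExtensionData.Config.KeyId
        EncryptedDisks  = $encrypted.Count
        TotalDisks      = $disks.Count
    }
}
$report | Sort-Object VM | Format-Table -AutoSize

# The case the question is really about: vSAN not encrypted AND no VM-level
# encryption either, so the VM's data has no encryption at rest at all.
if (-not $vsanCfg.EncryptionEnabled) {
    $report |
        Where-Object { -not $_.VmHomeEncrypted -and $_.EncryptedDisks -eq 0 } |
        ForEach-Object { Write-Warning "$($_.VM): neither vSAN nor VM encryption applied" }
}
```

A VM can show both layers at once (encrypted datastore plus an encrypting storage policy); the report simply shows which layer, if any, covers each VM.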
Thanks for the response.
Thank you.