VMware Cloud Community
bgushue

Native Key Provider with StorMagic SvSAN

For a remote office we plan to use StorMagic SvSAN to share storage on two ESXi hosts. Would we also be able to use vSphere Native Key Provider? I have read it only provides keys for VMware products, but would the StorMagic SvSAN get in the way of encryption? So far as I know, we only plan to encrypt VMs. Even if we can encrypt VMs, would we be able to encrypt a datastore on the StorMagic SvSAN?


Accepted Solutions
markchristie

SvSAN (https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=san&productid=18874&vcl=tru...) provides synchronously mirrored MPIO disk devices over iSCSI to enable HA shared storage in two node and larger environments.

It is fully compatible and supported to be used with VMware VM encryption on top of SvSAN storage.

This can be done leveraging a KMS, such as StorMagic SvKMS (https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=kms&productid=51449&kmsvers...).

This would be the recommended best practice with any encryption architecture to truly separate lock from key.

SvKMS is available as an on-prem solution or as a key-management-as-a-service option.

vCenter Native Key Provider would also be fully supported as an alternative (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400...). 

This uses TPMs in the host to store the keys on host, rather than in an external KMS. 

Although less complex, and potentially lower cost, this also means that should a whole server get stolen both the key and the data are taken with the potential for easier unlock of the data.

For additional detail: as an alternative to VMware VM encryption, SvSAN includes an encryption engine inside the storage controller virtual machines, or VSAs.

This ensures that any I/O passing up or down the storage stack is scrambled/encrypted down to the physical storage.

This protects any datastore encrypted through SvSAN, and as such any data stored on top of it, such as VMs, files, databases, etc., is also protected.


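To make the "separate lock from key" point in the answer above concrete, here is an added example that is not part of the original thread and is not VMware or StorMagic code. It models envelope encryption of a VM disk the way VM encryption works in outline: a per-VM data encryption key (DEK) encrypts the disk, and a key encryption key (KEK) only wraps the DEK, so the datastore holds ciphertext plus a wrapped DEK. The two scenarios then differ only in where the KEK lives: released by the host itself (the TPM-backed Native Key Provider case as the answer describes it, where whoever boots the stolen server gets the KEK back) or held by an external KMS that the stolen hardware cannot reach. The toy HMAC-SHA256 stream cipher, the function names, and the constructed sample disk contents are all assumptions of this example; the real products use AES and a richer key hierarchy.

```python
"""Envelope encryption with a host-resident KEK vs. a KMS-held KEK.

Added example, not product code. The cipher below is a toy
(HMAC-SHA256 keystream + encrypt-then-MAC) so that it runs with the
standard library only; it stands in for AES-based VM encryption.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256(key, nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys so one key never serves both roles.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_vm(kek: bytes, vmdk: bytes) -> dict:
    """Envelope: a fresh DEK encrypts the disk, the KEK only wraps the DEK.
    Everything returned is what lands on the datastore next to the VM."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": seal(kek, dek), "vmdk_ct": seal(dek, vmdk)}


def decrypt_vm(kek: bytes, on_datastore: dict) -> bytes:
    dek = unseal(kek, on_datastore["wrapped_dek"])
    return unseal(dek, on_datastore["vmdk_ct"])


def build_scenarios(vmdk: bytes) -> dict:
    """Same encrypted datastore in both cases; only the KEK's home differs.
    Modelling assumption: a KEK the host can release on its own (TPM-backed
    key provider) is available to whoever boots the stolen server."""
    kek = secrets.token_bytes(32)
    on_datastore = encrypt_vm(kek, vmdk)
    return {
        "kek": kek,
        "host_resident_kek": {"datastore": on_datastore, "kek": kek},
        "external_kms": {"datastore": on_datastore},  # KEK never persisted on the host
    }


def stolen_server_unlocks(stolen: dict) -> bool:
    """A thief with the whole server gets every artifact that lived on it."""
    if "kek" not in stolen:
        return False  # wrapped DEK alone is useless without the KMS
    try:
        decrypt_vm(stolen["kek"], stolen["datastore"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_vmdk = b"constructed sample disk contents"  # constructed, not real data
    sc = build_scenarios(sample_vmdk)
    print("host-resident KEK, server stolen:", stolen_server_unlocks(sc["host_resident_kek"]))
    print("external KMS, server stolen:     ", stolen_server_unlocks(sc["external_kms"]))
```

The external-KMS case only holds if the KMS is actually unreachable from the stolen hardware; if the thief can still authenticate to the KMS from the host's identity (for example the same client certificate stored on that host), the separation is on paper only.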
bgushue

Sorry to take so long to respond.

I created a case with VMware and they answered that the VM encryption would work but said I should check with the vendor regarding datastore encryption. I checked with StorMagic and they said no, datastore encryption would not be supported in this scenario.

I believe VM encryption may be enough for us, but I am going to look at the SvSAN solution and SvKMS.

Interesting note about the TPM and host server.  Clearly it isn't perfect so I have to find out what is acceptable in our organization.  This doesn't sound good to me.

Thank you, Mark!
