VMware Cloud Community
Dixona
Contributor

VM Disk Encryption

Hello All

Setting up a new environment. 15 to 20 VMs.

I've got the hardware requirements sorted Dell R640's …..

One of the requirements is VM disk encryption.

The questions I have are:

Do I need Enterprise plus or higher to do this?

Can ROBO do disk encryption? Pros and Cons?

Anyone recommend a good KMS product that will work with VMware, MS SQL & MySQL? (I was thinking Gemalto, but something cheaper would be nice)

Anyone got any gotchas when setting this up?

Regards

Andrew.

Accepted Solutions
KabirAli82
Expert

Hi there,

I can only help you with the first question;

You need at least VMware vSphere Enterprise Plus™. See page 2;

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vsphere/vmw-flyr-comparevsphereedi...

Other than that I have no field experience with VM encryption.


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_

7 Replies
vMarkusK1985
Expert

Hello,

To do per-VM Disk encryption you need the vSphere Enterprise Plus or vSphere ROBO Enterprise License:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vsphere/vmw-flyr-comparevsphereedi...

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vsphere/vmw-flyr-vsphererobo-uslet...

Is this an additional environment to your Main Datacenter? If so, the ROBO License might be a good option.

I have used HyTrust for the per-VM Disk and VSAN encryption: https://www.hytrust.com/products/keycontrol/

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
blazilla
Enthusiast

Hi,

You need at least vSphere Enterprise Plus to use VM Encryption. Make sure that the Backup Software you want to use supports this (Veeam is fine). And you should make sure that your KMS is not the SPoF in your design.

Best regards Patrick https://www.vcloudnine.de
Dixona
Contributor

Forgot to say I'll want to use vSAN for the storage over three identical hosts.

blazilla
Enthusiast

Check this FAQ: vSphere 6.5/6.7: VM and vSAN Encryption FAQ | Encryption | VMware vSphere Central

It depends on your requirements. VM Encryption differs fundamentally from vSAN Encryption.

Best regards Patrick https://www.vcloudnine.de
vMarkusK1985
Expert

The FAQ that blazilla already shared highlights the main differences between both encryption types.

The main question is, what do you want to protect yourself from? Only robbery of servers / disks, or also "bad" access to your running VMs and copying of VMDKs etc.? A per-VM key can also be pretty important.

In my opinion, there is also a per-VM encryption use case on VSAN, even with the disadvantage in efficiency.

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
jchilton
Enthusiast

Recommend HyTrust KMIP product. Great value and tech support.
