VMware Cloud Community
BrianG_1
Contributor
Contributor

6.5 VM Encryption

Can anyone give me an idea of how much downtime there would be when encrypting existing VMs?

Example = 2.5TB vmdk

 

Is this possible to estimate?

Reply
0 Kudos
3 Replies
bluefirestorm
Champion
Champion

Someone can give you a number from their experience but it may not match up with your environment.

Key factors:
CPU generation - newer generation Intel CPUs have faster AES instruction execution (e.g. Skylake Xeon Gold will be a lot faster than an old Sandy Bridge Xeon)
storage speed - NVMe vs SSD vs 15Krpm hard disk

What I'd suggest you do is experiment by creating dummy VMs with 50GB, 100GB, 200GB, 500GB (you can choose sizes as you see fit) and see if the time taken is linear enough (e.g. 500GB is takes 10x as long as the 50GB, 200GB takes 4x of 50GB, etc) to estimate for the 2.5TB virtual disks.

 

BrianG_1
Contributor
Contributor

Thank you very much for the reply.

I understand that there are too many variables to make a solid time estimate.

I am trying to write an SOW to encrypt 12 VMs for a customer, this project will also involve standing up a KMS Cluster as one does not exist on-site at this time.  That being said I will not be able perform these valid experiments that you recommend.

Servers are not most current, Dell R7xx with E5-26xxv4 CPU and the vmdks are out on a Hybrid Fujitsu array.

I am looking for someone who has done this before other than HOL to just give me a guesstimate from there experience.  Are we talking hours or minutes?

Thanks again for your reply

Reply
0 Kudos
bluefirestorm
Champion
Champion

In the absence of any reference real world sample, one (overly) simplistic way of looking at it is this a read-encrypt-write operation and the read-write part is essentially a file copy. One possible guesstimate then is an estimate of a file copy operation + some percentage overhead for encryption part. I suppose there are far more accurate estimates for file copy operations out there and the question becomes more of how much overhead needs to be added for encryption and whether encryption time is a linear growth against the size.

The only time I tried encrypting an existing VM was when Fusion 10 was on beta (so that was some years back). I can't recall how large the virtual disk was and how long it took. Maybe you could use Workstation Pro or Fusion to try the experiment in lieu of a complex ESXi infrastructure but I don't know if Workstation and ESXi uses the same encryption algorithm and key complexity might affect the encryption time.

Reply
0 Kudos