6 Replies Latest reply on Jan 13, 2018 8:09 AM by Preetam Zare

    vSAN Encryption Queries

    Preetam Zare Expert

      I have couple of queries on vSAN. I made good efforts to locate any relevant information however was not satisfied with the results. Below are my questions

       

      • What is the backup support for vSAN encryption ?
      • When backup is done, I understand VM is decrypted then it is left with Backup vendor to encrypt. Is there a study on Decryption time ?
      • Now when VM is restored, it will be restored as decrypted VM right? so if a Rogue back admin choose to restore the VM he will always have access to VM.?

       

      Though I understand vSAN Encryption is data at rest encryption, all I'm trying to investigate any possible threats.

      With Great Regards,
      TechS
      vExpert 2012-2017 | VCP3-5 | VCAP5-DCD | VCP-NV | vSAN Specialist | VDI | Germany
        • 1. Re: vSAN Encryption Queries
          Great_White_Tec Expert
          vExpertVMware Employees

          Hi Techstarts,

           

          From a backup perspective, the backup software is unaware of vSAN Encryption. Whether vSAN encryption is enabled/disabled at backup and viceversa on restore, the process works the same way as if there was no encryption at all.  The behavior is different for VM backup where the data is encryption in-flight; however, this prevents some storage features from working such as dedupe/compression because the VM is encrypted.

           

          I have done extensive testing with different scenarios with Veeam Encryption + vSAN Encryption and was not able to "break" it.

           

          vSAN encryption is encryption at rest, and it is done when the data is being written to disk. So it may look and feel as if backups/restores are un-encrypted, but if you take a disk out, it will be encrypted, and unreadable. You can certainly use it in combination with software backup encryption, and let the backup software take care of the backup encryption. You can also use both vSAN encryption, and VM encryption (on different storage), leveraging the same KMS.

          1 person found this helpful
          • 2. Re: vSAN Encryption Queries
            Preetam Zare Expert

            Hi GreatWhiteTec,

             

            To repeat what I understood from your response

             

            • What is the backup support for vSAN encryption ?

            => Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient.

            • When backup is done, I understand VM is decrypted then it is left with Backup vendor to encrypt. Is there a study on Decryption time ?

            => You potential end up in double encryption. 1) vSAN Encryption 2) Backup encryption. As encryption/decryption do not have to happen, the time is same as backup or restore of any normal VM

            • Now when VM is restored, it will be restored as decrypted VM right? so if a Rogue back admin choose to restore the VM he will always have access to VM.?

            => This question is answered above

            With Great Regards,
            TechS
            vExpert 2012-2017 | VCP3-5 | VCAP5-DCD | VCP-NV | vSAN Specialist | VDI | Germany
            • 3. Re: vSAN Encryption Queries
              Great_White_Tec Expert
              vExpertVMware Employees
              • What is the backup support for vSAN encryption ?

              => Backup software is transparent to vSAN encryption. It is irrelevant for backup software to know if the VM is encrypted or not. But potentially dedupe backup store may not be efficient.     With vSAN Encryption dedupe/compression is not affected, BUT with VM encryption (vSphere) dedupe/compression will not take place.

               

              • When backup is done, I understand VM is decrypted then it is left with Backup vendor to encrypt. Is there a study on Decryption time ?

              => You potential end up in double encryption. 1) vSAN Encryption 2) Backup encryption. As encryption/decryption do not have to happen, the time is same as backup or restore of any normal VM.

              Yes, but the double encryption is not on the same place, unless you are encrypting backups on an encrypted enabled vSAN cluster as a target storage. So, if your backup target is an external storage and you decide to encrypt them, your backups will be encrypted on the external storage, and your original VMs are encrypted on vSAN. The vSAN encryption doesn't follow the VM when you back it up to an external storage.

               

              • Now when VM is restored, it will be restored as decrypted VM right? so if a Rogue back admin choose to restore the VM he will always have access to VM.?

              => This question is answered above

              1 person found this helpful
              • 4. Re: vSAN Encryption Queries
                Preetam Zare Expert

                Thank you for your insightful comments and advice.

                It is much clear now.

                 

                Since vSAN encryption do not follow the VM, is it possible to restore this VM on any non-encrypted vSAN datastore? I think it is, As backup software will restore it as another file and since there is no DEK associated with VM it will work. unless I'm wrong.

                With Great Regards,
                TechS
                vExpert 2012-2017 | VCP3-5 | VCAP5-DCD | VCP-NV | vSAN Specialist | VDI | Germany
                1 person found this helpful
                • 5. Re: vSAN Encryption Queries
                  Great_White_Tec Expert
                  VMware EmployeesvExpert

                  You are correct. So if you backup from your PROD vSAN encrypted cluster, you can still restore the VMs to your DR site running on other storage or a different vSAN cluster.

                   

                  As far as the DEK, this key is not associated to a VM in vSAN Encryption, but to a disk in vSAN instead. Each disk in the cluster has a unique DEK. The KEK from KMS is used to encrypt the DEK.

                   

                  • 6. Re: vSAN Encryption Queries
                    Preetam Zare Expert

                    Thanks a lot for final inputs. One can build a good blog article out of this post which I'm planning very soon.

                    I marked each of your response as Helpful.

                    With Great Regards,
                    TechS
                    vExpert 2012-2017 | VCP3-5 | VCAP5-DCD | VCP-NV | vSAN Specialist | VDI | Germany