4 Replies Latest reply on May 6, 2018 5:43 AM by Psychomike70

    Database Encryption

    Psychomike70 Novice

      We have been asked by our security team to look into the possibility of encrypting the VMware databases. We have Horizon View 7.x, Windows-based View Composer, Windows-based 6.5 External PSC, and a Windows-based 6.5 vCenter. We also have another environment that is using Horizon View 7.x, Windows-based View Composer, and 6.5 VCSAs. Both environments are using MS SQL 2012.

      So to answer their questions, I wanted to make sure that I have my information correct...the Horizon View database contains only the Events captured/occurring in Horizon View. This would include virtual machine information and customer names. The vCenter database contains information regarding the ESXi hosts (hardware information, cluster information, virtual machine information, IP addresses of virtual machines and ESXi hosts, information on vSwitches, performance stats, alarm info, and other attributes and information related to vCenter/ESXi configurations). The View Composer database contains its connection information to the vCenter, any AD connection information, and linked clone/replica information. Did I miss anything important regarding the information in the databases? Or did I miss a database (not worried about the appliances' Postgres DB)? It has been a while since I had to look into the databases other than basic information.


      Also, the last time I looked up the information (the last time security asked the question), I seem to remember reading that encrypting any of the VMware databases was not supported. Has this changed? Has anyone encrypted their databases and not seen any issues (performance, backup and recovery)?

        • 1. Re: Database Encryption
          daphnissov Guru
          vExpert, Community Warriors

          Database encryption is still not supported, to my knowledge. That aside, since you're on Windows-based vCenter/PSC, you should probably be aware (and maybe you are) that there will be only the appliance moving forward after 6.7.

          • 2. Re: Database Encryption
            Psychomike70 Novice

            Thank you for the reply. Have you seen any recent documentation (vendor would be great) on the subject? I have been reading through some of the best practice white papers and I still haven't found something that states it plainly.


            And yeah, we are in the process of moving the Windows-based environment over to VCSA (we have 2 production environments running them now and 1 left to migrate). Sooo looking forward to not having to deal with Windows-based anymore...if nothing else for the patching.

            • 3. Re: Database Encryption
              daphnissov Guru
              vExpert, Community Warriors

              I've not seen any official documentation that specifically calls out encryption of the vCenter (or View, for that matter) database. And, honestly, you're the first person I've heard of to ask for that. What would be the use case for this, since vCenter doesn't contain any sensitive user data? Is this a case of perceived "security through obscurity" or something similar? Functionally, when talking about the vCSA, I'm not even sure how you could go about doing so. Even if you could, I can't imagine it would be a very good idea for a number of reasons.

              • 4. Re: Database Encryption
                Psychomike70 Novice

                I believe it is related to the STIG (SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest.). Since the VCDB contains information such as configurations, the security folks are asking about encrypting the data. They also asked about the View Events database, which I believe I have them convinced not to worry about, since that information is just username and machine name...and is overwritten often. They asked about the View Composer DB as well, but they didn't seem too concerned about that after I convinced them that the data there is also fairly volatile.


                I have also told them that once we finish migrating this last environment to VCSAs, we will be using the internal Postgres DB and this encryption worry will no longer be a concern. I was just looking for some kind of documentation to fend things off until the end of the year, when we are scheduled to move this last environment over to appliances.