VMware vSphere 6.5 Configure Encrypted VMs

One of the exciting new features introduced with vSphere 6.5 is encrypted VMs.  Security these days is on everyone’s mind and encryption provides a solution to many security concerns.  What happens if someone gets a copy of the raw VMDKs of a sensitive VM?  They can then take those files, mount them on their own VMware server and have access to the data.  And it is not just data at rest, but data in motion, vMotion that is.  In steps encrypted VMs.  Those files are worthless without the encryption key provided by the encryption key server.  The encrypted VMs feature also allows for encrypted vMotion.  Let’s look at how to configure encrypted VMs in VMware vSphere 6.5.

VMware vSphere 6.5 Configure Encrypted VMs

The first step in deploying Encrypted VMs is to point vCenter to a Key Management Server.  In your vCenter server inventory list, click Manage >> Key Management Servers >> Add Server.

Fill in the information for your cluster name, server alias, server address, and server port.

Once you click OK you will see a security dialog asking you to trust the certificate.

Once added, you should have green checkboxes next to the Certificate status.

Now under KM Servers we set a default cluster.

Creating an Encryption Storage Policy

The next step in the process is to set up an encryption storage policy.

Add a storage policy.

Name the policy.

Simply click Next through the following informational page.

Under Common rules, check the Use common rules in the VM storage policy box.  Then select Add Component and choose the Encryption option from the dropdown, but don’t click Next yet.

Under Add Rule, select the vmcrypt option.

Leave the Allow I/O filters before encryption option set to false.

Uncheck the Use rule-sets in the storage policy option.

The next screen shows the storage compatibility check.

Click Finish to create the encryption storage policy.

We can now see our EncryptionPolicy listed in the available VM storage policies.

Create an Encrypted VM

The last step is to actually create an encrypted VM.

Select the name and folder.

Select a compute resource.

Here is where the new options come into play.  We can now select our Encryption Policy from the VM storage policy dropdown.

Leave the Compatible with setting at ESXi 6.5 and later.

When you expand the hard disk for the VM, notice how the VM storage policy shows the Encryption Policy.

Also, a really cool feature is Encrypted vMotion.  Here we can choose how the VM handles vMotion to another host.  There are three options:

  • Disabled – Do not use encrypted vMotion
  • Opportunistic – Use encrypted vMotion if the destination host supports it, otherwise use normal vMotion
  • Required – The vMotion process with this VM must use encrypted vMotion.  If the destination host doesn’t support encrypted vMotion, the vMotion operation will fail.

After the above configuration screen, simply hit Next and Finish at the Summary screen.
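To see what the three Encrypted vMotion options mean across a whole cluster, the following added example (not code from the original post or from VMware) works out, for every VM and every possible destination host, whether a migration would be encrypted, unencrypted or refused. The inventory records and their field names are hypothetical and constructed for illustration; they are not a vCenter export format.

```python
from enum import Enum

class Mode(Enum):
    DISABLED = "disabled"
    OPPORTUNISTIC = "opportunistic"
    REQUIRED = "required"

def vmotion_outcome(mode, dest_supports_encryption):
    """Outcome of one migration under the three settings: encrypted, plaintext or fails."""
    if mode is Mode.DISABLED:
        return "plaintext"
    if dest_supports_encryption:
        return "encrypted"
    # Destination cannot do encrypted vMotion: Opportunistic falls back, Required refuses.
    return "plaintext" if mode is Mode.OPPORTUNISTIC else "fails"

def audit(vms, hosts):
    """Report encrypted-policy VMs that can migrate in the clear, and migrations that would fail."""
    findings = []
    for vm in vms:
        mode = Mode(vm["vmotion_encryption"])
        targets = {"encrypted": [], "plaintext": [], "fails": []}
        for host in hosts:
            if host["name"] != vm["host"]:  # the current host is not a migration target
                targets[vmotion_outcome(mode, host["encrypted_vmotion"])].append(host["name"])
        if vm["encryption_policy"] and targets["plaintext"]:
            findings.append((vm["name"], "unencrypted vMotion possible", targets["plaintext"]))
        if targets["fails"]:
            findings.append((vm["name"], "vMotion would fail", targets["fails"]))
    return findings

# Constructed inventory (hypothetical names and fields, not taken from a real environment).
HOSTS = [
    {"name": "esx-a", "encrypted_vmotion": True},
    {"name": "esx-b", "encrypted_vmotion": True},
    {"name": "esx-old", "encrypted_vmotion": False},
]
VMS = [
    {"name": "db01", "host": "esx-a", "encryption_policy": True, "vmotion_encryption": "opportunistic"},
    {"name": "hr01", "host": "esx-a", "encryption_policy": True, "vmotion_encryption": "required"},
    {"name": "web01", "host": "esx-b", "encryption_policy": False, "vmotion_encryption": "disabled"},
]

if __name__ == "__main__":
    for name, issue, hosts in audit(VMS, HOSTS):
        print(f"{name}: {issue} -> {', '.join(hosts)}")
```

With this sample data, the Opportunistic VM is flagged because it can silently fall back to normal vMotion toward the one host without support, while the Required VM is flagged because that same migration would be refused.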

Thoughts

The process to configure encrypted VMs in vSphere 6.5 is very straightforward within vCenter.  This is an exciting feature that will give administrators the ability to provide an additional layer of security to their data and the VMs themselves.  The new vSphere 6.5 release is looking like a very worthy upgrade in terms of features and functionality.

Brandon Lee
