VMware Virtual Machine Encryption Key Management


One of the exciting new features included with VMware vSphere 6.5 is the ability to encrypt VMware virtual machines by using a native encryption process that is managed at the hypervisor level.  Since the encryption is done at the hypervisor level, this takes the heavy lifting out of managing encryption of each virtual machine separately. At the hypervisor level, VMware has instituted encryption in the kernel itself so that both VM specific files such as the VMX, VMDK, snapshot disks, etc are encrypted. This results in a much more powerful centralized approach for being able to encrypt virtual machines. Additionally, the encryption is not dependent on the type of guest operating system that is running or the type of datastore or formatting, etc. Encryption is what VMware calls “agnostic”.  Let’s take a look at VMware Virtual Machine Encryption Key Management.

Benefits of VMware Virtual Machine Encryption

In today’s security centric world of IT infrastructure, organizations are facing the facts that encryption is no longer a “nice to have” but is a necessity. Making sure data is encrypted both in-flight and at rest is essential to overall data security. Now that VMware has provided the tools that make this possible natively, organizations running on top of VMware vSphere infrastructure have the means to ensure data at the VM level is encrypted.

High level view of benefits:

  • Encryption is performed at the hypervisor level
  • VMware provides policy driven encryption which allows mass deploying encryption to numerous virtual machines
  • Since the encryption is “outside of the VM” it is much more difficult to compromise with no moving parts running in memory, etc
  • VMware is using KMIP 1.1 standard for key management

Virtual Machine Encryption Best Practices

Below are a few general best practices when it comes to virtual machine encryption:

  • It is not recommended to encrypt vCenter Server Appliance (VCSA) virtual machines
  • In the event that an ESXi host goes down or crashes, get the support bundle as soon as possible, due to the fact the host key may change
  • Don’t change the KMS server cluster name without forethought and coordination. A VM that is encrypted with keys from a named KMS server will go into an invalid state during power on or register.
  • Don’t manually edit virtual machine descriptor files for encrypted virtual machines as this can render a virtual machine unrecoverable.
  • Deduplication and compression might not be effective for encrypted virtual machines since data is encrypted on the host before data is written to storage.
  • The encryption process itself is CPU intensive. There can be tremendous benefits to enabled AES-NI in the server BIOS. This is the Advanced Encryption Standard – New Instructions. This implements hardware accelerated versions of certain compute intensive steps using in the AES algorithm.

***Update 12/6/2017*** VMware officially released their vSphere 6.5: VM and vSAN Encryption FAQ guide which details most aspects and questions of the technology along with additional resources for learning.

Free or Trial Virtual Machine Encryption Key Management Servers

Below, we will discuss a truly free option that has been provided by way of a Docker container.  However, there are a couple of trial options for Virtual Machine Encryption Key Management Servers found

Dell/EMC Cloudlink 

Configuring VMware Virtual Machine Encryption Key Management

William Lam has provided a great resource for anyone looking to take the new VMware virtual machine encryption for a test drive in a lab environment.  He has created a docker container that is running an acceptable KMIP services to test the new process in a lab environment.  As he has stated many times, this is not to be used in production as when the container is terminated your keys are toast as well.  I had an Ubuntu 17.10 server up and running my lab environment running docker that I used as the platform to run the Docker image.

Getting the docker image up and running is as simple as two steps once you have Docker installed on your host:

Step 1:

Step 2:

Downloading-the-VMware-Encryption-KMIP-key-management-docker-image VMware Virtual Machine Encryption Key Management

Downloading the VMware Encryption KMIP key management docker image

Starting-the-VMware-Encryption-Key-Management-Server VMware Virtual Machine Encryption Key Management

Starting the VMware Encryption Key Management Server

Configuring VMware Encryption Key Management Server

Let’s take a quick look now at pointing the Key Management Server over to test KMIP server we have spun up via the Docker container.  We navigate to the vCenter server Configure menu and Add KMS.

Add-the-Key-Management-Server-in-vCenter VMware Virtual Machine Encryption Key Management

Add the Key Management Server in vCenter

Next, point the KMS configuration to the lab Key Management server.

Create-a-new-KMS-Cluster-and-point-it-to-the-lab-server VMware Virtual Machine Encryption Key Management

Create a new KMS Cluster and point it to the lab server

Here we accept to set the KMS server as default.

Set-the-KMS-server-as-default VMware Virtual Machine Encryption Key Management

Set the KMS server as default

The KMS server will present with a certificate for us to trust.

Trust-the-certificate-presented-on-the-Key-Management-Server VMware Virtual Machine Encryption Key Management

Trust the certificate presented on the Key Management Server

Finally, we see the new Key Management Server has been added to vCenter.

The-key-management-server-is-now-added-to-vCenter VMware Virtual Machine Encryption Key Management

The key management server is now added to vCenter

By default vCenter already has a VM Encryption Policy under the VM Storage Policies that we can utilize.

By-default-there-is-already-a-VM-Encryption-storage-policy-created VMware Virtual Machine Encryption Key Management

By default there is already a VM Encryption storage policy created

Encrypting a VMware Virtual Machine

Now, all we have left to do is apply the VM Encryption policy to an existing VM.  Right-click the VM and select the VM Policies menu Edit VM Storage Policies.

Set-the-storage-policy-on-an-existing-VM VMware Virtual Machine Encryption Key Management

Set the storage policy on an existing VM

Set the VM storage policy to VM Encryption Policy.

Here-we-choose-the-VM-Encryption-Policy-and-apply-it-to-all-of-the-VM-files VMware Virtual Machine Encryption Key Management

Here we choose the VM Encryption Policy and apply it to all of the VM files

Note that if the virtual machine is powered on, we can’t set the encryption policy.

VM-encryption-error-when-the-VM-is-powered-on VMware Virtual Machine Encryption Key Management

VM encryption error when the VM is powered on

After powering off, and applying the VM encryption policy, the VM is sucessfully encrypted.

After-powering-off-VM-encryption-successfully-encrypts-the-VM VMware Virtual Machine Encryption Key Management

After powering off VM encryption successfully encrypts the VM

VMware Virtual Machine Encryption Key Management Thoughts

Kudos to William Lam for providing the Docker container for us lab gear heads to take the encryption policy for a test drive.  It is great that VMware is providing all the tools needed for organizations to stay on top of security for data both in flight and at rest.  The new VM Encryption policy is a great way to ensure the safety of virtual machines at the VM level irregardless of OS or underlying technology in the virtual machine.