Posted in: VMware, vSAN

vSAN Encryption

vSAN provides feature to encrypt the data at rest. Below are pre-requisites to enable vSAN encryption –

  • You will need a Key Management Server (KMS)
  • vCenter should establish a trusted connection with the KMS server and vice versa
  • User should have privileges on vCenter :
    Host.Inventory.EditCluster
    Cryptographer.ManageEncryptionPolicy
    Cryptographer.ManageKMS
    Cryptographer.ManageKeys

To enable encryption, Go to cluster -> Configure tab -> vSAN -> Services -> Encryption

Important vSAN Encryption terminologies :-

  1. KMIP : Key Management Interoperability Protocol :-
  • A standard protocol that clients use to talk to KMS.
  • The KMIP 1.1 protocol is required for use with vSAN Encryption

2. KMS : Key Management Server :-

  • Key management is a core requirement for using vSAN Encryption and VM Encryption.
  • A Key Management Solution using Key Management Interoperability Protocol (KMIP) version 1.1 is required.

3. KEK: Key Encryption Key :-

  • The key encryption key (KEK) is stored in KMS.
  • Each vSAN cluster has one KEK.(per-tenant key)
  • Key Encryption Keys are AES-256 compatible

4. DEK: Data Encryption key :-

  • Data Encryption key (DEK) is the key used in the I/O path to encrypt/decrypt data.
  • DEKs are XTS-AES-256 keys.
  • Each disk in a vSAN disk group will have a unique DEK.

5. HEK: Host Encryption Key :-

  • This is similar to the KEK, but is used to encrypt vSAN host core dumps, not data.
  • All hosts in a vSAN cluster use the same HostKey.
  • Using a Host Key, customers can safely send encrypted core dumps to VMware Global Support without disclosing DEKs.
  • The HEK assists in maintaining the integrity of customer data, while assisting VMware Global Support with problem resolution.
  • vSAN Host Keys are AES-256

6. Key cache :-

  • A vSphere Host kernel module that caches the KEK from the KMS for use by vSAN Encryption and VM Encryption.