vSphere 6.5 Security – Virtual Machine Encryption

Virtual Machine Encryption
Information security is the top priority when it comes to protecting customer data in private and public clouds. Data encryption is a sound way to protect that data and answers many security concerns, but it requires a solid strategy and key management to be in place. With the vSphere 6.5 VM Encryption feature you can now encrypt existing VMs or create new encrypted virtual machines. The feature encrypts virtual machine files, VMDKs and core dumps. VM encryption works independently of the guest OS and of the datastore type because it is policy driven (a storage policy with an encryption component is applied to the VM). Nothing changes inside the guest and no agent is needed, since encryption and decryption are performed in the hypervisor's I/O path on the ESXi host (which is also where the CPU cost lands; hosts with AES-NI handle it in hardware). vSphere administrators perform encryption and decryption operations from the vCenter Server UI.


How Virtual Machine Encryption Works
* The process starts when a user performs an encryption task (applying an encryption storage policy to an existing VM, or creating a new VM with such a policy): vCenter Server requests a new key from the third-party key management server (KMS). On later operations such as power-on, vCenter Server fetches the same key from the KMS by its ID.
* vCenter Server sends this KMS key, the Key Encryption Key (KEK), to the encryption module on the ESXi host (or to the hosts of the cluster, if the VM belongs to one).
* The encryption module on the ESXi host generates internal keys, the Data Encryption Keys (DEKs), for the VM and its disks, and wraps (encrypts) those DEKs with the KEK.
* The ESXi host encrypts the virtual machine's files and disks with the DEKs. Only the wrapped DEKs are written out with the VM's files; without the KEK from the KMS they cannot be unwrapped, so a copy of the VM files alone is unreadable.


Points to remember:
* Keys retrieved by vCenter Server from the KMS are used as Key Encryption Keys (KEKs).
* vCenter Server does not store the keys themselves; it stores only their key IDs.
* The internal keys (DEKs) are held in ESXi host memory; on disk they exist only in wrapped form, encrypted with the KEK.
* A third-party KMS is a prerequisite. The feature is built on the KMIP 1.1 protocol and vCenter Server acts as the KMIP client, so any KMIP 1.1-compliant KMS can be used (check the VMware Compatibility Guide for supported products).
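The key hierarchy described above, as an added example that is not part of this post and not VMware's code. It is a small Go model of the three roles: the KMS mints and serves a KEK by ID, the ESXi side generates the DEK in memory and wraps it under the KEK, and power-on fails when the KMS no longer has the key. AES-256-GCM is used for both layers purely as an illustration; the real product's ciphers, key formats and file layout are not shown. The in-memory KMS, every function name and the sample VMDK bytes are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is fatal for a key-management component
	}
	return b
}

// aead builds AES-256-GCM; all keys here are 32 bytes, so the errors cannot occur.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// KMS stands in for the third-party KMIP server, the only place a KEK is at rest.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

// CreateKey is the KMIP Create step: mint a 256-bit KEK and hand back only its ID.
func (k *KMS) CreateKey() string {
	id := fmt.Sprintf("%x", mustRandom(8))
	k.keks[id] = mustRandom(32)
	return id
}

// GetKey is the KMIP Get step: vCenter presents the stored ID and receives the KEK.
func (k *KMS) GetKey(id string) ([]byte, error) {
	if kek, ok := k.keks[id]; ok {
		return kek, nil
	}
	return nil, fmt.Errorf("kms: unknown key id %s", id)
}

type EncryptedVM struct {
	KeyID      string // KEK identifier, the only key-related value vCenter keeps
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // VM data encrypted under the DEK
}

// seal prepends a fresh nonce; the key ID is AAD so a wrapped DEK stays tied to its KEK.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// EncryptVM is the ESXi encryption module: DEK made in host memory, data under DEK, DEK under KEK.
func EncryptVM(kek []byte, keyID string, vmData []byte) *EncryptedVM {
	dek := mustRandom(32)
	return &EncryptedVM{
		KeyID:      keyID,
		WrappedDEK: seal(kek, dek, []byte(keyID)),
		Ciphertext: seal(dek, vmData, []byte(keyID)),
	}
}

// PowerOn: vCenter fetches the KEK by ID, the host unwraps the DEK, then reads the data.
func PowerOn(kms *KMS, vm *EncryptedVM) ([]byte, error) {
	kek, err := kms.GetKey(vm.KeyID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, vm.WrappedDEK, []byte(vm.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, vm.Ciphertext, []byte(vm.KeyID))
}

func main() {
	kms := NewKMS()
	keyID := kms.CreateKey()
	kek, _ := kms.GetKey(keyID)
	vm := EncryptVM(kek, keyID, []byte("constructed sample VMDK contents"))
	data, err := PowerOn(kms, vm) // KMS reachable: DEK unwraps, data readable
	fmt.Printf("with KMS: %q err=%v\n", data, err)
	_, err = PowerOn(NewKMS(), vm) // VM files copied elsewhere: no KEK, no data
	fmt.Println("without KMS:", err)
}
```

Two things are worth noticing. The `EncryptedVM` value is everything an attacker obtains by copying the datastore, and it contains no usable key. The `PowerOn(NewKMS(), vm)` call is what happens when the KMS is unreachable or the key has been deleted: the VM is just as unreadable to you as to the attacker, which is why KMS availability and key backup deserve the same attention as the encryption itself.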

Steps to enable Virtual Machine Encryption:

We need to prepare vCenter Server before configuring virtual machine encryption, so let's add a Key Management Server to vCenter Server. I am using William Lam's PyKMIP appliance in my lab to test this feature. Thanks to William for PyKMIP. Note that PyKMIP is a lab and test tool, not a production KMS: for production use a KMS from the VMware Compatibility Guide and run it redundantly, because a VM whose KEK can no longer be fetched from the KMS cannot be powered on.

Navigate to vCenter Server >> Configure >> Key Management Servers and click Add KMS.

Enter the KMS cluster name, a KMS server alias, and the IP address and port number of the KMS server, then click OK.


Select Yes to continue; the new KMS cluster becomes the default cluster. You can change that later if you wish.


Select the Trust certificate option (for the KMS server certificate) to continue. Trust is mutual with most production KMS products: the KMS also has to trust vCenter Server's client certificate, which is set up from the same Key Management Servers page (Establish trust with KMS).

Verify that the connection between vCenter Server and the KMS server is established.


We have established connectivity between vCenter Server and the KMS server, so vCenter Server can now retrieve encryption keys. Let's enable the VM encryption policy for an existing virtual machine (the default VM Encryption Policy). The VM must be powered off for this.

Select the virtual machine from the inventory, right-click >> VM Policies >> Edit VM Storage Policies.

Select the VM Encryption Policy from the drop-down list and apply it to the VMDKs and to the virtual machine files (VM home).


Power the VM on and verify that the encryption policy has been applied; the virtual machine's Summary tab shows the encryption status.


We have encrypted an existing virtual machine; now let's see how to enable encryption for a new VM while creating it. First I will demonstrate how to configure a custom encryption storage policy for virtual machines, and then we will use that custom encryption policy while creating a new VM.

Navigate to Policies and Profiles >> VM Storage Policies >> Create VM Storage Policy.

Enter a name for the new encryption policy and click Next to continue.

Click Next to continue.


Select Use common rules in the VM storage policy >> Add component >> Encryption >> Custom, then click Next to continue.


Select VMware VM Encryption as the Provider and leave Allow I/O filters before encryption set to false, then click Next to continue. With this setting false, encryption runs before any other I/O filter, so a caching or replication filter only ever sees ciphertext; set it to true only if you deliberately want such a filter to operate on plaintext.


Uncheck Use rule-sets in the storage policy and click Next.


Verify storage compatibility and click Next to proceed.

Click Finish to create the new encryption storage policy.

We now have a custom encryption storage policy in vCenter Server, and we can apply it to a new VM as demonstrated below.

Select the encryption storage policy we created in step 2c (VM storage) of the New Virtual Machine wizard.

Validate that VM encryption is enabled by expanding the hard disk in the hardware section of the New Virtual Machine wizard, and again from the summary page.

New virtual machine summary.

Final Thoughts: Data encryption is one method of protecting critical data. This vSphere feature adds a layer of security, since encrypted virtual machine files are useless to anyone who copies or steals them without access to the KMS that holds the KEK. It is easy to use from the vCenter UI, and you can choose a KMS of your choice or reuse an existing KMS in your environment, since vCenter Server works as a KMIP client. I am already liking this feature.
