
Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

04.14.2017 by William Lam // 4 Comments

One of the biggest features introduced in the upcoming vSAN 6.6 release is native vSAN Data-at-Rest Encryption. My good friend Duncan Epping even posted a video recently demo'ing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption, which was introduced in vSphere 6.5, vSAN Encryption also requires a Key Management Interoperability Protocol (KMIP) server that is associated with your vCenter Server.

The really nice thing about this is that because both VM Encryption and vSAN Encryption use the exact same encryption library, as long as you have a supported KMS (which you can find on the VMware KMS HCL here; more are being certified and added), you can leverage the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉

As with any feature that relies on 3rd party tools, it can take some time to acquire evaluation licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can get started in a few minutes by using the KMIP Docker Container that I built last year. This is a great way to familiarize yourself with the workflow, or to try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or the deployment of encrypted VMs. Another great use case is live demos: all you need is a couple of Nested ESXi VMs and a Docker Container Host such as Photon OS, or even just your laptop. Below are the instructions on how to get started.

Disclaimer: It is very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be leveraging a production-grade KMIP server, because PyKMIP stores the encryption keys in memory and they are lost upon a restart. This is also true of the virtual appliance, so this is really for quick evaluation purposes only; do NOT run anything important that you care about, due to the risks mentioned above.

Step 1 - Setup the KMIP Docker Container and associate it with your vCenter Server. You can find the complete instructions here.


Step 2 - Enable vSAN Encryption by editing the vSAN Cluster configuration. You should see the KMS Cluster that you configured in Step 1. If you only have a single existing diskgroup, you may need to select the "Allow Reduced Redundancy" option, as the existing diskgroup will be destroyed, which may violate the existing availability policy.


At this point, you should see a new task kicked off to reformat the vSAN diskgroup, and once that has completed, you have successfully enabled vSAN Encryption! Pretty straightforward, right?


There is also a vSAN Health Check for vSAN Encryption, which you can view by going to vSAN->Monitor->vSAN; under the "Encryption" check, it should show all green, confirming that your CPUs support the AES-NI instruction set. You can also see that I have gone ahead and deployed a new VM which is now being secured by vSAN Encryption!
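Before clicking through Step 2, it is worth confirming that vCenter actually holds a client certificate for the KMS cluster and that trust has been established in both directions, since a missing client certificate is exactly what makes the "Reconfigure vSAN configuration" task fail. The following pre-flight check is an added example, not code from this post or from the PyKMIP project. It uses the vSphere 6.5 API objects `CryptoManagerKmip.ListKmipServers()` and `RetrieveKmipServersStatus()` via pyVmomi, whose result fields (`clientCertInfo`, `servers[].status`, `servers[].certInfo.clientTrustServer` / `serverTrustClient`) are what the check evaluates; the `fetch_kms_status` helper assumes the caller has already connected with `pyVim.connect.SmartConnect`. The sample status records at the bottom are constructed to mirror that API shape (one healthy cluster, one reproducing the "no client certificate or key configured" condition) so the evaluation logic can run offline.

```python
"""Pre-flight check for vSAN / VM Encryption: does vCenter hold a client
certificate for the KMS cluster, and do vCenter and the KMS trust each other?

Added example; not code from the original post.  Object and field names follow
the vSphere 6.5 API (vim.encryption.CryptoManagerKmip and
CryptoManagerKmipClusterStatus).  The sample records in constructed_samples()
are made up for this example, not captured from a real vCenter.
"""
from types import SimpleNamespace as NS  # stand-in for API objects in the sample data


def summarize_kms_cluster(cluster_status):
    """Reduce one CryptoManagerKmipClusterStatus-shaped object to a findings dict.

    ready is True only when vCenter has a client certificate for the cluster and
    every KMS server in it is green with trust established in both directions.
    """
    has_client_cert = cluster_status.clientCertInfo is not None
    findings = {
        "cluster_id": cluster_status.clusterId.id,
        "client_cert_present": has_client_cert,
        "servers": [],
        "problems": [] if has_client_cert else ["no client certificate/key configured"],
    }
    for srv in cluster_status.servers:
        cert = srv.certInfo  # CryptoManagerKmipServerCertInfo, may be None
        entry = {
            "name": srv.name,
            "status": str(srv.status),  # ManagedEntityStatus: green / yellow / red / gray
            "client_trusts_server": bool(cert and cert.clientTrustServer),
            "server_trusts_client": bool(cert and cert.serverTrustClient),
        }
        if entry["status"] != "green":
            findings["problems"].append(f"{srv.name}: status {entry['status']}")
        if not entry["client_trusts_server"]:
            findings["problems"].append(f"{srv.name}: vCenter does not trust the KMS certificate")
        if not entry["server_trusts_client"]:
            findings["problems"].append(f"{srv.name}: KMS does not trust vCenter's client certificate")
        findings["servers"].append(entry)
    findings["ready"] = not findings["problems"]
    return findings


def fetch_kms_status(si):
    """Query a live vCenter.  Assumes `si` is a pyVmomi ServiceInstance obtained
    from pyVim.connect.SmartConnect; pyVmomi is only needed for this function."""
    from pyVim.task import WaitForTask

    crypto_mgr = si.content.cryptoManager          # vim.encryption.CryptoManagerKmip
    clusters = crypto_mgr.ListKmipServers()        # KmipClusterInfo[]
    task = crypto_mgr.RetrieveKmipServersStatus(clusters)
    WaitForTask(task)                              # result: CryptoManagerKmipClusterStatus[]
    return [summarize_kms_cluster(cs) for cs in task.info.result]


def constructed_samples():
    """Two constructed status records: one ready, one mirroring the
    'does not have a client certificate or key configured' failure."""
    good = NS(
        clusterId=NS(id="DOCKER-KMS"),
        clientCertInfo=NS(subject="CN=vcenter-client"),  # constructed subject
        servers=[NS(name="pykmip-1", status="green",
                    certInfo=NS(clientTrustServer=True, serverTrustClient=True))],
    )
    untrusted = NS(
        clusterId=NS(id="DOCKER-KMS-NOCERT"),  # constructed name
        clientCertInfo=None,
        servers=[NS(name="pykmip-1", status="red",
                    certInfo=NS(clientTrustServer=True, serverTrustClient=False))],
    )
    return [good, untrusted]


if __name__ == "__main__":
    for cs in constructed_samples():
        f = summarize_kms_cluster(cs)
        print(f["cluster_id"], "READY" if f["ready"] else "NOT READY", f["problems"])
```

Run it as-is to see the two constructed clusters evaluated; against a real vCenter, replace the loop with `fetch_kms_status(si)` after connecting. The point of separating `summarize_kms_cluster` from the live query is that the readiness rule (client cert present, every server green, trust in both directions) can be unit-tested and reused in automation without a vCenter in the loop.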


Categories // Docker, VSAN, vSphere 6.5 Tags // Docker, KMIP, PyKMIP, VSAN 6.6, vSAN Encyption, vSphere 6.5

Comments

  1. Sanjay Dubey says

    04/26/2017 at 3:08 am

    Getting error. Client Certificate not found.

    Reply
  2. Dan says

    09/10/2017 at 2:41 pm

    Hey William,

    I am getting the same error below:

    The "Reconfigure vSAN configuration" operation failed for the entity with the following error message.

    General vSAN error.
    The KMS cluster DOCKER-KMS does not have a client certificate or key configured

    Do I need to Establish Trust with the KMS and create a client side cert from vCenter and upload it to the KMIP Server Docker Container?

    I am running 6.5U1 + VSAN 6.6.1 as well.

    Thanks

    Reply
  3. Nathan says

    07/01/2018 at 9:32 pm

    I'm getting the same error as Dan. Any ideas on a solution?

    Reply
  4. Christopher says

    10/24/2019 at 10:01 am

    I have a question about vSAN: how can you carve up the datastore so that you can provide a slice to a specific tenant and prevent data leakage? For example, if you have Coke and Pepsi as two different tenants and you want to carve out your vSAN so that Coke and Pepsi have their own slice, and to guarantee your customers that neither tenant can see or access each other's slice.

    Reply

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
