One of biggest feature introduced in the upcoming vSAN 6.6 release is the native vSAN Data-at-Rest Encryption capability. My good friend Duncan Epping even posted a video recently demo'ing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption which was introduced in vSphere 6.5, vSAN Encryption also requires a Key Management Interoperability Protocol (KMIP) Server which needs to be associated with your vCenter Server.
The really nice thing about this is that because both VM Encryption and vSAN Encryption uses the exact same encryption library, as long as you have a supported KMS (which you can find over on the VMware KMS HCL here, more are being certified and added), you can actually leverage the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉
As with any feature that relies on 3rd party tools, it can take some time to acquire evaluational licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can quickly get started in under a few minutes by using the KMIP Docker Container that I had built last year. This is a great way to familiarize yourself with the workflow or even try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or even deployment of encrypted VMs. Another great use case for this is doing live demos and all you need is just a couple of Nested ESXi VMs and a Docker Container Host like Photon OS or even just your laptop for example. Below are the instructions on how to get started.
Disclaimer: It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be leveraging a production grade KMIP Server as PyKMIP stores the encryption keys in memory and will be lost upon a restart. This will also be true even for the virtual appliance, so this is really for quick evaluational purposes, do NOT run anything important that you care about due to the risks mentioned earlier.
Step 1 - Setup the KMIP Docker Container and associate it with your vCenter Server. You can find the complete instructions here.
Step 2 - Enable vSAN Encryption by editing the vSAN Cluster configuration. You should see the KMS Cluster that you had configured from Step 1. If you only have a single existing diskgroup, you may need to select the "Allow Reduced Redundancy" as the existing diskgroup will be destroyed which may violate the existing availability policy.
At this point, you should see a new task kicked off to reformat the vSAN diskgroup and once that has completed, you have now successfully enabled vSAN Encryption! Pretty straight forward, right?
There is also a vSAN Health Check for vSAN Encryption which you can view by going to vSAN->Monitor->vSAN and under the "Encryption" check, it should show all green that your CPUs support the AES-NI instruction sets. You can also see that I have gone ahead and deployed a new VM which is now being secured by vSAN Encryption!
Sanjay Dubey says
Getting error. Client Certificate not found.
Dan says
Hey William,
I am getting the same error below:
The "Reconfigure vSAN configuration" operation failed for the entity with the following error message.
General vSAN error.
The KMS cluster DOCKER-KMS does not have a client certificate or key configured
Do i need to Establish Trust with the KMS and create a client side cert from vCenter and upload it to the KMIP Server Docker Container?
I am running 6.5U1 + VSAN 6.6.1 as well.
Thanks
Nathan says
I'm getting the same error as Dan. Any ideas on a solution?
Christopher says
I have a question about vSAN how can you carve up the datastore so that you can provide a slice to a specific tenant and prevent data leakage? For example if you have coke and pepsi as two different tenants and you want to carve out your vsan so that coke and pepsi have their own slice and to grantee your customers that neither tenant can see or access each others slice.