vSphere 6.5 VM Encryption
I thought I'd delve into VM Encryption and see how it plays out. Do you need full certificate services, how is it enabled, is it easy to use and can you still use the datastore browser? Does it impact Veeam Backup & Recovery - what are the caveats operationally etc. Should I enable it everywhere?!!
So, how do I enable VM Encryption. With the VCSA 6.5 I've deployed I get a number of out of the box VM Storage Policies:
Hey, there's one for VM Encryption! Let's take a closer look:
So, I'll deploy a VM and select this Policy on the way, and then I'll apply it to an already running VM and see how I get on. When you deploy from a template you get to select the storage policy:
But just after kicking this off you get THIS nice little error:
What?!!!! Ok, so deploy first and encrypt later. Not very encouraging! Let's try that next. But oh dear, during template deployment I select the customize AND power on options. Can I apply this after the fact?
So lesson is - if you want to encrypt a VM from a deployment, don't select the encrypt policy, don't choose to power on the VM but do choose to apply the customization policy....
So, I next tried to apply the storage encryption policy to the deployed but powered off VM:
Easy, huh?!!
Oh dear! Crapola - caught again. What's the "default KMS cluster"?!!!
So far I'm just getting errors. I don't think VMware implemented this at all, they were just teasing!!
Lucky for us there is a document that deals with this:
So we can set this and we're good to go?! You need to setup a KMS, the following article describes the options better:
Now for my setup, I have a one Host cluster so let's configure that as the default KMS thingy.
I tried using these when adding a new KMS:
But now get this error:
Not as easy as I thought!! So, we need to establish a trust between vCenter and the new KMS service. We select "Establish Trust with KMS" and select one of these fine options:
Right, I'm starting to smell something fishy here - the documentation for each of those options says "oh if you use hytrust"...or " if you use safenet"..."vormetric"..."Thales"....etc...etc...are you telling me I'm missing something here? Can I use a Windows KMS store?! Isn't this all meant to be self contained inside vCenter?!! AAAAggghhh..!!
The following KB really shows the problem:
Yerp, I don't think using this is possible out of the box. You need a third party solution. I'll go off and have a look and see if any are free (!).
Well, I don't see any open source or free options anywhere there...!!
I did a bit more digging and a great article is here that gives a run down on why a KMS server is required:
William Lam published a test docker KMS to use in labs and check out the vm encryption feature (not in production mind you as it wipes its keys when rebooted!)
Guess it pays to keep in touch with all the new features as I'd missed a lot of this! So, let's deploy a windows kms server and install docker!
Ah No, it installs GIT for windows. I'm not a developer!! You need to enable "Expose hardware assisted virtualization to the guest" in the KMS VM too before launching the Docker Quickstart Terminal. This will download any updated ISO's it needs and setup the virtualbox for Docker in Windows!! Turn off the windows firewall if you get 127.0.0.1 port errors and retry.
Now we can use Mr. Lam's trick to get us a KMS!
Nice one Sir! Now, I can ping OUT from Docker but no one is allowed connect in. This is because we're running Docker INSIDE VirtualBox INSIDE Windows! So, what you gotta do is edit the VirtualBox configuration to allow TCP port 5696 be forwarded from the Windows Host inside VirtualBox to the Docker container! Double Click on the Oracle VM VirtualBox desktop icon and edit the settings as follows under default,Network, Adapter 1, Advanced, Port Forwarding:
I've added an extra rule for KMS here, leave the IPs blank. Now I can go to vCenter and have some fun:
Instead of getting KMS connectivity errors I get a certificate trust popup!!
So now I can click Trsut I get a good KMS as shown below:
So, that's just for test, it's not a production suitable KMS but it's enough to play with and to test VM encryption. So, I've two VMS, one running and the other deployed but shutdown (customisation scripts haven't launched yet on it). Let's try applying the Storage Policy for encryption on both. I get an error applying it to the powered on VM, the powered off one does apply but takes a while.
The VM encryption process took just over 2 minutes. I'm sure larger VMs will take longer.
The Datastore Browser shows the following view:
Don't see much going on here. I heard you can't take snapshots of encrypted VMs but the screen shot above was taken in the middle of a Veeam backup.
The backup worked fine. I tried to take a snapshot but got this error:
NOT choosing the guest memory option and the snapshot is taken fine. Now I'll delete the bugger and restore via VMware and see what happens.
So it says the VM is compliant against the policy and there's no indication of any task to reencrypt it again:
I'm not sure if I believe it however! If it's stored unencrypted in the backup solution, wouldn't it have to reencrypt it again once restored? I know I encrypted the backup myself but it's not integrated with VMware that way. Is this a false positive based on the backed up state? Well, what about powering down the VM and trying to attach it's disks to another VM?
Even after changing the policy on the other VM to allow disk encryption it won't let me click OK! And it recognises the fact the disk is encrypted. Brilliant!
Looks good to go so. I wouldn't recommend trying to restore a disk to a different vm without unencrypting it first!
So, that's all I'll do today. Hope you found it interesting. Always good to set up a lab and see for yourself how it all fits together. As always forget using the HTML 5 client for any of this......