With threats to the Datacenter all to common, VMware have provided an option to encrypt VMs. This not only helps deal with unauthorized external access but internally also. As of vSphere 6.5, there is full support for VM encryption. This includes the VMDKs and VM files such as the VMX.
Presently VM encryption requires a 3rd party KMS (Key Management Server) connected to the vCenter server. Rather than VMware providing the KMS, you choose your own which means VMware have little say in the vendor you use as long as certain criteria are met.
VMs will be encrypted by an internal ESXi encryption key then further encrypted by your KMS. Only users with access to the KMS keys will have access to the VM data. A new vCenter role named “Administrator – No Encryption and Key Access” exists to allow users to have full admin access with the exception of key management.
Array based encryption vs VM Encryption & Encrypted vMotion
One big selling point of VM Encryption is that if you move your VMs between Clouds (vCloud Air etc) then the VM will always be encrypted and no Cloud provider will have access to the keys. Also, if you vMotion an encrypted VM, the datastream used as part of this process is also encrypted.
Performance
Will VM Encryption impact performance? – Encryption always affects performance in one way or another however VMware state that new Intel processors due out late 2016 will perform much better and this will assist with the performance of Encrypted VMs.
Manageability
Encryption will be managed via Storage Policies. This is beneficial because:
- The VM is encrypted outside the guest VM, so the VM does not know it is encrypted
- The guest has no access to the encryption keys
- Policies are OS independent
- No guest modifications required
vCenter server will not be supported for encryption because HA is currently unable to reboot it onto other hosts in a cluster.
All types of datastore (vSAN, VMFS, vVOLs, NFS) are supported for encrypted VMs.
Backups
If using a hot-add based backup solution. The backup software will have an encrypted backup of the VM, so it will be up to the backup vendor to maintain encryption.
