VMware vSphere

  • 1.  How to see if a VMDK is encrypted or not

    Posted Dec 21, 2023 07:24 AM

    Hello,

    Environment: vSphere 8.0 U1.
    Question:  How can I see if a VMDK has been encrypted? (VMware level virtual disk encryption)

    For testing purposes, I created a new Windows 11 VM via the "add new VM" wizard and chose Windows 11 64-bit as the OS. It added the vTPM by itself and I just went through the wizard with the defaults.

    Then, in vCenter, in the VM's "Virtual Machine Details" pane, it says "Encrypted with native key provider". It also shows a small lock icon which, when I hover the mouse-pointer over it, it displays "VM configuration files are encrypted.".

    If I take that last statement literally, only the config files are encrypted and the VMDK is not.

    I'm having a discussion with folks that say "don't take that statement with a grain of salt, everything is encrypted incl. the VMDK".

    So, how do I verify/prove that the virtual disk, the VMDK, is indeed encrypted or not?
    I cannot find the answer to this question in the documentation and if I google it, I only get replies on how to enable encryption etc. but that is NOT what I'm asking.

    Note: I am aware of the PowerCLI module for VM Encryption on GitHub, but so far, all I get is this:

    get-vm "Win11-Test" | Get-VMEncryptionInfo

    Name                           Value
    ----                           -----
    profile
    connectState                   connected
    name                           Win11-Test
    disks                          {}
    keyId                          VMware.Vim.CryptoKeyId


    Can I interpret the value of "disks" being empty, and "keyId" not showing an ID, as meaning that this VM's single VMDK is not encrypted?

    Tnx



  • 2.  RE: How to see if a VMDK is encrypted or not

    Posted Dec 21, 2023 11:00 AM

    Hello,


    In my humble opinion everything depends on which storage policy is used (maybe as default) and the product license level, since according to the documentation, to encrypt ".VMDK" files you need the right one for the purpose.


    I mean, even an Essentials Kit allows the use of a Key provider (native or otherwise) and so adding a vTPM module, but this does not automatically produce encrypted ".vmdk" files, and it doesn't happen "automatically" even if you have adequate licenses (I usually use Enterprise Plus level for my hosts) unless you deliberately "set things up for this to happen as default" (or by specific choice per VM).


    I could also be wrong, but I also interpret "disks empty = not encrypted"; you can always try with a test VM and see what happens.


    Regards,
    Ferdinando



  • 3.  RE: How to see if a VMDK is encrypted or not

    Posted Dec 21, 2023 01:19 PM

    Ciao Ferdinando,

    The system runs Enterprise Plus.

    I created a second test VM and gave it the factory default storage policy "VM Encryption Policy" which, according to its description, encrypts the disk as well.

    In vCenter, in the VM's "Virtual Machine Details" pane, it says "Encrypted with native key provider". It also shows a small lock icon which, when I hover the mouse-pointer over it, it displays "VM configuration files are encrypted."
    So that is exactly the same as with the first test VM, which has the NFS datastore (factory) default policy.

    This is the PowerCLI output:


    get-vm "Win11-Test2" | Get-VMEncryptionInfo

    Name                           Value
    ----                           -----
    profile                        VM Encryption Policy
    connectState                   connected
    name                           Win11-Test2
    disks                          {}
    keyId                          VMware.Vim.CryptoKeyId


    So either that PowerCLI module, which was last updated on GitHub about 2 years ago, does not work with 8.0 U1 (on NFS storage), or else I have no idea why.



  • 4.  RE: How to see if a VMDK is encrypted or not

    Posted Dec 21, 2023 06:05 PM

    Hello,


    In truth, I used the method you tried some time ago, and I based my answer on my memory of that time, which is why I told you I could be wrong.
    However, what I can tell you is that simply adding the vTPM module to a VM does not imply, in principle or by default, that the disk drives are also encrypted unless explicitly desired.


    However, what I can tell you is that simply adding the vTPM module to a VM does not imply, in principle or by default, that the disk drives are also encrypted, unless explicitly desired via "storage policy". Usually the vCenter object says if one or more disk drives are encrypted, and the information is also contained in their corresponding "file descriptor"; at least in my context with "traditional storage" it works like this.


    Regards,
    Ferdinando



  • 5.  RE: How to see if a VMDK is encrypted or not
    Best Answer

    Posted Dec 22, 2023 01:36 AM

    Hi,

    There are a few examples in this posting, midway through, to query which disks are encrypted. Hope it helps.

    https://blogs.vmware.com/vsphere/2016/12/powercli-for-vm-encryption.html



  • 6.  RE: How to see if a VMDK is encrypted or not

    Posted Dec 22, 2023 10:45 PM

    Thanks Chris,

    One of the commands in that article is exactly what I was looking for:  "Get-VM | Get-HardDisk | Select Parent,Name,Encrypted"
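The distinction the thread turns on (VM home/configuration encryption versus encryption of the VMDK itself) is visible directly in the vSphere API objects that PowerCLI exposes through `ExtensionData`, without the community VM Encryption module. The following function is an added example, not code from the thread, from the linked blog post or from the PowerCLI module; it assumes an existing `Connect-VIServer` session with PowerCLI installed, and that the API fields `Config.KeyId` (VM home encryption) and `VirtualDisk.Backing.KeyId` (per-disk encryption) are populated as the vSphere API documents them. A VM whose config files are encrypted but whose disks are not will show `HomeEncrypted = True` with `DiskEncrypted = False` for every disk, which is the case the original question describes.

```powershell
# Added example (not from the thread): report VM home and per-VMDK encryption
# state using the vSphere API data behind PowerCLI's VM objects.
# Assumes: an active Connect-VIServer session; PowerCLI installed.
# Assumed API fields (per the vSphere API reference): Config.KeyId and
# VirtualDisk.Backing.KeyId, both of type CryptoKeyId.

function Get-VmdkEncryptionReport {
    [CmdletBinding()]
    param(
        # Accepts VM objects from the pipeline; defaults to every VM in the inventory.
        [Parameter(ValueFromPipeline = $true)]
        $VM = (Get-VM)
    )
    process {
        foreach ($v in $VM) {
            $cfg = $v.ExtensionData.Config

            # Config.KeyId is set only when the VM home (.vmx, .nvram, swap) is encrypted.
            $homeKey = $cfg.KeyId
            $homeEncrypted = ($null -ne $homeKey)

            # Walk the virtual hardware and keep only disk devices.
            $disks = $cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualDisk] }

            foreach ($d in $disks) {
                $backing = $d.Backing

                # Backing.KeyId is present only when the VMDK itself is encrypted;
                # guard the lookup because not every backing type carries the property.
                $diskKey = $null
                if ($backing.PSObject.Properties['KeyId']) { $diskKey = $backing.KeyId }

                [PSCustomObject]@{
                    VM            = $v.Name
                    HomeEncrypted = $homeEncrypted
                    Disk          = $d.DeviceInfo.Label
                    File          = $backing.FileName
                    DiskEncrypted = ($null -ne $diskKey)
                    DiskKeyId     = $(if ($diskKey) { $diskKey.KeyId } else { '' })
                    KeyProvider   = $(if ($diskKey -and $diskKey.ProviderId) { $diskKey.ProviderId.Id } else { '' })
                }
            }
        }
    }
}

# Usage: check the two test VMs from the thread, or run without a filter for all VMs.
Get-VM -Name 'Win11-Test', 'Win11-Test2' | Get-VmdkEncryptionReport | Format-Table -AutoSize
```

Reading the output: `HomeEncrypted` alone corresponds to the "VM configuration files are encrypted" tooltip in vCenter, and `DiskEncrypted` answers the actual question for each VMDK. Because the function reads the managed object's configuration rather than a cached property, it reflects the current state regardless of whether the disk was encrypted by a storage policy at creation or by a later policy change, and it works the same on NFS and VMFS datastores.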