vSAN1

  • 1.  VSAN encryption question

    Posted May 03, 2023 03:01 AM

    Hi All,

    I have a few questions. Please, someone help me in this regard.

    1) Before enabling encryption, we will need to set up/integrate the KMS server with the vCenter server. After enabling vSAN Encryption at Rest or In Transit at the vSAN service level, can we utilize vSAN encryption on the complete vSAN datastore? Like a VM encryption policy, can we use vSAN encryption only for selected vSAN policies? For example, 5 vSAN policies with encryption and 5 policies without vSAN encryption.

    If that is possible (5 vSAN policies with encryption and 5 policies without vSAN encryption), will there be any impact on the current PROD VMs (after enabling vSAN Encryption at Rest or In Transit at the vSAN service level)?


    2) Can we enable vSAN encryption at the new vSAN policy level (example – VSAN GOLD POLICY) without enabling vSAN encryption at the core services level? It will not work, right?


    3) The VM Encryption method is only for VMs, and the same VM Encryption policy cannot be used for vSAN file services.



  • 2.  RE: VSAN encryption question

    Posted May 03, 2023 06:23 AM

    Hello  

    1) Before enabling encryption, we will need to set up/integrate the KMS server with the vCenter server. After enabling vSAN Encryption at Rest or In Transit at the vSAN service level, can we utilize vSAN encryption on the complete vSAN datastore?
    vSAN Data at Rest encryption is a datastore-wide setting (all the files inside the vSAN cluster will be encrypted), and vSAN Data in Transit encryption is a cluster-wide setting: all communication between hosts in the cluster is encrypted.

    Like a VM encryption policy, can we use vSAN encryption only for selected vSAN policies? For example, 5 vSAN policies with encryption and 5 policies without vSAN encryption.
    No. Basically the datastore is either encrypted or not; there is no policy to choose.


    2) Can we enable vSAN encryption at the new vSAN policy level (example – VSAN GOLD POLICY) without enabling vSAN encryption at the core services level? It will not work, right?
    No, as discussed, it's datastore-wide.
    What you can do is encrypt VMs or VM disks that reside inside the vSAN datastore using VM encryption.

    3) The VM Encryption method is only for VMs, and the same VM Encryption policy cannot be used for vSAN file services.
    Correct, same as before. vSAN is either encrypted or not.

    Sources:

    vSAN Data at Rest
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-39717910-373F-4F71-98AE-D45C0ACBA061.html
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-37F9636A-7481-4486-AAA9-E0A1A49343A1.html

    vSAN Data in Transit
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-10099331-92E7-41AF-BCAA-88DB4B4A4B7B.html

    VM Encryption
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7DE1ED8F-880B-421E-B27B-5AAA58454AFA.html




  • 3.  RE: VSAN encryption question

    Posted May 04, 2023 07:02 PM

    Thanks for your prompt response.

    I'm testing VM encryption storage policies in the lab first.

    Steps:

    1) Created a default Native key provider.

    2) While creating the VM encryption policy (all datastores are visible - I have 5 shared datastores and all of them are compatible there).

    Out of the 5 datastores, I will need to tag this storage policy, "New-VM-encryption-policy", to "ISCSI-ENCR-DATASTORE", so that the complete DS will be encrypted. Am I right or incorrect?

    May I know how to do this task?




  • 4.  RE: VSAN encryption question

    Posted May 05, 2023 06:15 AM

    Hello, to clarify:
    The VM encryption policy will encrypt the VMDK and other VM files but not the datastore.
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8D7D09AC-8579-4A33-9449-8E8BA49A3003.html

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-06E45092-22DD-4064-AF55-FB5D0FD4E588.html

    As a rule of thumb:
    - vSAN Encryption --> Encrypts the whole vSAN datastore (same as array encryption in traditional storage arrays)
    - VM Encryption --> requires a VM storage policy --> Only encrypts the VMs that have that storage policy applied.
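The rule of thumb above (and the answer in reply 2) can be checked directly from PowerCLI: data-at-rest and data-in-transit encryption are read from the vSAN cluster configuration, while VM encryption shows up as a storage policy attached to individual VMs and disks. The script below is an added example, not code from the thread or from VMware. It assumes PowerCLI 12 or later with a live `Connect-VIServer` session; the cluster name is a placeholder, the policy name is the one the poster used, and the `DataInTransitEncryptionEnabled` property name is an assumption about the PowerCLI object.

```powershell
# Added example (not from the thread). Assumes an existing Connect-VIServer session
# and PowerCLI 12+ (VMware.VimAutomation.Storage / VMware.VimAutomation.Core).
$clusterName = 'vSAN-Cluster-01'             # placeholder: your vSAN cluster
$policyName  = 'New-VM-encryption-policy'    # policy name used by the poster

$cluster = Get-Cluster -Name $clusterName
$vsanCfg = Get-VsanClusterConfiguration -Cluster $cluster

# 1) Cluster-wide settings. There is no per-policy switch for these:
#    the whole datastore (at rest) or the whole cluster (in transit) is encrypted, or it is not.
$clusterReport = [pscustomobject]@{
    Cluster          = $cluster.Name
    VsanEnabled      = $vsanCfg.VsanEnabled
    DataAtRest       = $vsanCfg.EncryptionEnabled
    KeyProvider      = $vsanCfg.KmsCluster
    # Assumed property name; verify with: $vsanCfg | Get-Member
    DataInTransit    = $vsanCfg.DataInTransitEncryptionEnabled
}
$clusterReport | Format-List

# 2) Per-VM view. VM Encryption is a storage policy applied to VM home and disks;
#    a VM whose config carries a KeyId has an encrypted VM home.
$vmReport = foreach ($vm in Get-VM -Location $cluster) {
    $homeCfg  = Get-SpbmEntityConfiguration -VM $vm
    $diskCfgs = Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration
    [pscustomobject]@{
        VM               = $vm.Name
        HomePolicy       = $homeCfg.StoragePolicy.Name
        HomeCompliance   = $homeCfg.ComplianceStatus
        DiskPolicies     = ($diskCfgs | ForEach-Object { $_.StoragePolicy.Name } | Sort-Object -Unique) -join ','
        VmHomeEncrypted  = [bool]$vm.ExtensionData.Config.KeyId
    }
}
$vmReport | Sort-Object VM | Format-Table -AutoSize

# 3) Flag VMs on this cluster that do NOT use the VM encryption policy. If the cluster
#    already reports DataAtRest = True these VMs are still protected on disk by vSAN
#    encryption; if not, only the policy-assigned VMs are encrypted.
$unencryptedVMs = $vmReport | Where-Object { $_.HomePolicy -ne $policyName -and -not $_.VmHomeEncrypted }
"VMs without the '$policyName' policy: $($unencryptedVMs.Count)"

# 4) Applying the policy to a VM (this is what "tagging" really targets: the VM, not the
#    datastore). The VM must be powered off for initial encryption. Disabled by default here.
$applyToVm = $null   # set to a VM name to apply, e.g. 'lab-vm-01' (placeholder)
if ($applyToVm) {
    $policy = Get-SpbmStoragePolicy -Name $policyName
    $target = Get-VM -Name $applyToVm
    if ($target.PowerState -ne 'PoweredOff') {
        throw "Power off '$applyToVm' before applying a VM encryption policy."
    }
    $cfgs = @(Get-SpbmEntityConfiguration -VM $target) + @(Get-HardDisk -VM $target | Get-SpbmEntityConfiguration)
    Set-SpbmEntityConfiguration -Configuration $cfgs -StoragePolicy $policy
}
```

Run it read-only first (leave `$applyToVm` unset) and compare the cluster report with the per-VM table: a cluster with `DataAtRest = True` encrypts every VM regardless of policy, while a cluster without it protects only the VMs whose home and disks show the encryption policy as compliant.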




  • 5.  RE: VSAN encryption question



  • 6.  RE: VSAN encryption question

    Posted May 17, 2023 07:35 PM

    Thank you.



  • 7.  RE: VSAN encryption question

    Posted May 17, 2023 07:35 PM

    Thanks for the response.