One of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).
In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers.
The most common question we get about these new encryption features is: How do I manage failover for the key managers?
This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:
Defining Key Managers to vSphere KMS Cluster
Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary.
In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.
While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go.
If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!
Implementing Key Mirroring in Alliance Key Manager
Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.
Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.
Alliance Key Manager documentation for vSphere can be found here.
You can download Alliance Key Manager and get started right away. Here is where to go to start the process.
Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.