The aim of this guide is to explain the implementation details of vSphere Native Key Provider and then perform a virtual machine encryption in the OVHcloud Hosted Private Cloud powered by VMware solution.
Find out how to implement virtual machine encryption using vSphere Native Key Provider.
Requirements
- a Hosted Private Cloud powered by VMware solution
- You must be logged in to your OVHcloud Control Panel
- access to the vSphere management interface
- you must have vSphere version and hosts Version 7.0, Update 2 minimum
- to date, the replication solution Zerto is not compatible with encryption (encrypted VMs cannot be replicated)
Introduction
vSphere Native Key provider allows you to encrypt virtual machines, enable vTPM in virtual machines, or enable data-at-rest encryption on vSAN, without the need for an external KMS (Key Management Server).
You can export the vSphere Native Key provider key and import it again on another cluster.
In detail, when encrypting a virtual machine, the ESXi host generates a DEK key, which will be used to encrypt the virtual machine's files and its data. The DEK key is encrypted using the key generated by vSphere Native Key provider. This encrypted DEK is stored with the virtual machine. You can find more details on VMware encryption by referring to the official documentation here:
- VMware vSphere Native Key Provider Overview
- VMware documentation of the encryption process on vSphere
- VMware vSphere Native Key Provider documentation
Instructions
Authorizing a user to administer encryption on a Hosted Private Cloud cluster powered by VMware
Log in to the OVHcloud Control Panel:
- Click on
Hosted Private Cloud
. - Click
VMware
. - Select your cluster.
- Go to
Users
. - Click the
...
andEdit
.
Enable Encryption Management
and click Confirm
.
Wait until the change window disappears.
Encryption management rights have been changed, as can be seen in the Encryption management
column.
Creating a vSphere Native Key Provider
We will create the encryption key vSphere Native Key Provider. This key can be used to encrypt files on a virtual machine. If you want to add a virtual device vTPM, it is mandatory to encrypt the VM.
Log in to the vSphere interface. If you need help with this, please refer to our guide on Accessing the vSphere interface (/pages/cloud/private-cloud/vsphere_interface_connexion).
Click on the root of the cluster
in the top left-hand corner, then click on the Configure
tab and choose Key Providers
.
Click the ADD
button and choose Add Native Key Provider
from the menu.
Type a name in Name
.
Use key provider only with TPM protected ESXi hosts (recommended)
box.Click ADD KEY PROVIDER
.
Click the BACK-UP
button on the left to back up the key outside the cluster.
Select the checkbox on the left to password protect the backup.
Type a password
and confirm it
. Then select the I have saved the password in a secure place
box and click BACK UP KEY PROVIDER
.
The key can now be used to encrypt virtual machines.
Encrypting of a virtual machine
We will encrypt a virtual machine and its data.
Right-click on the virtual machine
and from the VM Policies
menu choose Edit VM Storage Policies
.
From the VM Storage Policies
drop-down menu, choose VM Encryption Policy
and click OK
.
In the virtual machine properties, click the Summary
tab. You will see a padlock
followed by the text Encrypted with a native key provider
indicating that the VM is encrypted.
Migrating an existing encryption solution to vSphere Native Key provider
Some OVHcloud customers use an encryption solution with external KMS keys. Encryption can be migrated to vSphere Native Key Provider.
Follow the instructions below to migrate an encrypted virtual machine with a key generated by an external KMS named cluster to a vSphere Native Key Provider key named MY-NKP.
In the vSphere console for your cluster.
- Click on the
cluster root
in the top left-hand corner. - Go to the top in the
Configure
tab. - Click
Key Providers
in the vertical bar. - Select the
vSphere Native Key provider
key. - Click
SET AS DEFAULT
.
Confirm your choice by clicking SET AS DEFAULT
.
The vSphere Native Key Provider key is then set by default.
Click the virtual machine
and go to Summary
tab. This virtual machine uses the standard key provider
. We will change the encryption of this virtual machine.
In the vSphere client, right-click on the virtual machine
that needs to be encrypted again. In the VM Policies
menu entry, choose Re-encrypt
.
The new encryption takes a few milliseconds because the operation performed is only a renewal of the encryption of the DEK key. This key is now encrypted using the new vSphere Native Key Provider key.
Click the virtual machine
on which the encryption has been changed and go to the Summary
tab. You can see that encryption uses a native key provider next to the padlock.
Encrypting a Datastore of a vSAN cluster
You can encrypt the Datastore of a vSAN cluster instead of the virtual machines.
Through your vSphere interface, go to your vSAN cluster
on the right, select the Configure
tab, scroll to Data Services and click EDIT
.
Enable Data-At-Rest encryption
, check Wipe residual Data
, choose your Key Provider
, and click APPLY
.
Go back to Data Services and you will see that Data encryption at rest is enabled with your key.
Go further
For more information and tutorials, please see our other Hosted Private Cloud support guides or explore the guides for other OVHcloud products and services.