Prerequisites and Required Privileges for Encryption Tasks

Important: ESXi Shell users also have cryptographic operation privileges.

What Storage Does vSphere Virtual Machine Encryption Support

vSphere Virtual Machine Encryption works with any supported storage type (NFS, iSCSI, Fibre Channel, direct-attached storage, and so on), including VMware vSAN. For more information about using encryption on a vSAN cluster, see the Administering VMware vSAN documentation. vSphere Virtual Machine Encryption and vSAN use the same encryption libraries, but they have different profiles: VM Encryption is per-VM encryption, and vSAN encryption is datastore-level encryption.

vSphere Encryption Keys and Key Providers

vSphere uses two levels of encryption in the form of a Key Encryption Key (KEK) and a Data Encryption Key (DEK). Briefly, an ESXi host generates a DEK to encrypt virtual machines and disks. The KEK is provided by a key server and encrypts (or "wraps") the DEK. The KEK is encrypted using the AES256 algorithm, and the DEK is encrypted using the XTS-AES-256 algorithm.

Depending on the type of key provider, different methods are used to create and manage the DEK and KEK.

A standard key provider operates as follows.

1. The ESXi host generates and uses internal keys to encrypt virtual machines and disks.
2. vCenter Server requests keys from the key server (KMS). vCenter Server stores only the ID of each KEK, but not the key itself.
3. ESXi uses the KEK to encrypt the internal keys, and stores the encrypted internal key on disk.
4. If a host reboots, vCenter Server requests the KEK with the corresponding ID from the key server and makes it available to ESXi. ESXi can then decrypt the internal keys as needed.

A vSphere Trust Authority trusted key provider operates as follows.

1. The vCenter Server of the Trusted Cluster checks whether the default trusted key provider is accessible to the ESXi host where the encrypted virtual machine is to be created.
2. The vCenter Server of the Trusted Cluster adds the trusted key provider to the virtual machine ConfigSpec.
3. The virtual machine creation request is sent to the ESXi host.
4. If an attestation token is not already available to the ESXi host, it requests one from the Attestation Service.
5. The Key Provider Service validates the attestation token and creates a KEK to be sent to the ESXi host. The KEK is wrapped (encrypted) with the primary key that is configured on the key provider. Both the KEK ciphertext and the KEK plaintext are returned to the Trusted Host.
6. The ESXi host generates a DEK to encrypt the virtual machine disks. The KEK is used to wrap the DEK generated by the ESXi host, and the ciphertext from the key provider is stored alongside the encrypted data.
7. The virtual machine is encrypted and written to storage.

vSphere Virtual Machine Encryption supports encryption of virtual machine files, virtual disk files, and core dump files. Most virtual machine files, in particular guest data that are not stored in the VMDK file, are encrypted. This set of files includes, but is not limited to, the NVRAM, VSWP, and VMSN files.
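The two-level key hierarchy described above (an ESXi-generated DEK, a KMS-provided KEK that wraps it, vCenter holding only the KEK ID, and the KEK re-fetched by ID after a host reboot) as a runnable model in Python. This is an added example, not VMware code: the key server, vCenter and host roles are constructed stand-ins, it uses the `cryptography` library, and it assumes AES key wrap (RFC 3394) as the KEK-wrapping construction, which the page does not specify.

```python
import os
from dataclasses import dataclass
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed sample "guest data" (e.g. a VSWP page) of one 512-byte sector.
SECTOR = b"constructed guest data not stored in the VMDK".ljust(512, b"\0")

class KeyServer:
    """Stand-in for the external key server (KMS): KEKs addressed by ID."""
    def __init__(self):
        self._keks = {}
    def create_kek(self):
        kek_id = os.urandom(8).hex()
        self._keks[kek_id] = os.urandom(32)  # AES-256 KEK lives only here
        return kek_id
    def get_kek(self, kek_id):
        return self._keks[kek_id]            # KeyError if the KMS lost it

class VCenter:
    """Keeps only the KEK ID per VM, never the KEK bytes."""
    def __init__(self, kms):
        self.kms, self.kek_ids = kms, {}
    def kek_for(self, vm):                   # at creation and after each reboot
        if vm not in self.kek_ids:
            self.kek_ids[vm] = self.kms.create_kek()
        return self.kms.get_kek(self.kek_ids[vm])

@dataclass
class EncryptedVM:
    kek_id: str
    wrapped_dek: bytes   # DEK wrapped under the KEK; this is what sits on disk
    tweak: bytes
    ciphertext: bytes

def encrypt_vm(vm, plaintext, vc):
    """ESXi side: generate the DEK, wrap it with the KEK, encrypt the data."""
    kek = vc.kek_for(vm)
    dek = os.urandom(64)                     # XTS-AES-256 takes a 512-bit key
    tweak = os.urandom(16)
    enc = Cipher(algorithms.AES(dek), modes.XTS(tweak)).encryptor()
    return EncryptedVM(vc.kek_ids[vm], aes_key_wrap(kek, dek), tweak,
                       enc.update(plaintext) + enc.finalize())

def decrypt_vm(vm, evm, vc):
    """After a host reboot: fetch the KEK by ID, unwrap the DEK, decrypt."""
    dek = aes_key_unwrap(vc.kek_for(vm), evm.wrapped_dek)
    dec = Cipher(algorithms.AES(dek), modes.XTS(evm.tweak)).decryptor()
    return dec.update(evm.ciphertext) + dec.finalize()
```

The on-disk record carries only the wrapped DEK and the KEK ID, so a host that loses access to the key server cannot recover the guest data, which is the availability risk the KMS dependency creates.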