vSAN Encryption Explained
vSAN can encrypt data in two places: while it moves between hosts (data-in-transit encryption) and while it sits on the storage devices that make up the vSAN datastore (data-at-rest encryption). Data-in-transit encryption protects traffic on the vSAN network between the hosts of a cluster. Data-at-rest encryption protects what is written to the cache and capacity devices, so the data stays unreadable even when a device is pulled out of the cluster.
Benefits of vSAN Encryption
- Provides data-at-rest encryption for all objects on the vSAN datastore,
- Configured per cluster, so each cluster can have its own settings,
- Supports hybrid, all-flash, stretched and two-node clusters,
- No need for self-encrypting drives (encryption is done in software by the hosts),
- Works together with all other vSAN features, deduplication and compression included.
vSAN Data-In-Transit Encryption
vSAN can encrypt data in transit, that is, while it travels between the hosts of a vSAN cluster. Once enabled, this encrypts all data and metadata traffic between hosts with AES-256. Data-in-transit encryption is independent of data-at-rest encryption: either one can be enabled or disabled on its own.
Key characteristics of vSAN data-in-transit encryption: it provides forward secrecy, so traffic recorded today cannot be decrypted if a host's long-term keys are compromised later; traffic between data hosts and witness hosts, vSAN file service data traffic and the inter-host connections used by vSAN file services are all encrypted; and the session keys are generated dynamically by the hosts when a connection is established, so no separate key management server is needed.
Hosts are authenticated as well: each host is authenticated when it joins the cluster, so connections are only established with trusted hosts, and when a host is removed from the cluster its authentication certificate is revoked. Data-in-transit encryption is a cluster-wide setting that covers all data and metadata traffic between the hosts of the vSAN cluster.
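The three properties above (a fresh key for every connection, authentication of the peer's identity, revocation when a host leaves) are easier to see in code. The following Go program is an added example written for this article; it is not vSAN's wire protocol or any VMware code. It models each host with an Ed25519 identity key standing in for the certificate issued at cluster join, an ephemeral X25519 exchange per connection, a `Cluster` trust set with `Join` and `Revoke`, and a SHA-256 key derivation; all of these names and choices are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Host is an ESXi host as this example assumes it: one long-lived identity key
// (standing in for its cluster certificate) and no long-lived transport key.
type Host struct {
	idPub  ed25519.PublicKey
	idPriv ed25519.PrivateKey
}

func NewHost() *Host {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Host{idPub: pub, idPriv: priv}
}

// Offer is what a host sends at connection setup: a fresh X25519 public key
// signed with its identity key, so the peer can check who generated it.
type Offer struct {
	EphPub []byte
	Sig    []byte
	IDPub  ed25519.PublicKey
}

// newOffer generates the per-connection ephemeral key pair.
func (h *Host) newOffer() (*ecdh.PrivateKey, Offer) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	return eph, Offer{EphPub: pub, Sig: ed25519.Sign(h.idPriv, pub), IDPub: h.idPub}
}

// Cluster is the set of identity keys currently trusted; Revoke models the
// certificate revocation that happens when a host is removed from the cluster.
type Cluster struct{ members map[string]bool }

func NewCluster() *Cluster        { return &Cluster{members: map[string]bool{}} }
func (c *Cluster) Join(h *Host)   { c.members[string(h.idPub)] = true }
func (c *Cluster) Revoke(h *Host) { delete(c.members, string(h.idPub)) }

// deriveSession authenticates the peer's offer and derives this side's session
// key. The KDF is a bare SHA-256 of the shared secret (assumption; real protocols use HKDF).
func (c *Cluster) deriveSession(mine *ecdh.PrivateKey, peer Offer) ([]byte, error) {
	if !c.members[string(peer.IDPub)] {
		return nil, errors.New("peer identity not trusted (never joined or revoked)")
	}
	if !ed25519.Verify(peer.IDPub, peer.EphPub, peer.Sig) {
		return nil, errors.New("ephemeral key not signed by the claimed identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// Connect runs one connection setup between a and b and returns the session key
// each side computed. Both ephemeral private keys are dropped on return.
func (c *Cluster) Connect(a, b *Host) (keyA, keyB []byte, err error) {
	ephA, offerA := a.newOffer()
	ephB, offerB := b.newOffer()
	if keyA, err = c.deriveSession(ephA, offerB); err != nil {
		return nil, nil, err
	}
	if keyB, err = c.deriveSession(ephB, offerA); err != nil {
		return nil, nil, err
	}
	return keyA, keyB, nil
}

func main() {
	h1, h2 := NewHost(), NewHost()
	c := NewCluster()
	c.Join(h1)
	c.Join(h2)
	k1, _, _ := c.Connect(h1, h2)
	k2, _, _ := c.Connect(h1, h2)
	fmt.Printf("fresh session key per connection: %v\n", string(k1) != string(k2))
	c.Revoke(h2)
	_, _, err := c.Connect(h1, h2)
	fmt.Println("after h2 is removed from the cluster:", err)
}
```

The point to take away is where the keys live: the identity key is only ever used to sign, the ephemeral private keys exist for the duration of `Connect`, and the session key is a function of two ephemeral secrets that are never stored. That is what forward secrecy means here: an attacker who records the traffic and later steals a host's identity key has nothing to decrypt it with. Revocation is equally simple in the model: once the identity leaves the trust set, no new connection to that host can be authenticated.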
vSAN Data-At-Rest Encryption
Just like data-in-transit encryption, vSAN can encrypt data at rest in the vSAN datastore.
Everything written to the cache and capacity devices is encrypted, so a device removed from the cluster, whether a failed drive sent back for replacement or a disk from a decommissioned host, carries only ciphertext.
Before enabling data-at-rest encryption on a vSAN cluster, the environment has to be prepared: either register an external Key Management Server (KMS) with vCenter Server or use the vSphere Native Key Provider.
With an external KMS, the KMS generates and stores the encryption keys. vCenter Server requests keys from the KMS but keeps only their IDs, never the keys themselves, and passes those IDs to the ESXi hosts together with what they need to reach the KMS. The hosts then retrieve the keys from the KMS directly, so the key material is not stored in vCenter Server.
Now let's see how the keys are requested, created, distributed and used. The most important thing to configure before enabling vSAN encryption is adding the KMS to vCenter Server. This process is described here.
Key generation process:
- vCenter Server requests a key encryption key (KEK) from the KMS. The KEK is an AES-256 key; only its ID is stored in vCenter Server.
- vCenter Server shares the KEK ID with all hosts in the cluster.
- Each host requests the KEK from the KMS using that ID. The host keeps the KEK in memory only and never writes it to disk; after a reboot it fetches the KEK again by ID.
- Each host generates a random data encryption key (DEK) for every cache and capacity drive, encrypts (wraps) the DEK with the KEK and stores only the wrapped DEK on the drive.
- Data on the drives is encrypted with the DEKs (AES-256 XTS); the whole vSAN datastore is now encrypted.
After encrypting the datastore, keep an eye on the encryption status in vSphere (the vSAN health checks include encryption checks, among them the connection from vCenter Server and the hosts to the key provider) to make sure data-at-rest encryption stays enabled and working. If the keys expire or have to be rotated, the process starts again from the top: a shallow rekey requests a new KEK and rewraps the existing DEKs, while a deep rekey also generates new DEKs and re-encrypts all data.
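The following Go program is an added example, written for this article rather than taken from vSAN or VMware, that models the key hierarchy and the rekey described above: a `KMS` that owns the KEKs, a `VCenter` that records only the KEK ID, a `Host` that fetches the KEK by ID at boot and holds it in memory only, one random DEK per `Disk` wrapped under the KEK, and a `ShallowRekey` that rewraps the DEKs under a new KEK without touching the data. The type names, `BootHost`, `ShallowRekey`, the `kek-N` IDs and the AES-GCM wrapping are assumptions of the model; vSAN encrypts disk data with AES-256 XTS, which Go's standard library does not provide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal and open are AES-256-GCM with the 12-byte nonce prepended; GCM stands in
// for vSAN's AES-256 XTS. Every key here is 32 bytes, so NewCipher cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}
func seal(key, plaintext []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// KMS models the external key provider: the only component that stores KEKs.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }
func (k *KMS) CreateKEK() string {
	id := fmt.Sprintf("kek-%d", len(k.keks)+1) // assumed ID scheme
	k.keks[id] = randomBytes(32)               // AES-256 KEK
	return id
}
func (k *KMS) Fetch(id string) ([]byte, error) {
	if kek, ok := k.keks[id]; ok {
		return kek, nil
	}
	return nil, fmt.Errorf("KMS: unknown key ID %q", id)
}

// VCenter records the KEK ID only. Disk is what sits on a drive: the wrapped DEK
// plus data encrypted under the DEK. Host holds the KEK in memory only.
type VCenter struct{ KEKID string }
type Disk struct{ WrappedDEK, Data []byte }
type Host struct{ kek []byte }

// BootHost is the host fetching the KEK from the KMS by the ID vCenter gave it.
func BootHost(kms *KMS, vc *VCenter) (*Host, error) {
	kek, err := kms.Fetch(vc.KEKID)
	return &Host{kek: kek}, err
}

// NewDisk generates a per-disk DEK, wraps it under the KEK and encrypts the data.
func (h *Host) NewDisk(plaintext []byte) *Disk {
	dek := randomBytes(32)
	return &Disk{WrappedDEK: seal(h.kek, dek), Data: seal(dek, plaintext)}
}

// Read unwraps the DEK with the KEK, then decrypts the data; a wrong KEK fails.
func (h *Host) Read(d *Disk) ([]byte, error) {
	dek, err := open(h.kek, d.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return open(dek, d.Data)
}

// ShallowRekey takes a new KEK from the KMS and rewraps every DEK under it; the
// DEKs and the encrypted data are left alone (a deep rekey would replace both).
func ShallowRekey(kms *KMS, vc *VCenter, h *Host, disks []*Disk) error {
	newID := kms.CreateKEK()
	newKEK, _ := kms.Fetch(newID) // just created, so it cannot be missing
	for _, d := range disks {
		dek, err := open(h.kek, d.WrappedDEK)
		if err != nil {
			return err
		}
		d.WrappedDEK = seal(newKEK, dek)
	}
	vc.KEKID, h.kek = newID, newKEK
	return nil
}

func main() {
	kms := NewKMS()
	vc := &VCenter{KEKID: kms.CreateKEK()}
	h, _ := BootHost(kms, vc)
	disk := h.NewDisk([]byte("vm-01.vmdk payload (constructed)"))
	_, err := (&Host{kek: randomBytes(32)}).Read(disk) // pulled drive, wrong KEK
	fmt.Println("readable without the cluster's KEK:", err == nil)
	fmt.Println("shallow rekey error:", ShallowRekey(kms, vc, h, []*Disk{disk}))
}
```

What the model makes visible is the separation of duties the text describes: the drive carries only ciphertext and a wrapped DEK, vCenter Server carries only a key ID, and a host that cannot reach the KMS after a reboot has nothing to decrypt with. It also shows why a shallow rekey is cheap (only the small wrapped DEKs are rewritten) and why a host still holding the old KEK is locked out after one.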