Enable/disable VM encryption

VMware vSphere 6.5 introduced VM encryption: the VM home files (such as the .vmx configuration file and the swap file) and the virtual disks (VMDK) are encrypted at rest by the ESXi host, so the stored VM data can no longer be read by simply browsing the datastore or copying the files elsewhere. Only the key of the VM, held by the key management server and released to the host through vCenter, makes the data readable.

To allow VM encryption, the following components are needed:

No additional or specific hardware is required for the encryption/decryption operations, but processors that support the AES-NI instruction set are recommended to keep the performance impact low. AES-NI must be enabled in the host BIOS/UEFI firmware, because ESXi cannot use the instructions if the firmware leaves them disabled.

VM encryption is controlled by VM storage policies (see Chapter 3, Configure and Administer vSphere 6.x Storage, for more information). To change the storage policy of a VM, follow this procedure:

  1. From the vSphere Web Client, right-click on the VM to encrypt (the VM must be powered off). Navigate to VM Storage Policies | Edit VM Storage Policies.
  2. From the VM storage policy drop-down menu, select the VM Encryption Policy option to encrypt the VM:

Figure 1.29: Encrypting a VM
  3. When the encryption process has completed, the VM Hardware area in the VM's Summary tab will display the Encryption field, which indicates which components (VM home files and individual disks) are encrypted.
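The same procedure can be scripted with PowerCLI, which is also the easiest way to check the result on more than one VM. The following block is an added example and not code from the book: it applies the VM Encryption Policy through SPBM to the VM home and every disk, after checking that the VM is powered off and that the host is able to encrypt, and then verifies that a key ID has been attached to the VM home and to each disk. It assumes PowerCLI 6.5 or later with an established Connect-VIServer session, a KMS already trusted by vCenter, and that the VM name and policy name are placeholders.

```powershell
# Added example (not from the book): encrypt an existing VM via its SPBM policy and verify it.
# Assumes PowerCLI 6.5+ with the VMware.VimAutomation.Storage module loaded, an active
# Connect-VIServer session and a KMS already configured. $vmName and $policyName are placeholders.

$vmName     = 'app01'                  # placeholder VM name
$policyName = 'VM Encryption Policy'   # default policy name in vSphere 6.5

$vm = Get-VM -Name $vmName

# Existing files can only be encrypted while the VM is powered off.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "Power off $vmName before encrypting it (current state: $($vm.PowerState))."
}

# Check the host's encryption mode. 'safe' means encryption mode is enabled; 'prepared'
# means vCenter can enable it on the fly (this is where Register host is needed);
# 'incapable' means the host cannot encrypt at all.
$esx = Get-VMHost -VM $vm
$cryptoState = $esx.ExtensionData.Runtime.CryptoState
Write-Host "Host $($esx.Name) crypto state: $cryptoState"
if ($cryptoState -eq 'incapable') {
    throw "Host $($esx.Name) cannot perform encryption (check the KMS trust and the ESXi version)."
}

# Step 2 of the procedure: apply the encryption policy to the VM home and to all of its disks.
$policy = Get-SpbmStoragePolicy -Name $policyName
$vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null
Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

# Step 3 of the procedure, done through the API instead of the Summary tab: an encrypted VM home
# has Config.KeyId set, and each encrypted disk carries its own KeyId in its backing object.
$cfg = (Get-VM -Name $vmName).ExtensionData.Config
if (-not $cfg.KeyId) { throw "VM home of $vmName is not encrypted." }
Write-Host "VM home encrypted with key $($cfg.KeyId.KeyId) from KMS cluster $($cfg.KeyId.ProviderId.Id)"

$cfg.Hardware.Device |
    Where-Object { $_ -is [VMware.Vim.VirtualDisk] } |
    ForEach-Object {
        $label = $_.DeviceInfo.Label
        if ($_.Backing.KeyId) {
            Write-Host "$label encrypted with key $($_.Backing.KeyId.KeyId)"
        } else {
            Write-Warning "$label is NOT encrypted"   # a disk left on another policy stays in clear
        }
    }
```

The final loop is the check worth keeping as a scheduled report: a disk added later, or a disk on a datastore whose policy was changed by hand, shows up without a key ID even though the VM as a whole is listed as encrypted.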

There are several recommendations for working with encrypted VMs, but the most important are as follows:

  • If the PSC or vCenter Server are deployed as VMs, don't encrypt them. vCenter is the client that obtains the keys from the key management server and pushes them to the hosts, so an encrypted vCenter that is powered off cannot get its own key back and cannot be started.
  • Never edit the .vmx files or the .vmdk descriptor files of encrypted VMs by hand: they hold the key references and encryption metadata, and a manual edit can make the VM unrecoverable.

To perform the preceding operations, you will need the required privileges, as follows:

  • Cryptographic operations.Encrypt new
  • Cryptographic operations.Decrypt
  • Cryptographic operations.Register host (if the host encryption mode is not enabled)

Note that encrypted VMs can be a challenge for backup products: a backup taken at the file level would only capture ciphertext, which cannot be indexed or restored granularly. vSphere therefore allows a backup user holding the appropriate cryptographic privilege to read the disk contents in clear form during the backup, so the backup product can index the data and restore individual files. Several backup products already support this. The consequence is that the backup repository then holds the VM data in clear text, so it must be protected (encrypted and access-controlled) at least as well as the VM itself.

For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-5E2C3F74-38C1-44C3-ABC5-C2C9353B9DC4.html).