How Virtual Machine Encryption Protects a Datacenter
With vSphere virtual machine encryption, you can create encrypted virtual machines and encrypt existing ones. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.
What Keys are Used
Two types of keys are used for encryption: a key encryption key (KEK), which vCenter Server retrieves from the KMS, and internal data encryption keys (DEKs), which are stored in an encrypted bundle that the KEK unlocks.
What Is Encrypted
Virtual machine encryption supports encrypting virtual machine files, virtual disk files, and core dump files.
Virtual Machine Files
Most virtual machine files, in particular guest data that is not stored in the VMDK file, are encrypted. This set of files includes, but is not limited to, the NVRAM (memory), VSWP (swap), and VMSN (snapshot) files. The key that vCenter Server retrieves from the KMS unlocks an encrypted bundle in the VMX file that contains the internal keys and other secrets.
If you use the vSphere Web Client to create an encrypted virtual machine, all virtual disks are encrypted by default. For other encryption tasks, such as encrypting an existing virtual machine, you can encrypt and decrypt virtual disks separate from virtual machine files.
Virtual Disk Files
Data in an encrypted virtual disk (VMDK) file is never written in cleartext to storage or physical disk, and is never transmitted over the network in cleartext. The VMDK descriptor file is mostly cleartext, but it contains the key ID of the KEK and the internal key (DEK) in the encrypted bundle.
You can use the vSphere API to perform either a shallow recrypt operation with a new KEK, or a deep recrypt operation with new internal keys.
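The following is an added example, not VMware's code, that models the key hierarchy described above: a KEK obtained from a key server wraps a per-disk DEK, only the KEK's key ID and the wrapped DEK appear in the cleartext descriptor, and the disk payload is encrypted under the DEK. It then shows the difference between a shallow recrypt (new KEK, payload untouched) and a deep recrypt (new DEK, every block rewritten). The KeyServer class, the descriptor layout, and the hash-based toy cipher are all assumptions made for illustration; real implementations use AES, not a SHA-256 keystream.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only (not AES):
    XOR data with SHA-256(key || nonce || block counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block_key))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is rejected, not silently garbled."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return keystream_xor(key, nonce, ct)


class KeyServer:
    """Hypothetical stand-in for the KMS: issues KEKs and looks them up by key ID."""

    def __init__(self) -> None:
        self.keks: dict[str, bytes] = {}

    def new_kek(self) -> str:
        key_id = "kek-" + secrets.token_hex(4)
        self.keks[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id: str) -> bytes:
        return self.keks[key_id]


def create_encrypted_disk(kms: KeyServer, guest_data: bytes):
    """Returns (descriptor, payload). The descriptor is cleartext apart from
    the wrapped DEK; the payload is encrypted under the DEK only."""
    key_id = kms.new_kek()
    dek = secrets.token_bytes(32)
    descriptor = {"kek_id": key_id, "wrapped_dek": seal(kms.get(key_id), dek)}
    payload = seal(dek, guest_data)
    return descriptor, payload


def read_disk(kms: KeyServer, descriptor: dict, payload: bytes) -> bytes:
    """Fetch the KEK by ID, unwrap the DEK, then decrypt the payload."""
    dek = unseal(kms.get(descriptor["kek_id"]), descriptor["wrapped_dek"])
    return unseal(dek, payload)


def can_unwrap(kek: bytes, descriptor: dict) -> bool:
    """True if this KEK still unwraps the DEK stored in the descriptor."""
    try:
        unseal(kek, descriptor["wrapped_dek"])
        return True
    except ValueError:
        return False


def shallow_recrypt(kms: KeyServer, descriptor: dict, payload: bytes):
    """New KEK, same DEK: only the descriptor changes; the payload is not rewritten."""
    dek = unseal(kms.get(descriptor["kek_id"]), descriptor["wrapped_dek"])
    new_id = kms.new_kek()
    return {"kek_id": new_id, "wrapped_dek": seal(kms.get(new_id), dek)}, payload


def deep_recrypt(kms: KeyServer, descriptor: dict, payload: bytes):
    """New DEK (and, in this model, a new KEK too): the whole payload is re-encrypted."""
    return create_encrypted_disk(kms, read_disk(kms, descriptor, payload))


def demo() -> bool:
    kms = KeyServer()
    guest = b"constructed sample guest data; nothing here should reach disk in clear"
    desc, payload = create_encrypted_disk(kms, guest)
    assert guest not in payload                      # DEK-encrypted at rest
    d2, p2 = shallow_recrypt(kms, desc, payload)
    assert p2 == payload and d2["kek_id"] != desc["kek_id"]
    d3, p3 = deep_recrypt(kms, d2, p2)
    assert p3 != p2                                  # blocks rewritten under new DEK
    return read_disk(kms, d3, p3) == guest


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The operational point the model makes visible: a shallow recrypt is cheap because it touches only the descriptor's wrapped DEK, so it is the right response to rotating or revoking a KMS key, while a deep recrypt is what you need if the DEK itself is suspected compromised, since only then is every block rewritten.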
Core Dump Files
Core dumps on an ESXi host that has encryption mode enabled are always encrypted. You can decrypt and password-protect ESXi core dumps using the crypto-util command-line tool on the ESXi host.
What Is Not Encrypted
Some files that are associated with a virtual machine are not encrypted, or are only partially encrypted.
Log Files
Log files are not encrypted because they should not contain sensitive data.
Virtual Machine Configuration Files
Most of the virtual machine configuration information, stored in the VMX and VMSD files, is not encrypted. Information about the KMS and the key ID is visible in those files.
Virtual Disk Descriptor File
To support disk management without a key, most of the virtual disk descriptor file is not encrypted.
Who Can Perform Cryptographic Operations
Only users who are assigned the Cryptographic Operations privileges can perform cryptographic operations. The privilege set is fine grained; see the vSphere Security guide. The default Administrator system role includes all Cryptographic Operations privileges. A new system role, No Cryptography Administrator, supports all Administrator privileges except for the Cryptographic Operations privileges.
You can create additional custom roles, for example, to allow a group of users to encrypt virtual machines but to prevent them from decrypting virtual machines.
For a full list of privileges, see section “Cryptographic Operations Privileges” in the vSphere Security manual.
How Can I Perform Cryptographic Operations
The vSphere Web Client supports many cryptographic operations. For other tasks, you must use the API.
The vSphere Security guide.
Command-line help and the vSphere Security guide.