Enabling virtual machine encryption with vSphere Native Key Provider (EN)

Find out how to implement virtual machine encryption with vSphere Native Key Provider

Last updated 26th January 2023

Objective

The aim of this guide is to explain the implementation details of vSphere Native Key Provider and then perform a virtual machine encryption in the OVHcloud Hosted Private Cloud powered by VMware solution.

Find out how to implement virtual machine encryption using vSphere Native Key Provider.

OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they work properly.

This guide is designed to assist you as much as possible with common tasks. Nevertheless, we recommend contacting a specialist provider if you experience any difficulties or doubts when it comes to managing, using or setting up a service on a server.

Requirements

Your Hosted Private Cloud powered by VMware cluster may not be in version 7.0 Update 2. If so, please contact support to upgrade your infrastructure.

Presentation

vSphere Native Key provider allows you to encrypt virtual machines, enable vTPM in virtual machines, or enable data-at-rest encryption on vSAN, without the need for an external KMS (Key Management Server).

You can export the vSphere Native Key provider key and import it again on another cluster.

In detail, when encrypting a virtual machine, the ESXi host generates a DEK key, this key will be used to encrypt the virtual machine's files and therefore its data. The DEK key is encrypted using the key generated by vSphere Native Key provider. This encrypted DEK is stored with the virtual machine. You can find more details on VMware encryption by referring to the official documentation in the [Go further](#gofurther) section of this guide.

Instructions

Authorising a user to administer encryption on a Hosted Private Cloud cluster powered by VMware

Log in to the OVHcloud Control Panel, click on Hosted Private Cloud and choose your cluster. Go to Users and click the ...

00 add right from manager 01

Click Edit.

00 add right from manager 02

Enable Encryption Management and click Confirm.

00 add right from manager 03

Wait until the change window disappears.

00 add right from manager 04

Encryption management rights have been changed, as can be seen in the Encryption management column.

00 add right from manager 05

Creating a vSphere Native Key Provider

We will create the encryption key vSphere Native Key Provider. This key can be used to encrypt files on a virtual machine. If you want to add a virtual device vTPM, it is mandatory to encrypt the VM.

Log in to the vSphere interface. If you need help with this, please refer to our guide on Accessing the vSphere interface (https://docs.ovh.com/es/private-cloud/instalar_el_vsphere_client/).

Click on the root of the cluster in the top left-hand corner, then click on the Configure tab and choose Key Providers.

01 Create KEY 01

Click the ADD button and choose Add Native Key Provider from the menu.

01 Create KEY 02

Type a name in Name.

If your Private Cloud solution is older than Premier Hosted Private Cloud powered by VMware, untick the Use key provider only with TPM protected ESXi hosts (recommended) box.

Click ADD KEY PROVIDER.

01 Create KEY 03

Click the BACK-UP button on the left to back up the key outside the cluster.

01 Create KEY 04

Select the checkbox on the left to password protect the backup.

01 Create KEY 05

Type a password and confirm it. Then select the I have saved the password in a secure place box and click BACK UP KEY PROVIDER.

01 Create KEY 06

The key can now be used to encrypt virtual machines.

01 Create KEY 07

Encrypting of a virtual machine

We will encrypt a virtual machine and its data.

Encryption of a virtual machine can only be performed when the virtual machine is turned off.

Right-click on the virtual machine and from the VM Policies menu choose Edit VM Storage Policies.

02 encrypt VM 01

From the VM Storage Policies drop-down menu, choose VM Encryption Policy and click OK.

02 encrypt VM 02

In the virtual machine properties, click the Summary tab. You will see a padlock followed by the text Encrypted with a native key provider indicating that the VM is encrypted.

02 encrypt VM 03

Migrating an existing encryption solution to vSphere Native Key provider

Some OVHcloud customers use an encryption solution with external KMS keys. Encryption can be migrated to vSphere Native Key Provider.

Follow the instructions below to migrate an encrypted virtual machine with a key generated by an external KMS named cluster to a vSphere Native Key Provider key named MY-NKP.

In the vSphere console for your cluster, click on the cluster root in the top left-hand corner.
Go to the top in the Configure tab.
Click Key Providers in the vertical bar, go to the vSphere Native Key provider key and click SET AS DEFAULT.

03 migrate-from-kms-to-vnkp 01

Confirm your choice by clicking SET AS DEFAULT.

03 migrate-from-kms-to-vnkp 02

The vSphere Native Key Provider key is then set by default.

03 migrate-from-kms-to-vnkp 03

Click the virtual machine and go to Summary tab. This virtual machine uses the standard key provider. We will change the encryption of this virtual machine.

03 migrate-from-kms-to-vnkp 04

In the vSphere client, right-click on the virtual machine that needs to be encrypted again. In the VM Policies menu entry, choose Re-encrypt.

The operation related to the new encryption can be done with the virtual machine turned on because only the DEK key is encrypted again.

03 migrate-from-kms-to-vnkp 05

The new encryption takes a few milliseconds because the operation performed is only a renewal of the encryption of the DEK key. This key is now encrypted using the new vSphere Native Key Provider key.

03 migrate-from-kms-to-vnkp 06

Click the virtual machine on which the encryption has been changed and go to the Summary tab. You can see that encryption uses a native key provider next to the padlock.

03 migrate-from-kms-to-vnkp 07

Encrypting a Datastore of a vSAN cluster

You can encrypt the Datastore of a vSAN cluster instead of the virtual machines.

Through your vSphere interface, go to your vSAN cluster on the right, select the Configure tab, scroll to Data Services and click EDIT.

Activate vSAN data at rest encryption 01

Enable Data-At-Rest encryption, check Wipe residual Data, choose your Key Provider and click APPLY.

A warning will inform you that a performance problem may occur when you enable these settings. Please ignore it.

Activate vSAN data at rest encryption 02

Go back to Data Services and you will see that Data encryption at rest is enabled with your key.

Activate vSAN data at rest encryption 03

Go further

VMware vSphere Native Key Provider Overview

VMware documentation of the encryption process on vSphere

VMware vSphere Native Key Provider documentation

Join our community of users on https://community.ovh.com/en/.


¿Le ha resultado útil esta guía?

Si lo desea, también puede enviarnos sus sugerencias para ayudarnos a mejorar nuestra documentación.

Imágenes, contenido, estructura...: ayúdenos a mejorar nuestra documentación con sus sugerencias.

No podemos tratar sus solicitudes de asistencia a través de este formulario. Para ello, haga clic en "Crear un tíquet" .

¡Gracias! Tendremos en cuenta su opinión.

OVHcloud Community

¡Acceda al espacio de la OVHcloud Community! Resuelva sus dudas, busque información, publique contenido e interactúe con otros miembros de la comunidad.

Discuss with the OVHcloud community

A partir del 1 de enero de 2015, con arreglo a la Directiva 2006/112/CE modificada, los precios IVA incluido pueden variar según el país de residencia del cliente (por defecto, los precios con IVA incluyen el IVA español vigente).