Enabling Virtual Machine Encryption (VM Encrypt)

Last updated 18th November 2020

Objective

This guide aims to explain the details of implementing VMencrypt on the OVHcloud Managed Bare Metal, using a storage strategy using an external KMS (Key Management Server).

Requirements

• Have a Managed Bare Metal offer.
• Have a external KMIP 1.1 compatible Key management server (KMS) and how are in VMware compatibility matrix VMware
• Access to the vSphere management interface.
• Have virtual machines with at least Hardware version 13

Instructions

Retrieve the certificate thumbprint from the KMS

Depending on your KMS, you can connect to the server using the browser and navigate to → View Certificate → Thumbprint

Extract the value on SHA1 Fingerprint line

Another method with OpenSSL:

openssl s_client -connect 192.0.2.1:5696 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

Here, it is the value on the right side of the equal sign:

> SHA1 Fingerprint=7B:D9:46:BE:0C:1E:B0:27:CE:33:B5:2E:22:0F:00:84:F9:18:C6:61

Register your KMS

With the OVHcloud Control Panel

In your OVHcloud Control Panel, open the "Bare Metal Cloud" section, then select your service under Managed Bare Metal in the left-hand navigation bar.

From the main page of the service, click on the Security tab.

In the section Virtual Machine Encryption Key Management Servers, click on Add a new KMS Server.

In the new window, enter the following information:

• IP address of the KMS
• SSLThumbprint of the KMS
• check the box to agree the correct consideration of this documentation

Then validate with Next.

A last window displays the progress of the task.

With the OVHcloud API

Encryption functions can be enabled through the OVHcloud API.

Get your serviceName:

Check that encryption is not yet enabled:

>     "state": "disabled"

Then perform the registration of the KMS:

You must provide the following information:

• the "serviceName"
• IP address of the KMS
• the SSLThumbprint of the KMS

Add the KMS to the vCenter

About this section

The vCenter Server creates a KMS cluster when you add the first KMS instance.

• When you add the KMS, you are prompted to set this cluster as the default. You can later change the default cluster.
• Once the vCenter has created the first cluster, you can add KMS instances from the same supplier to the cluster.
• You can configure the cluster with a single KMS instance.
• If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.
• If your environment includes several KMS clusters and you delete the default cluster, you must define another one. See defining the default KMS cluster.

Procedure

• Connect to the Managed Bare Metal with the vSphere Web Client.
• Browse the inventory list and select the vCenter.
• Click on Manage then Key Management Servers.
• Click Add KMS, specify the KMS information in the wizard, and then click OK.
• Trust the certificate and click on Trust.

Choose the following options:

• KMS cluster: Select Create new cluster for a new cluster. If a cluster exists, you can select it.
• Cluster name: Name of the KMS cluster. You may need this name to connect to the KMS if your vCenter becomes unavailable. The name of the cluster is very important to be unique and keep a note of the same thing.
• Server alias: Alias for the KMS. You may need this alias to connect to the KMS if your vCenter becomes unavailable.
• Server address: IP address or FQDN of the KMS.
• Server port: Port on which the vCenter server connects to the KMS. The standard KMIP port is 5696. It may vary if the KMS of another supplier is configured on a specific port.
• Proxy address: leave empty
• Proxy port: leave empty
• User name: Some KMS providers allow users to isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this feature and you intend to use it.
• Password: Some KMS providers allow users to isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this feature and you intend to use it.

Import of the KMS certificate

Most KMS providers need a certificate to trust the vCenter.

From the vCenter where we added the KMS server

• Select the KMS server that has been added
• All options → Establish a trust relationship with KMS

Check that the KMS is configured

Check that the Connection Status of the KMS is Normal:

Change the storage policy of "VM Encryption Storage"

Create a virtual machine

Once the VM has been created, right-click on the virtual machine and choose VM Policies → Edit VM Storage Policies.

Select the VM files and other hard disks that need to be encrypted.

Make sure that the tasks are performed without errors.

vMotion encrypted

For vMotion, encryption works at the VM level and for synchronization, 256-bit encryption keys are used.

VMotion traffic encryption works at the VM kernel level with the widely used AES-GCM (Advanced Encryption Standard / Galois Counter Mode) algorithm.

Modify the virtual machine and navigate to VM Options

We must select the options explicitly if we need encrypted vMotion

There are 3 policies for encrypted vMotion:

• Disabled: Off.
• Opportunistic: Encryption only if supported by the source host and ESXi target host, otherwise vMotion will not be encrypted.
• Required: encryption is used.

The movement of machines between hosts is achieved by exchanging unique keys, which are generated and served by the vCenter server, rather than by KMS.

Configuration checks

Go further

Join our community of users on https://community.ovh.com/en/.

These guides might also interest you...