PowerProtect: Protection with VMware vSphere virtual machine (VM) encryption

Summary: This article guides readers through the process of implementing VMware vSphere Virtual Machine (VM) encryption using either the Native Key Provider or Standard Key Provider. The focus is on enabling encryption at rest for PowerProtect. The content covers the background of data-at-rest encryption, details about VMware vSphere's Native Key Provider and Standard Key Provider. ...


Instructions

Background

Data-at-rest encryption is a security measure designed to safeguard sensitive information stored on disk or other storage media. Here it is implemented with VMware vSphere VM encryption, a feature that encrypts the VM, its associated files, virtual disks, and snapshots. Encryption occurs at the hypervisor level, so all data within a VM is encrypted. VM encryption relies on a key provider to securely store and manage encryption keys; keeping the keys separate from the hypervisor enhances security. Among the available key providers, the VMware Native Key Provider and the Standard Key Provider are commonly used.

PowerProtect Configuration

PowerProtect has no specific configuration settings to enable or disable VM encryption; the settings are taken from the VMware vSphere environment. The details below provide guidance on the key providers that can be used, how to enable or disable encryption, and how to check the encryption settings. This information is provided for general guidance only. Refer to the VMware documentation for the specific version before attempting any changes.

Native Key Provider

1. Overview:

The VMware vSphere Native Key Provider is an integrated key management solution for encrypting virtual machine disks and storage entities.

2. Features:

  • Built-in integration with VMware vSphere environments
  • Available in vSphere 7.0 Update 2 and later
  • Quick setup: no external key server is required

3. Steps to Add Native Key Provider:

  1. Log in to the VMware vSphere Client, browse the Inventory, select the vCenter server, click "Configure," and under "Security," click "Key Providers."
  2. Click "Add," select "Add Native Key Provider," complete the required information, and click "ADD KEY PROVIDER."
  3. Check the box "Use key provider only with TPM protected ESXi hosts (Recommended)" if a Trusted Platform Module (TPM) 2.0 is available and configured on the host.
  4. Select the added key provider and click "BACK UP."
  5. Check the box "Protect Native Key Provider data with password (Recommended)" and click "BACK UP KEY PROVIDER" to create the password.
  6. Enter a password, confirm that the password is saved in a secure place, and click "BACK UP KEY PROVIDER."
  7. The result is a .p12 file, saved automatically in the Downloads directory.

Standard Key Provider

1. Overview:

The Standard Key Provider is a versatile option enabling integration with external key management solutions.

2. Features:

  • External Integration: Supports integration with third-party key management solutions
  • VMware Requirement: Available in VMware vSphere 6.5 and later
  • Customization: Allows customization of key management policies based on organizational needs

3. Steps to Add Standard Key Provider (Using KMS certificate and private key):

To add a key provider to the vCenter Server and establish a trust relationship between the vCenter server and the KMS, follow these steps:

  1. Connect to the vSphere Client, select the vCenter server, click "Configure," and under "Security," click "Key Providers."
  2. Click "Add Standard Key Provider" and enter key provider information (name and KMS details).
  3. Click "ADD KEY PROVIDER," then click "TRUST" to establish trust between the vCenter server and KMS.
  4. Set up the KMS to trust vCenter Server.
  5. Select the added key provider, and then select the KMS to establish trust; select "Make KMS trust vCenter" from the "ESTABLISH TRUST" menu and follow the steps to upload the KMS certificate and private key.
  6. After the upload finishes, click "ESTABLISH TRUST." The UI shows that the KMS is connected to the vCenter server.
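To verify the outcome of either procedure above from the command line, the following PowerCLI report is an added example, not part of the Dell article. It lists, for each VM, whether the VM home and each virtual disk are encrypted and which key provider issued the key, so it applies equally to the Native and the Standard Key Provider. It assumes VMware PowerCLI is installed, the placeholder vCenter name vcenter.example.internal, and the function name Get-VmEncryptionReport, which is my own.

```powershell
# Added example (not from the Dell article): report VM and disk encryption state from PowerCLI.
# Assumes VMware PowerCLI is installed and the account can read VM configuration.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null   # placeholder vCenter name

function Get-VmEncryptionReport {
    param([string]$NamePattern = '*')   # hypothetical helper; wildcard filter on VM name

    foreach ($vm in Get-VM -Name $NamePattern) {
        # Config.KeyId is populated only when the VM home (config files, swap, snapshots) is encrypted.
        $homeKey = $vm.ExtensionData.Config.KeyId
        $disks   = Get-HardDisk -VM $vm
        # A disk is encrypted when its backing carries a KeyId; disks can differ from the VM home.
        $encDisks = @($disks | Where-Object { $null -ne $_.ExtensionData.Backing.KeyId })

        [pscustomobject]@{
            VM             = $vm.Name
            PowerState     = $vm.PowerState
            HomeEncrypted  = [bool]$homeKey
            # ProviderId.Id names the key provider (Native or Standard) that issued the VM key.
            KeyProviderId  = if ($homeKey) { $homeKey.ProviderId.Id } else { '' }
            DisksEncrypted = "$($encDisks.Count)/$($disks.Count)"
            # A mixed state (home encrypted but not every disk, or the reverse) deserves a closer look.
            Mixed          = ([bool]$homeKey -and $encDisks.Count -ne $disks.Count) -or
                             (-not $homeKey -and $encDisks.Count -gt 0)
        }
    }
}

Get-VmEncryptionReport | Sort-Object VM | Format-Table -AutoSize
Disconnect-VIServer -Confirm:$false
```

Run it before and after changing the VM policies to confirm that the expected VM and all of its disks report as encrypted under the intended provider.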


Note: It is recommended to consult the VMware documentation before attempting to enable or disable VM encryption. Several prerequisites and steps are required, and these may change depending on the version in use.

Additional Information

Testing VMware® vSphere® VM Encryption results with PowerProtect

Testing was conducted to confirm the operational status of PowerProtect after enabling VM encryption in VMware vSphere. Both key providers were used during testing. The VM was initially unencrypted; the steps below were taken to encrypt it, and the functionality of PowerProtect was then verified.


Test Case 1: Verifying PowerProtect Operational Status after Enabling VM Encryption with Native Key Provider

Environment Details:

  • Standalone PowerProtect
  • VMware vSphere Client Version: 7.0.3.00500
  • Hypervisor: VMware ESXi, 7.0.3, 21930508
  • TPM is not available on the ESXi host.

The host must be within the cluster. Add the Native Key Provider by following the steps in "Steps to Add Native Key Provider." Proper cryptographic privileges and host version compatibility were verified before proceeding with encryption, and the added key provider was set as the default. The existing VM was then encrypted by editing the VM policies. After the VM was powered on, the operational status of PowerProtect was confirmed by adding asset sources, creating protection policies, and running jobs.

Test Case 2: Verifying PowerProtect Operational Status after Enabling VM Encryption with Standard Key Provider

Environment Details:

  • VMware vSphere Client Version: 7.0.3.00500
  • Standalone PowerProtect
  • KMS Server Type: Keysecure
  • KMS key-class: ppdmdal
  • Key Management Interoperability Protocol (KMIP) 1.1 compliant

The Standard Key Provider was added by following the steps in the "Steps to Add Standard Key Provider" section. The proper cryptographic privileges were confirmed in vCenter before proceeding with encryption. The KMS was set up on vCenter and the default key was added. The VM was encrypted with the default key, and the operational status of PowerProtect was then verified.

Performance testing was conducted on the VM encrypted with the Native Key Provider. Testing was performed on different numbers and types of assets, and the duration and throughput for PowerProtect were recorded with and without encryption. No major performance impact was observed between the encrypted and unencrypted cases.
The results indicate that PowerProtect continues to operate after encryption, demonstrating the integration of encryption into the VMware environment.

Limitations and Reminders

Efficient Encryption Key Management

  • Efficiently managing encryption keys is crucial for the overall security of your environment. Implement robust backup and recovery procedures to mitigate the risk of accidental loss of encryption keys, which could potentially result in data loss.

KMIP Server Configuration and Accessibility

  • Ensure the proper configuration and accessibility of the Key Management Interoperability Protocol (KMIP) server from your VMware infrastructure. This is essential for the smooth functioning of encryption processes and maintaining the integrity of key management.

Potential Impacts on VM Performance

  • Be aware of potential impacts on virtual machine (VM) performance during the encryption process. It is advisable to assess and understand the potential resource utilization and performance implications to ensure a balanced and optimal operation.

Affected Products

PowerProtect Data Manager, PowerProtect Data Manager Essentials

Article Properties
Article Number: 000221879
Article Type: How To
Last Modified: 29 Jan 2026
Version: 3