Dell VxRail Architecture Overview

VM encryption

VM encryption provides the flexibility to enable encryption on a per-VM basis, which means that a single cluster can have encrypted and nonencrypted VMs. VM encryption follows the VM wherever it is hosted. So even if the VM were moved to a data store outside VxRail, it would remain encrypted. For more information, see Virtual Machine Encryption.

VMware vSphere vMotion encryption

VxRail supports encrypted VMware vSphere vMotion, where VMs are encrypted when they are moved between hosts. This includes VMware vSphere vMotion migrations within a VxRail and VMware vSphere vMotion migrations to or from a VxRail cluster within a VMware vCenter Server instance. Encrypted VMware vSphere vMotion can be used with VMware vSAN encryption to have data at rest encryption and data-in-transit encryption. Encrypted VMware vSphere vMotion is enforced for VMs with VMware vSphere Encryption enabled. For more information, see Encrypted vSphere vMotion.

Data-at-rest encryption

VMware vSAN encryption encrypts data-at-rest (D@RE) on the VMware vSAN data store. D@RE from VMware vSAN offers FIPS 140-2 verified security that can be used with VxRail to encrypt a data store. In addition to protecting your workloads, VMware vSAN encryption is the easiest and most flexible way to encrypt D@RE because the entire VMware vSAN data store is encrypted with a single setting. This encryption is cluster-wide for all VMs using the data store. Encrypted VM data typically does not benefit from space reduction techniques such as deduplication or compression. VMware vSAN encryption is performed after deduplication and compression, so the full benefit of these space reduction techniques is maintained. For more information, see VMware vSAN Data-At-Rest Encryption.

VMware vSphere also supports encryption at the VM layer as an option to VMware vSAN encryption. Starting with VxRail 7.0.200, the native key provider that is embedded with VMware vCenter Server can be used for encryption purposes.

VMware vSAN encryption

The following encryption key provider options are available depending on the VMware vCenter Server deployment:

• VxRail-managed VMware vCenter Server supports both native key provider and standard key provider methods.​
• Customer-managed VMware vCenter Server supports only the native key provider method.​

TPM

Trusted Platform Module (TPM) is a specialized chip that is built into the PowerEdge platform.​ The features of TPM are:

• Use TPM to determine the trustworthiness of a host to be part of a cluster.​ TPM enforces software integrity through signed VIBs, assuring that only authorized software is installed on hosts.​
• TPM supports the storing of keys for VMware vSAN encryption in a more secure and accessible location than in a local cache. Keys that are stored in TPM persist after a reboot operation, while keys stored in a local cache do not persist after a reboot. You should enable key persistence in ESXi.
• TPM supports secure booting of VxRail nodes to prevent unauthorized access to systems.​

VxRail 8.0 only supports TPM 2.0.​ Before reimaging or upgrading VxRail nodes to VxRail 8.0, upgrade the TPM chip on each node to TPM version 2.0 only if:

• You are planning to enable TPM on nodes as part of the security policy​.
• The older version of TPM is configured on VxRail nodes.​

To use VMware vSAN ESA encryption with TPM, enable TPM in BIOS on each VxRail node to be a member of the encrypted VMware vSAN ESA data store.​