
Dell VxRail Architecture Overview


Encryption

Use the following components to prevent exposure of sensitive information and to ensure that only appropriate, authorized access to data takes place. VxRail addresses the confidentiality of data in use, data in motion, and data at rest.

VM encryption

With VM encryption, you enable encryption per VM, so a single cluster can host both encrypted and unencrypted VMs. The encryption follows the VM wherever it is hosted: if a VM is moved to a data store outside VxRail, it remains encrypted. For more information, see Virtual Machine Encryption.

VMware vSphere vMotion encryption

VxRail uses encrypted VMware vSphere vMotion to encrypt VMs when they are moved between hosts. This includes VMware vSphere vMotion migrations within a VxRail and migrations to or from a VxRail cluster within a VMware vCenter Server instance. Encrypted VMware vSphere vMotion can be used with VMware vSAN encryption for data at rest encryption and data-in-transit encryption. Encrypted VMware vSphere vMotion is enforced for VMs with VMware vSphere Encryption enabled. For more information, see Encrypted vSphere vMotion.

Data-at-rest encryption

VMware vSAN encryption encrypts data-at-rest (D@RE) on the VMware vSAN data store. D@RE offers FIPS 140-2 verified security to encrypt a data store and protect your workloads. D@RE encrypts the entire VMware vSAN data store with a single, cluster-wide setting that applies to all VMs using the data store. Data that is already encrypted at the VM layer typically does not benefit from space reduction techniques such as deduplication or compression; VMware vSAN encryption, by contrast, is performed after deduplication and compression. For more information, see VMware vSAN Data-At-Rest Encryption.

Figure 1. VMware vSAN encryption on VxRail cluster

VMware vSphere also supports encryption at the VM layer, in addition to VMware vSAN encryption. For VxRail 7.0.200 and later, you can use the native key provider that is embedded in VMware vCenter Server.

Figure 2. VM encryption on VxRail cluster

VMware vSAN encryption

The following encryption key provider options are available depending on the VMware vCenter Server deployment:

  • VxRail-managed: VMware vCenter Server supports the native key provider and standard key provider methods.
  • Customer-managed: VMware vCenter Server supports only the native key provider method.

Boot drive encryption

For VxRail 8.0.320 and later, you can encrypt the boot drives in each VxRail node. The boot subsystem consists of the BOSS-N1 controller and the M.2 SED drives connected to it. The BOSS-N1 card is exposed on the outside of the chassis, and its drives hold the operating system of the node.

Encryption is applied either by a Local Key Manager (LKM) on iDRAC or by an external Enterprise Key Management Solution (EKMS).

TPM

TPM is a specialized chip that is built into the PowerEdge platform to:

  • Determine whether a host is trustworthy enough to be part of a cluster. TPM enforces software integrity through signed VIBs, assuring that only authorized software runs.
  • Store keys for VMware vSAN encryption in a location that is more secure, and still accessible, than a local cache. Keys held by the TPM persist across a reboot, whereas keys stored only in a local cache do not. Enable key persistence in VMware ESXi to use this.
  • Support Secure Boot of VxRail nodes to prevent unauthorized access to systems.
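As an added example (not Dell or VMware code), the following POSIX shell audit checks the three TPM-related ESXi settings this list describes, by parsing the output of `esxcli system settings encryption get`. The sample outputs are constructed, and treating TPM mode, signed-VIB enforcement and Secure Boot as the expected baseline is this example's own assumption.

```shell
#!/bin/sh
# Audit of TPM-related ESXi encryption settings. Added example, not Dell/VMware code.
# Input is the text printed by `esxcli system settings encryption get` on an ESXi host;
# key persistence itself is enabled separately with `esxcli system security keypersistence enable`.

# Constructed sample output from a host configured as the page describes.
SAMPLE_HARDENED='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

# Constructed sample output from a host still in its default state.
SAMPLE_DEFAULT='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# get_setting OUTPUT KEY -> prints the value recorded for KEY (empty if absent).
get_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# audit_encryption_settings OUTPUT -> prints one finding per deviating setting;
# returns 0 when all three settings match the assumed baseline, 1 otherwise.
audit_encryption_settings() {
    out="$1"
    rc=0
    mode=$(get_setting "$out" "Mode")
    vibs=$(get_setting "$out" "Require Executables Only From Installed VIBs")
    sboot=$(get_setting "$out" "Require Secure Boot")

    # Mode TPM means the host's encryption keys are sealed to the TPM rather than cached.
    [ "$mode" = "TPM" ] || { echo "FAIL: encryption mode is '$mode', expected TPM"; rc=1; }
    # Only executables from installed, signed VIBs may run (software integrity).
    [ "$vibs" = "true" ] || { echo "FAIL: execution not restricted to installed VIBs"; rc=1; }
    # Secure Boot must be required for the host to be considered trustworthy.
    [ "$sboot" = "true" ] || { echo "FAIL: Secure Boot not required"; rc=1; }

    [ "$rc" -eq 0 ] && echo "PASS: TPM mode, signed-VIB enforcement and Secure Boot are all set"
    return "$rc"
}

# Demonstration on the constructed samples (the second is expected to fail).
audit_encryption_settings "$SAMPLE_HARDENED"
audit_encryption_settings "$SAMPLE_DEFAULT" || true
```

On a live host, pipe the real command into the function, for example `audit_encryption_settings "$(esxcli system settings encryption get)"`.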

VxRail 8.0 supports TPM 2.0. Before reimaging or upgrading VxRail nodes to VxRail 8.0, upgrade the TPM chip on each node to TPM version 2.0 if:

  • You plan to enable TPM on nodes as part of the security policy.
  • An older version of TPM is configured on the VxRail nodes.

To use VMware vSAN ESA encryption with TPM, enable TPM in the BIOS on each VxRail node that is to be a member of the encrypted VMware vSAN ESA data store.
