• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

virtuallyGhetto

  • About
  • Privacy
  • Automation
    • VMware Kickstart
    • VMware API/SDK/CLI
    • VMware vMA/VIMA
    • VMware OVF / OVFTOOL
  • Apple Mac
  • Nested Virtualization
  • VCSA
  • VSAN
You are here: Home / Docker / Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

04/14/2017 by William Lam 3 Comments

One of biggest feature introduced in the upcoming vSAN 6.6 release is the native vSAN Data-at-Rest Encryption capability. My good friend Duncan Epping even posted a video recently demo'ing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption which was introduced in vSphere 6.5, vSAN Encryption also requires a Key Management Interoperability Protocol (KMIP) Server which needs to be associated with your vCenter Server.

The really nice thing about this is that because both VM Encryption and vSAN Encryption uses the exact same encryption library, as long as you have a supported KMS (which you can find over on the VMware KMS HCL here, more are being certified and added), you can actually leverage the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉

As with any feature that relies on 3rd party tools, it can take some time to acquire evaluational licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can quickly get started in under a few minutes by using the KMIP Docker Container that I had built last year. This is a great way to familiarize yourself with the workflow or even try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or even deployment of encrypted VMs. Another great use case for this is doing live demos and all you need is just a couple of Nested ESXi VMs and a Docker Container Host like Photon OS or even just your laptop for example. Below are the instructions on how to get started.

Disclaimer: It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be leveraging a production grade KMIP Server as PyKMIP stores the encryption keys in memory and will be lost upon a restart. This will also be true even for the virtual appliance, so this is really for quick evaluational purposes, do NOT run anything important that you care about due to the risks mentioned earlier.

Step 1 - Setup the KMIP Docker Container and associate it with your vCenter Server. You can find the complete instructions here.


Step 2 - Enable vSAN Encryption by editing the vSAN Cluster configuration. You should see the KMS Cluster that you had configured from Step 1. If you only have a single existing diskgroup, you may need to select the "Allow Reduced Redundancy" as the existing diskgroup will be destroyed which may violate the existing availability policy.


At this point, you should see a new task kicked off to reformat the vSAN diskgroup and once that has completed, you have now successfully enabled vSAN Encryption! Pretty straight forward, right?


There is also a vSAN Health Check for vSAN Encryption which you can view by going to vSAN->Monitor->vSAN and under the "Encryption" check, it should show all green that your CPUs support the AES-NI instruction sets. You can also see that I have gone ahead and deployed a new VM which is now being secured by vSAN Encryption!

More from my site

  • Automating the new native VCSA bootstrap “Easy Install” in vSAN 6.6
  • New vSAN Management 6.6 API / SDKs / CLIs
  • Project USB to SDDC – Part 1
  • Project USB to SDDC – Part 2
  • KMIP Server Docker Container for evaluating VM Encryption in vSphere 6.5
Share this...
  • Twitter
  • Facebook
  • Linkedin
  • Reddit
  • Pinterest

Filed Under: Docker, VSAN, vSphere 6.5 Tagged With: Docker, KMIP, PyKMIP, VSAN 6.6, vSAN Encyption, vSphere 6.5

Reader Interactions

Comments

  1. Sanjay Dubey says

    04/26/2017 at 3:08 am

    Getting error. Client Certificate not found.

    Reply
  2. Dan says

    09/10/2017 at 2:41 pm

    Hey William,

    I am getting the same error below:

    The “Reconfigure vSAN configuration” operation failed for the entity with the following error message.

    General vSAN error.
    The KMS cluster DOCKER-KMS does not have a client certificate or key configured

    Do i need to Establish Trust with the KMS and create a client side cert from vCenter and upload it to the KMIP Server Docker Container?

    I am running 6.5U1 + VSAN 6.6.1 as well.

    Thanks

    Reply
  3. Nathan says

    07/01/2018 at 9:32 pm

    I’m getting the same error as Dan. Any ideas on a solution?

    Reply

Thanks for the comment! Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Author

William Lam is a Staff Solutions Architect working in the VMware Cloud on AWS team within the Cloud Platform Business Unit (CPBU) at VMware. He focuses on Automation, Integration and Operation of the VMware Software Defined Datacenter (SDDC).

  • GitHub
  • Google+
  • LinkedIn
  • RSS
  • Twitter

Sponsors

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy