This topic describes how you can secure VMware Tanzu Operations Manager VMs by encrypting their disks or rotating their disk encryption keys. Disk encryption protects data integrity if computing resources are stolen physically.
Disk encryption for VMs works at the IaaS level. An IaaS encrypts disks when it first creates them, or re-encrypts them when it rotates encryption keys.
To encrypt disks in Tanzu Operations Manager, you must:
Configure the IaaS to encrypt disks when it creates or recreates them.
Trigger BOSH to recreate the existing VMs that use the disks, and create encrypted disks from now on for new VMs.
The procedures below describe how to do this for each IaaS.
The disks you can encrypt on an Tanzu Operations Manager VM are:
The root file system for the VM. For BOSH-created VMs, this comes from the stemcell.
Ephemeral disk for the VM.
Persistent disk for the VM.
For each IaaS, there are two disk encryption procedures, which encrypt different VMs:
The BOSH Director procedure encrypts the disks used by the BOSH Director VM when you first create an Tanzu Operations Manager environment.
The BOSH-deployed VM procedure encrypts disks for the VMs that the BOSH Director creates, after BOSH has been deployed.
You can use the same procedure to either encrypt disks for the first time or rotate encryption keys.
For BOSH-deployed VMs, some IaaSes let you associate a policy with the BOSH process that automatically encrypts all disks BOSH creates. On AWS, BOSH must explicitly tell the IaaS to encrypt each disk that it creates, and passes in an encryption key. The table below summarizes these differences:
|IaaS||How configured||How encrypted||User can supply key||BOSH stores key ID|
|AWS||User pastes key Amazon Resource Name (ARN) into Tanzu Operations Manager||BOSH tells IaaS to encrypt disks it creates||Yes||Yes|
|Azure (with managed disks)||User configures IaaS to associate encrypt policy with BOSH||IaaS automatically encrypts disks it creates for BOSH||No||No|
|Azure (with Azure Storage)||User configures IaaS to associate encrypt policy with BOSH||IaaS automatically encrypts disks it creates for BOSH||Yes||No|
|vSphere||User configures IaaS to associate encrypt policy with BOSH||IaaS automatically encrypts disks it creates for BOSH||Yes||No|
Azure provides virtual disk space through Azure Storage accounts. In some regions, Azure offers a managed disks service for storage accounts, which allocates disk space flexibly on demand.
For more information about Azure Storage, see Introduction to Azure storage in the Microsoft Azure documentation. For more information about managed disks, see Introduction to Azure managed disks in the Microsoft Azure documentation.
For disk encryption, VMware recommends managed disk storage where available. With managed disks, encryption keys are managed by the IaaS, so you do not supply your own keys. You also do not need to re-create VMs after encrypting disks or rotating encryption keys, because the IaaS propagates the change to all VMs automatically.
To initiate or rotate disk encryption for BOSH-deployed VMs on Azure:
Log in to Azure Portal.
Encrypt new and existing Tanzu Operations Manager VMs by following the procedure in Azure Disk Encryption for virtual machines and virtual machine scale sets in the Microsoft Azure documentation.
For unmanaged Storage Account disks, see Recreate BOSH-Deployed Disks to propagate the change to existing VMs. If you are using managed disks, you can skip this step.
For more information about how BOSH integrates with IaaS-level disk encryption on Azure, see Encryption in Microsoft Azure in the BOSH documentation.
vSphere v6.5 and later support disk encryption for encrypted VMs.
If you are configuring volume encryption for VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), you cannot use Tanzu Operations Manager or the vSphere BOSH CPI to encrypt persistent disks.
To initiate or rotate disk encryption for BOSH-deployed VMs on vSphere v6.5 or later:
Log in to vCenter.
Follow the procedure in Encrypt an existing virtual machine or virtual disk in the VMware documentation. If you are configuring volume encryption for TKGI, change the Default Storage Policy to an existing encryption policy.
Follow the procedure in Recreate BOSH-deployed disks procedure to propagate the change to existing VMs.
If you are configuring volume encryption for TKGI:
Delete the BOSH Director stemcell used for the TKGI foundation from the disk using vSphere WebClient. For more information on how to delete the BOSH Director stemcell, see How to recreate BOSH Director VM when the Stemcell is deleted from vSphere.
Reupload the stemcell used by TKGI:
sudo cp /var/tempest/stemcells/STEMCELL-NAME.tgz /home/ubuntu/. sudo chown ubuntu:ubuntu STEMCELL-NAME.tgz bosh upload-stemcell STEMCELL-NAME.tgz --fix
STEMCELL-NAME is the name of the stemcell you want to reupload.
sudo cp /var/tempest/stemcells/bosh-stemcell-621.84-vsphere-esxi-ubuntu-xenial-go_agent.tgz /home/ubuntu/. sudo chown ubuntu:ubuntu bosh-stemcell-621.84-vsphere-esxi-ubuntu-xenial-go_agent.tgz bosh upload-stemcell bosh-stemcell-621.84-vsphere-esxi-ubuntu-xenial-go_agent.tgz --fix
In the TKGI tile, select the Upgrade All Clusters errand.
For more information about how BOSH integrates with IaaS-level disk encryption on vSphere, see Encryption in vSphere in the BOSH documentation.
On AWS in Tanzu Operations Manager v2.0 and later, you can either use your Amazon account key to encrypt Linux EBS volumes or supply your own key.
To encrypt BOSH-deployed VMs and the Tanzu Operations Manager VM on AWS, see Configuring Amazon EBS Encryption.
For more information about how BOSH integrates with IaaS-level disk encryption on AWS, see Encryption in Amazon Web Services in the BOSH documentation.
Unless you are using Azure managed disks, you must manually recreate disks on BOSH-deployed VMs after you have added or rotated disk encryption keys. To manually recreate disks:
Configure Tanzu Operations Manager to encrypt VM root, ephemeral disk, and persistent disk on next deploy:
Click Review Pending Changes.
Click Apply Changes.