With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.
What Keys Are Used
vSphere uses two levels of encryption in the form of a Key Encryption Key (KEK) and a Data Encryption Key (DEK). Briefly, an ESXi host generates a DEK to encrypt virtual machines and disks. The KEK is provided by the KMS, and encrypts (or "wraps") the DEK. The KEK encrypts the DEK using the AES256 algorithm and the DEK encrypts the VMDK using the XTS-AES-256 (512-bit key size) algorithm.
- The ESXi host generates and uses internal keys to encrypt virtual machines and disks. These keys are used as DEKs.
- vCenter Server requests keys from the KMS. These keys are used as the KEKs. vCenter Server stores only the ID of each KEK, but not the key itself.
- ESXi uses the KEK to encrypt the internal keys, and stores the encrypted internal key on disk. ESXi does not store the KEK on disk. If a host reboots, vCenter Server requests the KEK with the corresponding ID from the KMS and makes it available to ESXi. ESXi can then decrypt the internal keys as needed.
What Is Encrypted
- Virtual machine files
- Most virtual machine files, in particular, guest data that are not stored in the VMDK file, are encrypted. This set of files includes but is not limited to the NVRAM, VSWP, and VMSN files. The key that vCenter Server retrieves from the KMS unlocks an encrypted bundle in the VMX file that contains internal keys and other secrets.
- Virtual disk files
- Data in an encrypted virtual disk (VMDK) file is never written in cleartext to storage or physical disk, and is never transmitted over the network in cleartext. The VMDK descriptor file is mostly cleartext, but contains a key ID for the KEK and the internal key (DEK) in the encrypted bundle.
- Core dumps
-
Core dumps on an
ESXi host that has encryption mode enabled are always encrypted. See
vSphere Virtual Machine Encryption and Core Dumps.
Note: Core dumps on the vCenter Server system are not encrypted. Protect access to the vCenter Server system.
What Is Not Encrypted
Who Can Perform Cryptographic Operations
Only users that are assigned the Cryptographic Operations privileges can perform cryptographic operations. The privilege set is fine grained. See Cryptographic Operations Privileges. The default Administrator system role includes all Cryptographic Operations privileges. A new role, No Cryptography Administrator, supports all Administrator privileges except for the Cryptographic Operations privileges.
You can create additional custom roles, for example, to allow a group of users to encrypt virtual machines but to prevent them from decrypting virtual machines.
How Can I Perform Cryptographic Operations
The vSphere Client and vSphere Web Client support many of the cryptographic operations. For other tasks, you can use the vSphere API.
Interface | Operations | Information |
---|---|---|
vSphere Client or vSphere Web Client | Create encrypted virtual machine Encrypt and decrypt virtual machines |
This book. |
vSphere Web Services SDK | Create encrypted virtual machine Encrypt and decrypt virtual machines Perform a deep recrypt of a virtual machine (use a different DEK). Perform a shallow recrypt of a virtual machine (use a different KEK). |
vSphere Web Services SDK Programming Guide VMware vSphere API Reference |
crypto-util | Decrypt encrypted core dumps, check whether files are encrypted, and perform other management tasks directly on the ESXi host. | Command-line help. |