top of page
  • Writer's picturevP

Using Encryption in a vSAN Cluster

In the virtual realm of vSAN clusters, security stands tall as a paramount concern. One key aspect ensuring the integrity of your data is encryption. In this blog, let's discuss about encryption, its significance, and why it's a must-have in your vSAN environment.


What is Encryption?

Encryption, in simple terms, is the art of converting readable information into an unreadable format using a secret code. This secret code, often referred to as a key, acts as a digital lock, ensuring that only authorized users with the corresponding key can access the encrypted data.


Why Encryption Matters in vSAN?

Data Protection:

Encryption acts as a robust shield against unauthorized access to your data. In a vSAN cluster, where sensitive information is stored, this protective layer becomes indispensable. It ensures that even if someone gains physical or unauthorized access to the underlying storage, the data remains incomprehensible without the encryption key.


Compliance Requirements:

Many industries and organizations have strict compliance standards regarding data security. Encryption aids in meeting these standards by providing an additional layer of protection, aligning your vSAN setup with regulatory requirements.

Secure Data at Rest:

In a vSAN cluster, data isn't always on the move. When it's at rest, residing on your storage devices, it becomes susceptible to potential breaches. Encryption ensures that, even in this static state, your data remains secure and immune to unauthorized access.


Protecting Against Insider Threats:

Not all threats come from external sources. Internal risks, intentional or accidental, can pose a significant danger. Encryption serves as a fail-safe, mitigating the impact of insider threats by rendering the data useless without the proper decryption key.


Encryption in vSAN -

You can encrypt data-in transit in your vSAN cluster, and encrypt data-at-rest in your vSAN datastore.


vSAN can encrypt data in transit across hosts in the vSAN cluster. Data-in-transit encryption protects data as it moves around the vSAN cluster.


vSAN can encrypt data at rest in the vSAN datastore. Data-at-rest encryption protects data on storage devices, in case a device is removed from the cluster.


1. vSAN Data-In-Transit Encryption

vSAN can encrypt data in transit, as it moves across hosts in your vSAN cluster. vSAN can encrypt data in transit across hosts in the cluster. When you enable data-in-transit encryption, vSAN encrypts all data and metadata traffic between hosts.


vSAN data-in-transit encryption has the following characteristics:

  • vSAN uses AES-256 bit encryption on data in transit.

  • vSAN data-in-transit encryption is not related to data-at-rest-encryption. You can enable or disable each one separately.

  • Forward secrecy is enforced for vSAN data-in-transit encryption.

  • Traffic between data hosts and witness hosts is encrypted.

  • File service data traffic between the VDFS proxy and VDFS server is encrypted.

  • vSAN file services inter-host connections are encrypted.


vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption.


Each host is authenticated when it joins the cluster, ensuring connections only to trusted hosts are allowed. When a host is removed from the cluster, it is authentication certificate is removed.


vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts.


2. vSAN Data-At-Rest Encryption

vSAN can encrypt data at rest in your vSAN datastore. vSAN can perform data at rest encryption. Data is encrypted after all other processing, such as deduplication, is performed. Data at rest encryption protects data on storage devices, in case a device is removed from the cluster.


Using encryption on your vSAN datastore requires some preparation. After your environment is set up, you can enable data-at-rest encryption on your vSAN cluster.


Data-at-rest encryption requires an external Key Management Server (KMS) or a vSphere Native Key Provider. For more information about vSphere encryption, see vSphere Security.


You can use an external Key Management Server (KMS), the vCenter Server system, and your ESXi hosts to encrypt data in your vSAN cluster. . vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts.


vCenter Server does not store the KMS keys, but keeps a list of key IDs.


When you enable data-at-rest encryption, vSAN encrypts everything in the vSAN datastore.

All files are encrypted, so all virtual machines and their corresponding data are protected. Only administrators with encryption privileges can perform encryption and decryption tasks. vSAN uses encryption keys as follows:

  • vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself.

  • The ESXi host encrypts disk data using the industry standard AES-256 XTS mode. Each disk has a different randomly generated Data Encryption Key (DEK).

  • Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.

  • A host key is used to encrypt core dumps, not data. All hosts in the same cluster use the same host key. When collecting support bundles, a random key is generated to re-encrypt the core dumps. You can specify a password to encrypt the random key.


When a host reboots, it does not mount its disk groups until it receives the KEK. This process can take several minutes or longer to complete. You can monitor the status of the disk groups in the vSAN health service, under Physical disks > Software state health.


Wrapping it up, using encryption in a vSAN cluster isn't just a choice; it's a must. It works like a digital fortress, protecting your data from various possible dangers. If you grasp its significance and stick to a step-by-step setup plan, you strengthen your vSAN setup, guaranteeing a safe and robust storage system for your data.


Thank you for reading!


*** Explore | Share | Grow ***

47 views0 comments

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page