VSAN Encryption: What it is, what it does and how to use it

VSAN Encryption vs. vSphere VM encryption

VSAN Encryption is available for both hybrid and all-flash configurations and requires a key management server (KMS) compliant with Key Management Interoperability Protocol 1.1 in order to associate with vCenter Server. VSAN Encryption performs encryption with a xor-encrypt-xor-based tweaked-codebook mode with ciphertext stealing (XTS) Advanced Encryption Standard (AES) 256 cipher at both the cache and capacity tier -- anywhere data is at rest. VSAN Encryption is also compatible with vSAN all-flash efficiency features, such as deduplication, compression and erasure coding; this means it delivers highly efficient and secure storage. Data is encrypted as it enters the cache tier and, as it destages, is decrypted. Finally, the data is deduplicated and compressed as it enters the capacity tier, where it is encrypted again.

VSAN Encryption is compatible with vSAN all-flash efficiency features, such as deduplication, compression and erasure coding; this means it delivers highly efficient and secure storage.

VSAN Encryption's cryptographic mechanics are similar to those of vSphere 6.5 VM Encryption. Both use the same encryption library, provided you have a supported KMS. In fact, you can use the same KMS for both vSAN Encryption and VM Encryption. However, that's where the similarities end. VM Encryption occurs on a per-VM basis via vSphere API for I/O filtering, whereas vSAN Encryption encrypts the entire data store.

The other major difference is that vSAN Encryption is a two-level encryption method: It uses a key encryption key (KEK) to encrypt a data encryption key (DEK). The DEK is a randomly generated key that encrypts data on each disk. Each vSAN host stores the encrypted DEKs but does not store the KEK on disk. If the host requires the KEK, it requests it from the KMS.

How does vSAN Encryption work?

VSAN Encryption occurs when vCenter Server requests an AES-256 KEK from the KMS. VCenter Server only stores the KEK's ID, not the key itself. The ESXi host then encrypts disk data with the industry standard AES-256 XTS mode. Each disk has a different randomly generated DEK. Each ESXi host then uses the KEK to encrypt its DEKs and stores the encrypted DEKs on disk. As mentioned before, the host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.

The host uses a host key to encrypt core dumps, not data. All hosts in the same cluster use the same host key. VSAN Encryption generates a random key to re-encrypt the core dumps when it collects support bundles. Use a password when you encrypt the random key.

When an encrypted vSAN host reboots, it does not mount its disk groups until it receives the KEK, which means this process can take several minutes or more to complete. Also, encryption can be CPU-intensive. Intel AES New Instructions (AES-NI) significantly improves encryption performance, so enable AES-NI in your system's Basic Input/Output System.

The encryption process

To encrypt data with vSAN Encryption, first add a KMS to your vCenter Server and establish a trusted connection with it. Do not deploy your KMS on the data store you intend to encrypt because, if a failure should occur, hosts in the vSAN cluster must communicate with the KMS.

Select the vCenter Server to which you wish to deploy the KMS and, under the Configure tab, select Key Management Servers and add your KMS details.

Figure 1 shows options for establishing a trusted connection between vCenter, ESXi hosts and KMS. Once you choose one of these options, you can enable encryption in your vSAN cluster.

It's incredibly easy to turn on vSAN Encryption. Simply select the vSAN cluster and navigate to the Configure tab. Under vSAN, select General. Click the Edit button and tick the boxes next to "Turn ON vSAN" and "Encryption." Be sure to select the appropriate KMS cluster.

In this window, you'll also see options to "Erase disks before use" and "Allow Reduced Redundancy." "Erase disks before use" wipes existing data from storage devices as they are encrypted. Be aware that this increases the disk reformatting time.

If your vSAN cluster already has a significant number of VMs deployed to it and you're concerned that there isn't sufficient available capacity to evacuate the disk group prior to encryption, the "Allow Reduced Redundancy" option reduces the VM's protection level to free up space to carry out the encryption. This method doesn't evacuate data to other hosts in the cluster; it just removes each disk group, upgrades the on-disk format and adds the disk group back. All objects remain available but with reduced redundancy.

Once you click OK, vSAN will reformat all of the disks in the group. This is a rolling format in which vSAN removes one disk group at a time, evacuates the data from those disk groups, formats each disk to on-disk version 5.0, re-creates the disk group and moves on to the next. This can take a considerable amount of time, especially if vSAN needs to migrate large amounts of data on the disks during reformatting.

Be aware that if, at any point, you choose to disable vSAN Encryption, vSAN will perform a similar reformatting process to remove encryption from the disks.

If you need to regenerate the encryption keys, you can do so within the vSAN configuration user interface. There are two methods for regenerating a key. The first is a high-level re-key where a new KEK encrypts the existing DEK. The other is a complete re-encryption of all data with KEKs and DEKs. This option takes significant time to complete, as all data must be re-encrypted with the new key.

To generate new encryption keys, click the Configure tab. Under vSAN, select General and then click Generate New Encryption Key. This opens a window in which you can generate new encryption keys, as well as re-encrypt all data in the vSAN cluster. To generate a new KEK, click OK. The DEKs will be re-encrypted with the new KEK. To generate a new KEK and new DEKs, and re-encrypt all data in the vSAN cluster, select the check box that says: "Also re-encrypt all data on the storage using new keys."