vSphere 5.5 EOGS - vSphere 6.5 Features Part 3 - Security
vSphere 6.5 brings some very impressive security features, including VM Encryption (VMcrypt), Encrypted vMotion, Secure Boot and enhanced logging.
With VM Encryption there is no dependency on the guest OS or on the underlying storage/datastore, so there are no restrictions on which VMs you can encrypt. Encryption is applied at the hypervisor level to the VM's files (the VMDKs and most of the VM home files: swap, NVRAM, snapshots, plus a key bundle inside the VMX) and not inside the running guest OS, so the guest needs no agent and is unaware of it. It is also easy to assign, as encryption is applied through an SPBM (Storage Policy Based Management) storage policy. The keys are never placed in the VM's memory and cannot be accessed by the guest in any way. Key management uses an external KMS over KMIP 1.1 (Key Management Interoperability Protocol); the list of supported KMS vendors can be found here, with SafeNet, HyTrust and Thales included.
vCenter acts as the KMIP client, which separates key usage (on the ESXi hosts) from key management (in the KMS). VMcrypt uses the CPU's AES-NI instructions, so encryption and decryption run in the host's I/O path on every core.
To enable VMcrypt, select a VM, edit its VM storage policy and apply the VM Encryption policy (the VM has to be powered off for the initial encryption). You can also select multiple VMs at the same time and apply or edit the policy in bulk.
The ESXi host generates a random AES-256 key, the data encryption key (DEK), which encrypts the VM's files. The DEK is itself encrypted (wrapped) with a key supplied by the KMS, the key encryption key (KEK), and the wrapped DEK is stored in the VMX file along with the ID of the KEK. At power-on vCenter fetches the KEK from the KMS by that ID and passes it to the host, which unwraps the DEK; the ESXi host never talks to the KMS itself, and the KEK is never written to disk alongside the VM.
To summarize: KEKs are generated by and live in the KMS, while DEKs are generated by the ESXi host using OpenSSL.
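The key hierarchy described above, as an added example in Go (this is illustrative code written for this post, not VMware's implementation): a stand-in KMS hands out KEKs by ID, the "host" generates a DEK, encrypts the disk under it and stores the DEK wrapped under the KEK next to the KEK ID, and power-on reverses that. AES-256-GCM is assumed for both the disk encryption and the wrapping (VMware's actual wrap format is not reproduced), and the KEK ID format and sample disk contents are constructed. It also shows why a VMDK pulled off the datastore is unreadable without the KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not VMware's implementation: AES-256-GCM stands in for both
// the disk encryption and the KEK wrapping, and the on-disk formats are not
// reproduced. What it shows is the key hierarchy and who holds which key.

// KMS is a stand-in for the external KMIP server. It hands out KEKs by ID and
// never sees a DEK or any VM data.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

// CreateKEK generates a 256-bit KEK and returns the ID vCenter will store
// (the hex ID format is constructed for this example).
func (k *KMS) CreateKEK() (string, error) {
	kek := make([]byte, 32)
	id := make([]byte, 8)
	if _, err := rand.Read(kek); err != nil {
		return "", err
	}
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	k.keks[hex.EncodeToString(id)] = kek
	return hex.EncodeToString(id), nil
}

func (k *KMS) GetKEK(id string) ([]byte, error) {
	kek, ok := k.keks[id]
	if !ok {
		return nil, errors.New("KMS: unknown KEK id")
	}
	return kek, nil
}

// seal encrypts with AES-256-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails on the wrong key or any tampering.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptedVM is what lands on the datastore: the disk encrypted under the
// DEK, plus the VMX metadata holding the KEK ID and the DEK wrapped under that KEK.
type EncryptedVM struct {
	VMDK       []byte
	KEKID      string
	WrappedDEK []byte
}

// EncryptVM models applying the encryption storage policy: the host generates
// a fresh DEK, encrypts the disk, and wraps the DEK under the KEK that vCenter
// fetched from the KMS (the host never talks to the KMS itself).
func EncryptVM(kms *KMS, kekID string, vmdk []byte) (*EncryptedVM, error) {
	kek, err := kms.GetKEK(kekID) // vCenter's KMIP call, in this model
	if err != nil {
		return nil, err
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	encDisk, err := seal(dek, vmdk)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedVM{VMDK: encDisk, KEKID: kekID, WrappedDEK: wrapped}, nil
}

// PowerOn models power-on: look up the KEK by the ID in the VMX, unwrap the DEK,
// then decrypt the disk. Without KMS access the VM is just ciphertext.
func PowerOn(kms *KMS, vm *EncryptedVM) ([]byte, error) {
	kek, err := kms.GetKEK(vm.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := unseal(kek, vm.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, vm.VMDK)
}

func main() {
	kms := NewKMS()
	kekID, _ := kms.CreateKEK()
	disk := []byte("constructed sample VMDK: guest data lives here")
	vm, err := EncryptVM(kms, kekID, disk)
	if err != nil {
		panic(err)
	}
	// Someone who downloads the files from the datastore sees only ciphertext.
	fmt.Println("plaintext visible on datastore:", bytes.Contains(vm.VMDK, []byte("guest data")))
	pt, _ := PowerOn(kms, vm)
	fmt.Println("power-on with KMS:", string(pt))
	_, err = PowerOn(NewKMS(), vm) // KMS unreachable or KEK destroyed
	fmt.Println("power-on without KMS:", err)
}
```

The point to take from the model is the blast radius of each key: losing the KMS (or deleting the KEK in it) makes every VM that references that KEK unrecoverable, which is why the KMS needs the same backup and availability planning as vCenter itself.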
To note: in vSphere 6.5 encrypted VMs cannot have memory snapshots (disk-only snapshots are fine), and they cannot be suspended either.
To back up an encrypted VM the backup solution needs to support the vSphere hot-add transport. The backup proxy VM itself has to be encrypted, and the vCenter user running the backup needs the Cryptographic Operations > Direct Access privilege. The backup proxy can then snapshot the encrypted VM, hot-add the parent disk and read its contents in the clear, which means the backup product is responsible for encrypting the data it writes to the backup target; the VM's own encryption does not carry over to the backup copy.
What happens if you browse the datastore and download the VMDK, would it be encrypted? Only someone with the right privileges can download an encrypted VM's files at all, and those files are ciphertext. By privileges I mean Cryptographic Operations; you can assign the built-in No Cryptography Administrator role to all vCenter administrators who do not need them, so they can still manage VMs without being able to download or decrypt encrypted ones.
For vMotion, a per-VM setting now encrypts the vMotion traffic crossing the network. For each migration vCenter generates a one-time random 256-bit key and a 64-bit nonce and hands both to the source and destination hosts; the nonce is combined with a per-packet counter so that every packet gets a unique IV. This key does not come from the KMS and is discarded when the migration finishes. For Storage vMotion, disks that are already encrypted move in their encrypted form; disks that are not encrypted are not protected by vMotion encryption, which in 6.5 covers only the compute (memory and device state) migration. For a VM encrypted with VMcrypt you cannot turn encrypted vMotion off.
There are three settings per VM, under Edit Settings > VM Options: Disabled (do not use vMotion encryption), Opportunistic (use encryption only if both source and destination hosts support it, which means 6.5 or higher; otherwise fall back to unencrypted) and Required (if either source or destination does not support it, the vMotion does not occur). Opportunistic is the default for unencrypted VMs; encrypted VMs are set to Required.
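To make the per-packet nonce/counter idea and the three settings concrete, here is an added Go example (written for this post, not VMware's code). It models the per-migration key and 64-bit nonce that vCenter would hand to both hosts, derives a unique AES-GCM IV per packet from the nonce plus a counter, has the receiver reject replayed or relabelled packets, and implements the Disabled/Opportunistic/Required negotiation. The 96-bit IV layout (64-bit nonce || 32-bit counter) and the packet format are assumptions made for illustration; the real on-wire format is not reproduced. The setting names match the vSphere 6.5 API values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not VMware's implementation. The IV layout
// (64-bit per-migration nonce || 32-bit packet counter) is an assumption.

// MigrationSpec is what vCenter hands both hosts for one vMotion: a fresh
// 256-bit key and a 64-bit nonce, neither of which comes from the KMS.
type MigrationSpec struct {
	Key   []byte
	Nonce uint64
}

func NewMigrationSpec() (*MigrationSpec, error) {
	key := make([]byte, 32)
	var n [8]byte
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(n[:]); err != nil {
		return nil, err
	}
	return &MigrationSpec{Key: key, Nonce: binary.BigEndian.Uint64(n[:])}, nil
}

// Packet is one unit of VM state on the wire: the counter in clear so the
// receiver can rebuild the IV, everything else encrypted and authenticated.
type Packet struct {
	Counter    uint32
	Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// iv derives the unique per-packet IV: the nonce is fixed for the whole
// migration and the counter increments per packet, so no (key, IV) pair repeats.
func iv(nonce uint64, counter uint32) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint64(b[:8], nonce)
	binary.BigEndian.PutUint32(b[8:], counter)
	return b
}

// counterHdr is the counter as associated data, so a packet relabelled with
// another counter fails authentication instead of decrypting under the wrong IV.
func counterHdr(c uint32) []byte {
	h := make([]byte, 4)
	binary.BigEndian.PutUint32(h, c)
	return h
}

// Sender encrypts packets with a strictly increasing counter.
type Sender struct {
	Spec    *MigrationSpec
	counter uint32
}

func (s *Sender) Send(payload []byte) (Packet, error) {
	aead, err := gcmFor(s.Spec.Key)
	if err != nil {
		return Packet{}, err
	}
	s.counter++
	ct := aead.Seal(nil, iv(s.Spec.Nonce, s.counter), payload, counterHdr(s.counter))
	return Packet{Counter: s.counter, Ciphertext: ct}, nil
}

// Receiver decrypts and refuses replayed or out-of-order counters.
type Receiver struct {
	Spec *MigrationSpec
	last uint32
}

func (r *Receiver) Receive(p Packet) ([]byte, error) {
	if p.Counter <= r.last {
		return nil, errors.New("replayed or out-of-order packet")
	}
	aead, err := gcmFor(r.Spec.Key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, iv(r.Spec.Nonce, p.Counter), p.Ciphertext, counterHdr(p.Counter))
	if err != nil {
		return nil, fmt.Errorf("packet %d: %w", p.Counter, err)
	}
	r.last = p.Counter
	return pt, nil
}

// Negotiate applies the per-VM setting ("disabled", "opportunistic",
// "required"); a VMcrypt-encrypted VM is always treated as "required".
func Negotiate(setting string, vmEncrypted, srcSupports, dstSupports bool) (bool, error) {
	if vmEncrypted {
		setting = "required"
	}
	both := srcSupports && dstSupports
	switch setting {
	case "disabled":
		return false, nil
	case "opportunistic":
		return both, nil // falls back to clear if a host is pre-6.5
	case "required":
		if !both {
			return false, errors.New("a host does not support encrypted vMotion; migration refused")
		}
		return true, nil
	}
	return false, fmt.Errorf("unknown setting %q", setting)
}

func main() {
	spec, _ := NewMigrationSpec()
	tx, rx := &Sender{Spec: spec}, &Receiver{Spec: spec}
	p1, _ := tx.Send([]byte("guest memory page 1")) // constructed sample payload
	p2, _ := tx.Send([]byte("guest memory page 2"))
	for _, p := range []Packet{p1, p2, p1} {
		pt, err := rx.Receive(p)
		fmt.Printf("packet %d: %q %v\n", p.Counter, pt, err)
	}
	ok, err := Negotiate("required", false, true, false)
	fmt.Println("required with a 6.0 destination:", ok, err)
}
```

The replay check is the part to keep in mind: a unique counter per packet only protects the stream if the receiver also refuses to accept a counter twice.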
Secure Boot is supported for both VMs and the ESXi hypervisor. It is a UEFI (Unified Extensible Firmware Interface) standard that only permits the boot to proceed if each piece of software can be verified. Secure Boot is a protocol in the UEFI firmware: it validates the boot loader's digital signature against the certificates held in the firmware's trusted database. For ESXi the chain continues past the firmware: the boot loader verifies the kernel, and the kernel's Secure Boot Verifier checks the signature of every VIB before it is loaded. When Secure Boot is enabled it is therefore not possible to install or run unsigned code on ESXi, which keeps unsigned or beta drivers out of a production system. A great blog can be found here.
For VM Secure Boot the guest OS and the VM firmware both need to support UEFI boot (EFI firmware, virtual hardware version 13); it is then a checkbox in the VM's boot options, as per the screenshot below. EFI firmware with Secure Boot supports Windows, Linux and nested ESXi.
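The verification chain described above, as an added Go example (written for this post, not VMware's code). Ed25519 stands in for the real certificates and signature formats: the firmware database holds the key that may sign the boot loader, the boot loader embeds the key that may sign the kernel, and the kernel embeds the key its verifier uses for VIBs, so one unsigned driver or one tampered stage stops the boot. All keys are generated on the spot and the image names and payloads are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Added example, not VMware's code: a toy model of the Secure Boot chain with
// Ed25519 in place of the real certificates and signature formats.

// Image is one signed component: the UEFI boot loader, the kernel, or a VIB.
// NextKey is the public key embedded in the image for verifying whatever it
// loads next (nil for a VIB, which loads nothing).
type Image struct {
	Name      string
	Payload   []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// signedBytes covers name, payload and the embedded key, so swapping the
// embedded key on an already-signed image also breaks its signature.
func signedBytes(img Image) []byte {
	var b bytes.Buffer
	b.WriteString(img.Name)
	b.WriteByte(0)
	b.Write(img.Payload)
	b.Write(img.NextKey)
	return b.Bytes()
}

func sign(priv ed25519.PrivateKey, img *Image) {
	img.Signature = ed25519.Sign(priv, signedBytes(*img))
}

// verify returns false for a missing signature, a wrong key, or a malformed key.
func verify(pub ed25519.PublicKey, img Image) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, signedBytes(img), img.Signature)
}

// SecureBoot is the boot-time check: the firmware db says who may sign the
// boot loader, the boot loader's embedded key says who may sign the kernel,
// and the kernel's embedded key (the Secure Boot Verifier) says which VIBs
// may load. One failure anywhere and the host does not come up.
func SecureBoot(db []ed25519.PublicKey, loader, kernel Image, vibs []Image) error {
	trusted := false
	for _, pub := range db {
		if verify(pub, loader) {
			trusted = true
			break
		}
	}
	if !trusted {
		return fmt.Errorf("%s: not signed by any certificate in the firmware db", loader.Name)
	}
	if !verify(loader.NextKey, kernel) {
		return fmt.Errorf("%s: signature rejected by the boot loader", kernel.Name)
	}
	for _, v := range vibs {
		if !verify(kernel.NextKey, v) {
			return fmt.Errorf("%s: unsigned or untrusted VIB, refusing to boot", v.Name)
		}
	}
	return nil
}

// Chain bundles a constructed boot chain for the demonstration.
type Chain struct {
	DB     []ed25519.PublicKey
	Loader Image
	Kernel Image
	VIBs   []Image
}

// NewChain builds a valid chain with three signers: the CA the firmware
// trusts, the kernel signer, and the VIB signer (all generated here).
func NewChain() (*Chain, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kPub, kPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	vPub, vPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	loader := Image{Name: "bootloader", Payload: []byte("constructed loader bytes"), NextKey: kPub}
	sign(caPriv, &loader)
	kernel := Image{Name: "kernel", Payload: []byte("constructed kernel bytes"), NextKey: vPub}
	sign(kPriv, &kernel)
	vibs := []Image{{Name: "esx-base", Payload: []byte("constructed vib bytes")}}
	sign(vPriv, &vibs[0])
	return &Chain{DB: []ed25519.PublicKey{caPub}, Loader: loader, Kernel: kernel, VIBs: vibs}, nil
}

func main() {
	c, err := NewChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("clean boot:", SecureBoot(c.DB, c.Loader, c.Kernel, c.VIBs))
	// An unsigned (for example beta) driver slipped into the image.
	withBeta := append(append([]Image{}, c.VIBs...), Image{Name: "beta-nic-driver", Payload: []byte("unsigned")})
	fmt.Println("with unsigned VIB:", SecureBoot(c.DB, c.Loader, c.Kernel, withBeta))
	// A tampered boot loader.
	tampered := c.Loader
	tampered.Payload = []byte("modified loader")
	fmt.Println("tampered loader:", SecureBoot(c.DB, tampered, c.Kernel, c.VIBs))
}
```

Note that the check is all-or-nothing: there is no "load the signed VIBs and skip the unsigned one" path, which is exactly why an unsigned driver in a production image is found at the next reboot rather than silently tolerated.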
In previous versions of vSphere logging was quite basic and focused more on point-in-time troubleshooting. With 6.5 this has changed: the vCenter events carry much more detail on activities, giving an easy-to-follow trail of who changed what, including the before and after values. The following screenshot shows who made a change and what was changed (in this case 'Administration' being moved from a PCI vSwitch to a non-PCI vSwitch).
Log Insight ingests this information over syslog, so alerts can be created for specific changes such as the one above, for example any VM being moved off a PCI-scoped network.