Encrypting a VM at the VM level natively in vSphere has long been unavailable, but that may change soon. At VMworld this year there was a tech preview session on a new VM encryption technology that will be coming to a future release of vSphere. I had that session scheduled but missed it due to a conflict, and unfortunately VMware chose not to include it in the session recordings that are available to registered attendees. The description of the session from the VMworld Content Catalog is below:
INF5339 – Protect your VM data with VM Encryption for vSphere and vCloud Air
All disks and metadata files associated with a Virtual Machine are the most important customers' assets in on-premise and hybrid cloud scenarios. A “data at rest” encryption solution is essential to protect these assets against security threats to Virtual Machines. Get a better understanding of how VMware’s upcoming VM encryption solution will protect these assets!
Yuecel Karabulut – Product Line Manager, VMware
Swapneel Kekre – Sr. Engineering Manager, VMware Inc
Why do we need encryption at all? Encryption of data is increasingly required by industry and governmental compliance mandates such as PCI, SOX and HIPAA, which are designed to protect sensitive personal and financial data. In addition, virtualization opens up whole new avenues for stealing data, as servers (VMs) can now be transported out of a data center over a wire or in someone’s pocket. Encryption ensures that data cannot be read by someone who manages to get their hands on a VMDK file. I’ve previously written about the importance of securing your virtual world; encryption is another defensive tool you can use to protect VMs.
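To make the data-at-rest point concrete, here is an added Go example (not code from the original post or from VMware) that treats a small constructed byte buffer as a stand-in for a copied disk image. It shows the three properties a VM-level encryption scheme needs to deliver: a sensitive marker that is trivially findable in the unencrypted image is not present in the sealed image, the image only decrypts under the key that is held separately from the file (the role a key server plays), and any modification of the sealed file is rejected rather than silently decrypted. The AES-256-GCM construction, the marker string and the image layout are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed marker standing in for a secret that would sit in plaintext
// on an unencrypted guest disk (e.g. a config file inside the VMDK).
const secretMarker = "DB_PASSWORD=hunter2-constructed"

// SampleDisk builds a constructed 4 KiB "disk image" with the marker
// embedded at an arbitrary offset, as it would be on a real guest file system.
func SampleDisk() []byte {
	img := make([]byte, 4096)
	copy(img, "CONSTRUCTED-DISK-IMAGE ")
	copy(img[1024:], secretMarker)
	return img
}

// ContainsSecret is the trivial check someone holding a copied disk file
// can run: scan the bytes for the plaintext secret.
func ContainsSecret(image []byte) bool {
	return bytes.Contains(image, []byte(secretMarker))
}

// EncryptImage seals the image with AES-256-GCM. The key is supplied by the
// caller and never written next to the image; in a vSphere-style design it
// would live with a key server, not on the datastore.
// Output layout: nonce || ciphertext || authentication tag.
func EncryptImage(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per seal
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil
}

// DecryptImage reverses EncryptImage. GCM's tag check means a wrong key or a
// modified file yields an error instead of garbage plaintext.
func DecryptImage(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed image too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed key for the demo only; a real deployment gets this from a KMS.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	img := SampleDisk()
	fmt.Println("plaintext image exposes secret:", ContainsSecret(img))

	sealed, err := EncryptImage(key, img)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed image exposes secret:   ", ContainsSecret(sealed))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the stored file
	_, err = DecryptImage(key, sealed)
	fmt.Println("tampered image rejected:       ", err != nil)
}
```

The design choice worth noting is the use of an authenticated mode: with plain CBC or XTS a modified or wrong-key decrypt still "succeeds" and hands the guest corrupted blocks, whereas here the failure is explicit and can be logged and alerted on.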
It’s possible to encrypt VMs right now in vSphere, but it’s not that easy or straightforward and requires 3rd party hardware or software. Encryption can be done at the array level using hardware-level solutions such as encrypting switches, drives or controllers, but these solutions are not granular to the VM level. Other solutions such as HyTrust’s DataControl integrate with VMware to offer VM-level encryption, but they require the purchase and setup of a 3rd party product. This blog post by VMware details that solution. You can also encrypt inside the VM at the guest OS level, but this complicates management of the VM and adds resource overhead.
Native encryption built right into vSphere would be an ideal solution, as it would be much simpler and easier to set up and manage. I can see this being integrated with VMware’s Storage Policy Based Management and possibly leveraging the new vSphere APIs for I/O Filtering, which allow 3rd party vendors to integrate inline with a VM’s storage I/O stream. VMware Workstation already supports VM-level encryption, so VMware has already done some of the work needed to make this a reality. I also suspect VMware will make this available in both vSphere and vCloud Air so that encrypted VMs have cloud mobility.
Beyond the VMworld tech preview session, little other information is available on the new VM-level encryption in vSphere, but I suspect it will be part of the next major release of vSphere. Let’s hope it doesn’t take as long as SMP Fault Tolerance, which was a tech preview session at VMworld for several years before it finally made it into vSphere 6.0. So for now we’ll just have to wait, or if you need something right away, check with your SAN vendor or try one of the 3rd party solutions such as HyTrust DataControl.