{"id":4015,"date":"2018-05-17T17:15:43","date_gmt":"2018-05-17T22:15:43","guid":{"rendered":"http:\/\/www.jasemccarty.com\/blog\/?p=4015"},"modified":"2020-02-16T17:16:15","modified_gmt":"2020-02-16T23:16:15","slug":"vsan-enc-kms-accessibility","status":"publish","type":"post","link":"https:\/\/www.jasemccarty.com\/blog\/vsan-enc-kms-accessibility\/","title":{"rendered":"Understanding vSAN Encryption \u2013 KMS Server Accessibility"},"content":{"rendered":"<p>vSAN 6.6 introduced data at rest encryption as a new feature that provides another choice (in addition to VM Encryption introduced in vSphere 6.5) for customers to secure data in vSphere. Despite the fact that these technologies work a bit differently (per datastore for vSAN Encryption or per VM for VM Encryption) these technologies still use a common Cryptographic Library to perform their work. Key Management is also common among these two technologies.<\/p>\n<p>Mike Foley has some really good content around <a href=\"https:\/\/www.yelof.com\/2017\/10\/05\/key-manager-concepts-and-toplogy-basics-for-vm-and-vsan-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">Key Manager Concepts and Topology Basics for VM and vSAN Encryption<\/a>.<\/p>\n<p>Specific to vSAN though, it is important to keep the KMS external to the vSAN datastore it is providing key management for.<a href=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11856\" src=\"http:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside.png\" alt=\"\" width=\"601\" height=\"391\" srcset=\"https:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside.png 908w, https:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside-220x143.png 220w, https:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside-768x500.png 768w, 
https:\/\/blogs.vmware.com\/virtualblocks\/files\/2018\/05\/vSAN-ENC-KMS-Outside-290x190.png 290w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a>If the KMS resides on the datastore it is providing key management for, a circular dependency can occur.<\/p>\n<p>Hosts in a vSAN cluster that has vSAN Encryption enabled will directly contact the KMS they are assigned to upon boot up to unlock\/mount disk groups.<\/p>\n<p>Consider the following scenario:<\/p>\n<ol>\n<li>KMS resides on a vSAN cluster that has vSAN Encryption enabled.<\/li>\n<li>Hosts that have KMS disks for a virtualized KMS appliance lose power. The KMS is then not accessible.<\/li>\n<li>Those hosts are rebooted, and attempt to connect to the (now unavailable) KMS appliance.<\/li>\n<li>The previously failed vSAN hosts will boot, but will not unlock or mount the disk groups.<\/li>\n<li>The KMS appliance&#8217;s disks are still not available and will not be.<\/li>\n<\/ol>\n<p>It is important to remember that a KMS appliance should not be stored on the vSAN datastore that it is providing keys for. 
This is not a supported configuration.<\/p>\n<p>We have some sample PowerCLI code that can be used to check whether a KMS appliance is residing on the vSAN Cluster it is providing key management for; it is located here: <a href=\"https:\/\/code.vmware.com\/samples\/3773\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/code.vmware.com\/samples\/3773\/<\/a><\/p>\n<p>This was originally posted on the VMware Virtual Blocks site: https:\/\/blogs.vmware.com\/virtualblocks\/2018\/05\/17\/vsan-enc-kms-accessibility\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>vSAN 6.6 introduced data at rest encryption as a new feature that provides another choice (in addition to VM Encryption introduced in vSphere 6.5) for &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4015","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/4015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/comments?post=4015"}],"version-history":[{"count":2,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/4015\/revisions"}],"predecessor-version":[{"id":4017,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/posts\/4015\/revisions\/4017"}],"wp:attachment":[{"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/media?parent=4015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:
\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/categories?post=4015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jasemccarty.com\/blog\/wp-json\/wp\/v2\/tags?post=4015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}