Friday, October 27, 2017

Setting up Encryption in vSAN 6.6

I have had this post in the works for a while now. I have had some challenges in my home lab with unstable storage and issues with Fibre Channel support on my FreeNAS server. I have since moved over to an IBM DS3400 SAN, and that has been much more stable. Anyway, I digress; onto the content!

I wanted to play around with the new encryption options that vSAN 6.6 brings to the table, and I was fortunate enough to get set up with a HyTrust KMS server so I could get it up and running and test it out. I want to give a huge shoutout to the HyTrust team for providing this to me; without their support this post would not be possible! I will not be doing any benchmarks but rather seeing how the technology works and how easy it is to implement.

The first step is to have a working vSAN cluster. I happen to have a 6 node nested ESXi 6.5u1 vSAN cluster in my lab, with each nested host containing 2 vCPU, 16GB of RAM, 1 10GB cache disk and 1 50GB capacity disk, for a total of 300GB on the vSAN datastore. This cluster is running FTT=2. I will be installing the HyTrust KMS server into the nested environment.

I will then be choosing the vSAN encryption option on the Configure tab of the vSAN settings and then will point it over to my HyTrust KMS server appliance.

Let's deploy the Appliance OVA shall we?

Here you can see the configuration options, and it looks like it's a pretty lightweight appliance, only requiring 2 vCPU and 8GB of RAM for the recommended deployment size. I will be choosing the Demo size since this is a nested lab and requirements will be low. That brings the resources down to 1GB of RAM.

Next we will need to fill in the IP address and DNS information for the appliance. That is it for the OVA deployment. Let's see what is next.

After powering up the appliance, we are first greeted with the HyTrust logo and then prompted to create a new password for the KeyControl system. Next, it asks whether you are joining this KMS server to an existing KeyControl system. In our case this would be a no, as this is the first KeyControl system in the lab. Now we can further manage the appliance by going into the web GUI.

Now that we are in the web GUI, we need to log in with the default credentials of username secroot and password secroot.

Accept the EULA and then change your password. Next up we need to configure the email notification delivery settings. You can skip these if you wish. Once those are set we can move on to configuring the KMS cluster. We need to set up the KMIP server by clicking on the icon for it in the top menu.

Then it is time to enable the KMIP server by clicking the word disable, checking the enable box, and saving that setting. From what I experienced, even if you hit the Save button, it doesn't turn the service on until you hit the Apply button in the lower right. We also need to make note of the port number, 5696, that the server uses, for later configuration in vCenter.

Next we will choose the User tab and create a user. If you see a message that says the KMIP server is disabled, go back and re-enable the server and make sure to hit Apply after saving. In my case I named the user the same as the vCenter that was going to be using this KMS KeyControl system. Do not specify a password here, as it will mess things up in later steps. This is left blank intentionally in accordance with the documentation received from HyTrust.

I will go ahead and click create on that user as shown above, and then click to select the vCenter user that was just created and choose the Download Certificate from the Action menu. This will complete the actions we need to take in the HyTrust GUI.

We now need to go into vCenter and configure our KMS server. At the vCenter level in the Web Client we will go to the Configure tab and then on the left nav column choose Key Management Servers. Then click the green + to add KMS.

Here we will enter a name for the KMS cluster, an FQDN for the server, and the IP address and port information. This is port 5696, which we noted when enabling the KMIP server in the HyTrust GUI earlier. I will then click OK and set that as the default KMS for the cluster. Then click Trust to accept the certificate from KeyControl.

Now we are back at the KMS screen in vCenter and we notice that we have an error message that the connection status is "Cannot establish trust connection". It explains if you click details that you need to generate a Certificate for the cluster, which we already did in steps up above in the HyTrust GUI.

The next step is to import that certificate that you downloaded earlier from the vCenter user tab inside of the HyTrust UI, and now use it to establish trust between vCenter and the KMS cluster. To do that we will click the Establish Trust with KMS ribbon at the top of the menu.

We will choose the last option on this screen: Upload certificate and private key.

Extract the ZIP file you downloaded from the HyTrust UI earlier and upload the vCenter.pem certificate for both fields, Certificate and Private Key. After uploading, make sure that they match, with the same key in both fields.
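Because the same vCenter.pem goes into both fields, it is worth confirming before upload that the file really carries both a certificate block and a private key block. The following is an added example, not code from this post, HyTrust or VMware; the function names are hypothetical and the sample bundles are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem_bundle(text):
    """Count the block types found in a PEM bundle such as vCenter.pem."""
    out = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0, "malformed": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = body.strip().splitlines()
        # Header lines contain ':'; the base64 alphabet never does.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            if not payload:
                raise ValueError("empty block")
            base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            out["malformed"].append(label)
            continue
        if label == "CERTIFICATE":
            out["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            out["private_keys"] += 1
            # PKCS#8 uses the label; traditional OpenSSL uses a Proc-Type header.
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                out["encrypted_keys"] += 1
    return out

def covers_both_fields(text):
    """True when one file can fill both the Certificate and Private Key fields."""
    r = inspect_pem_bundle(text)
    return r["certificates"] >= 1 and r["private_keys"] >= 1 and not r["malformed"]

def _block(label, raw, headers=""):
    """Build a constructed PEM block for the samples below."""
    b64 = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n"

# Constructed sample input (placeholder bytes, not a real certificate or key).
SAMPLE_CERT = _block("CERTIFICATE", b"constructed placeholder, not a certificate")
SAMPLE_BUNDLE = SAMPLE_CERT + _block("PRIVATE KEY", b"constructed placeholder key")
SAMPLE_ENCRYPTED = SAMPLE_CERT + _block(
    "RSA PRIVATE KEY", b"constructed placeholder key",
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    print(inspect_pem_bundle(SAMPLE_BUNDLE), covers_both_fields(SAMPLE_BUNDLE))
```

Run it against the extracted file by passing its text to `covers_both_fields`. Since the file holds a private key, keep it out of shared folders and delete the extracted copy once trust is established.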

You can now notice that our connection status has changed to Normal with a green check letting us know everything is communicating.

Now we are done adding the KMS to vCenter. Let's navigate over to the cluster level and look at the Configure tab under vSAN General. We will choose the Edit button on the top right to edit the disk configuration.

You will notice that when I select the Encryption option, the HyTrust KMS populates automatically since it is the only KMS installed. You also have the option of checking the Erase Disks before use box, which will significantly reduce the chances of a data leak and increase an attacker's cost to view sensitive data. Once I click OK, the cluster will do rolling disk group reformats in the vSAN cluster to enable the encryption feature.

Now our vSAN cluster is encrypted. It really doesn't take that much effort; it took much longer to write this post than to actually deploy the solution. For those in healthcare with HIPAA requirements, or those in the banking industry with PCI compliance to adhere to, this is a strong solution that is now built into vSAN. All it requires is a KMS provider and a little configuration and you are set. This solution uses data-at-rest encryption and ensures that anybody who walks out of your datacenter with a device will not have any useful data at all. It uses AES-256 bit encryption. I hope you have enjoyed this walkthrough of vSAN encryption and KMS provider setup. I would again like to thank HyTrust for providing the KMS for this demo. Cheers and thanks for reading!