Configure vSAN Encryption using vSphere Native Key Provider

Starting with vSphere 7.0U2, vSphere customers can use the Native Key Provider built into vCenter for VM and datastore encryption. Before this, customers depended on third-party key management solutions such as HyTrust.

In this blog we will walk through configuring datastore-level vSAN encryption on an existing, already configured vSAN cluster, which provides data-at-rest encryption. This is different from VM encryption and is slightly more involved.

Enabling data-at-rest encryption on a new vSAN cluster is easier than enabling it on an existing vSAN cluster, because of the virtual machines already running on the cluster and automatic disk claiming (which must be set to manual).

Navigate to the vCenter Configure tab and select Key Providers under Security:

  • Click ADD and choose Add Native Key Provider.
  • Give the Native Key Provider a name.
  • Once created, you must back up the Native Key Provider before it becomes active.
  • Back up the Native Key Provider with a password (recommended) and enable TPM protection if your hosts support it. Store the backup in a safe location.

Note: It is important that you back up the vSphere Native Key Provider and store the backup in a safe location, because it will be required to restore the key provider if you ever find yourself in a disaster recovery situation.

  • For an existing vSAN cluster, migrate all the VMs off to other storage temporarily.
  • Disable vSphere HA.
  • Now create a new vSAN cluster.
  • Configure vSAN services and enable Data-at-Rest Encryption, selecting the key provider created earlier. Note that Wipe residual data takes some time; it can take up to 5-6 hours depending on the number of nodes in the cluster.
  • Claim the disks manually for the vSAN cluster (7 capacity/1 cache per host) on the next screen.
  • Validate the configuration and click Finish.
  • Migrate the virtual machines back to the vSAN datastore and re-enable vSphere HA.

That completes the task of enabling vSphere native key based vSAN encryption on an existing vSAN cluster.
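The same procedure can be driven from PowerCLI, which also lets you verify the preconditions the steps above depend on (key provider backed up, no VMs left on the vSAN datastore, HA off, disk claiming manual) before encryption is turned on. The script below is an added example, not code from the original post; it enables encryption on the existing cluster's vSAN configuration rather than walking through the New Cluster wizard, the vCenter name, cluster name and key provider name are placeholders, and the `HasBackup` property and passing a Native Key Provider to `-KmsCluster` are assumptions marked in the comments.

```powershell
# Added example (not from the original post). Assumes PowerCLI 12.3 or newer.
# Items marked ASSUMED are not confirmed against the PowerCLI reference.
param(
    [string]$VCenter     = 'vcsa.example.test',   # placeholder vCenter FQDN
    [string]$ClusterName = 'vSAN-Cluster',        # placeholder cluster name
    [string]$KeyProvider = 'NKP-01'               # placeholder Native Key Provider name
)

Connect-VIServer -Server $VCenter | Out-Null
$cluster = Get-Cluster -Name $ClusterName

# 1. The Native Key Provider must exist and must have been backed up, or it is not active.
$nkp = Get-KeyProvider -Name $KeyProvider
if (-not $nkp) { throw "Key provider '$KeyProvider' not found" }
# ASSUMED property name; the vCenter API exposes this as NativeKeyProvider.hasBackup.
if (-not $nkp.HasBackup) { throw "Key provider '$KeyProvider' has not been backed up yet" }

# 2. No VMs may still live on the vSAN datastore (migrate them off temporarily first).
$vsanDs = Get-Datastore -RelatedObject $cluster | Where-Object { $_.Type -eq 'vsan' }
$stuck  = Get-VM -Datastore $vsanDs
if ($stuck) { throw ("VMs still on the vSAN datastore: " + ($stuck.Name -join ', ')) }

# 3. vSphere HA off and disk claiming set to manual, as the procedure requires.
if ($cluster.HAEnabled) {
    $cluster | Set-Cluster -HAEnabled $false -Confirm:$false | Out-Null
}
if ($cluster.VsanDiskClaimMode -ne 'Manual') {
    $cluster | Set-Cluster -VsanDiskClaimMode Manual -Confirm:$false | Out-Null
}

# 4. Enable data-at-rest encryption. Wiping residual data is the long-running step
#    (hours, scaling with the number of nodes), so this call blocks for a long time.
#    ASSUMED: -KmsCluster accepts the Native Key Provider object returned above.
Get-VsanClusterConfiguration -Cluster $cluster |
    Set-VsanClusterConfiguration -EncryptionEnabled $true -KmsCluster $nkp `
        -EraseDisksBeforeUse $true -Confirm:$false | Out-Null

# 5. Verify the result before migrating VMs back and re-enabling HA.
$cfg = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $cfg.EncryptionEnabled) { throw "Encryption is not enabled on $ClusterName" }
"Data-at-rest encryption enabled on $ClusterName using key provider $($cfg.KmsCluster.Name)"
```

Run the disk claiming, VM migration back and `Set-Cluster -HAEnabled $true` as separate steps after the script reports success, so that a failed wipe does not leave VMs on a half-configured datastore.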
