{"id":34477,"date":"2018-09-18T09:00:08","date_gmt":"2018-09-18T07:00:08","guid":{"rendered":"https:\/\/nolabnoparty.com\/?p=34477"},"modified":"2023-07-16T11:27:56","modified_gmt":"2023-07-16T09:27:56","slug":"vsphere-vms-encryption-encrypt-virtual-machines-pt-3","status":"publish","type":"post","link":"https:\/\/nolabnoparty.com\/en\/vsphere-vms-encryption-encrypt-virtual-machines-pt-3\/","title":{"rendered":"vSphere VMs encryption: encrypt virtual machines - pt.3"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter wp-image-34486 size-full\" title=\"virtual-machines-encryption-01\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-01.jpg\" alt=\"virtual-machines-encryption-01\" width=\"602\" height=\"202\" \/><\/p>\n<p>Once the KMS Server has been configured and successfully added to the vCenter Server, you are able to encrypt virtual machines.<\/p>\n<p>The access to the encrypted virtual disk requires a correct key owned only by the <strong>virtual machine that manages the virtual disk<\/strong>. 
An unauthorized virtual machine that tries to access the encrypted VMDK without the correct key will receive only <strong>meaningless data<\/strong>.<!--more--><\/p>\n<p>&nbsp;<\/p>\n<h2>Blog series<\/h2>\n<p><a href=\"https:\/\/nolabnoparty.com\/en\/vsphere-vms-encryption-kms-server-installation-pt-1\/\">vSphere VMs encryption: KMS Server installation - pt.1<\/a><br \/>\n<a href=\"https:\/\/nolabnoparty.com\/en\/vsphere-vms-encryption-setup-vcenter-server-pt-2\/\">vSphere VMs encryption:\u00a0setup vCenter Server - pt.2<\/a><br \/>\nvSphere VMs encryption: encrypt virtual machines - pt.3<\/p>\n<p>&nbsp;<\/p>\n<h2>How to use encryption<\/h2>\n<p>Before proceeding with virtual machine encryption, keep the following recommendations in mind to avoid problems.<\/p>\n<ul>\n<li>Platform Services Controller and vCenter Server virtual machines <strong>should not be encrypted<\/strong>.<\/li>\n<li>The support bundle used to decrypt a core dump is generated using the ESXi host key. If the host is rebooted, the host key may change, and you can no longer generate a support bundle with a password or decrypt core dumps in the support bundle with the host key. 
For this reason, if the host crashes, you should <strong>retrieve the support bundle<\/strong> as soon as possible.<\/li>\n<li>Since .VMX files and .VMDK descriptor files contain the support bundle, <strong>do not edit<\/strong> these files, otherwise the virtual machine becomes unrecoverable.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Encrypt a virtual machine<\/h2>\n<p>The encryption and decryption process of virtual machines is controlled by <strong>storage policies<\/strong>.\u00a0The virtual machine <strong>must be powered off<\/strong> before proceeding with encryption.<\/p>\n<p>From the vSphere Web Client, right-click the virtual machine to encrypt and select <strong>VM Policies &gt; Edit VM Storage Policies<\/strong>.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34500 size-large\" title=\"virtual-machines-encryption-02\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-02-600x395.jpg\" alt=\"virtual-machines-encryption-02\" width=\"600\" height=\"395\" \/><\/p>\n<p>From the <strong>VM storage policy<\/strong> drop-down menu, select the <strong>VM Encryption Policy<\/strong> option to encrypt the virtual machine.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34502 size-large\" title=\"virtual-machines-encryption-03\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-03-600x328.jpg\" alt=\"virtual-machines-encryption-03\" width=\"600\" height=\"328\" \/><\/p>\n<p>Click <strong>Apply to all<\/strong>, then click <strong>OK<\/strong>\u00a0to proceed with encryption.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34504 size-large\" title=\"virtual-machines-encryption-04\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-04-600x328.jpg\" alt=\"virtual-machines-encryption-04\" width=\"600\" height=\"328\" \/><\/p>\n<p>When the encryption process has completed, go to the virtual machine\u2019s 
<strong>Summary<\/strong> tab. The icon indicates that the selected virtual machine is encrypted, and in the <strong>VM Hardware<\/strong> widget, a new <strong>Encryption<\/strong> field specifies what components are encrypted.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34508 size-large\" title=\"virtual-machines-encryption-05\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-05-600x574.jpg\" alt=\"virtual-machines-encryption-05\" width=\"600\" height=\"574\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2>Encrypt the vSAN cluster<\/h2>\n<p>If you use <a href=\"https:\/\/nolabnoparty.com\/en\/virtual-san-2-node-cluster-installtion-robo-pt1\/\">vSAN<\/a> as a datastore in your infrastructure, you can also enable encryption on your\u00a0<strong><span id=\"GUID-F3B2714F-3406-48E7-AC2D-3677355C94D3__productname_7FD6EC53719643BAA01BD8EE7F41D69D\" class=\"ph productname\">vSAN<\/span>\u00a0cluster<\/strong>.<\/p>\n<p>From the vSphere Web Client, select the vSAN cluster and go to the <strong>Configure<\/strong> tab. Select <strong>General<\/strong> under <strong>vSAN<\/strong> and click the <strong>Edit<\/strong> button in the <strong>vSAN is Turned ON<\/strong> area.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34514 size-large\" title=\"virtual-machines-encryption-06\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-06-600x255.jpg\" alt=\"virtual-machines-encryption-06\" width=\"600\" height=\"255\" \/><\/p>\n<p>Enable <strong>Encryption<\/strong> and select the <strong>KMS cluster<\/strong> to use. 
Click <strong>OK<\/strong> to apply encryption to your vSAN cluster.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-34516 size-full\" title=\"virtual-machines-encryption-07\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2018\/08\/virtual-machines-encryption-07.jpg\" alt=\"virtual-machines-encryption-07\" width=\"557\" height=\"492\" \/><\/p>\n<p>Since encryption affects virtual machine <a href=\"https:\/\/www.vmware.com\/content\/dam\/digitalmarketing\/vmware\/en\/pdf\/techpaper\/vm-encryption-vsphere65-perf.pdf\" target=\"_blank\" rel=\"noopener\">performance<\/a>, it should be applied only to virtual machines that require a <strong>high level of security<\/strong>.<\/p>\n<p><img decoding=\"async\" title=\"signature\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/images\/firma.jpg\" alt=\"signature\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Once the KMS Server has been configured and successfully added to the vCenter Server, you are able to encrypt virtual machines. The access to the encrypted virtual disk requires a correct key owned only by the virtual machine that manages the virtual disk. 
An unauthorized virtual machine that tries to access the encrypted VMDK without the correct key will receive only meaningless data.<\/p>\n","protected":false},"author":3,"featured_media":34486,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"linkedin_93tdZWzMZc_93tdZWzMZc":"","facebook_2879994398731222_17841400390232720":"","twitter_113568041_113568041":"","mastodon_115463926174894442_115463926174894442":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[903,2701],"tags":[1891,1890],"class_list":["post-34477","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vmware-en","category-vsphere-en","tag-encrypt","tag-virtual-machines","has_thumb"],"_links":{"self":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/34477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/comments?post=34477"}],"version-history":[{"count":0,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/34477\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media\/34486"}],"wp:attachment":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media?parent=34477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/categories?post=34477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/tags?post=34477"}],"curies":[{"name":"wp",
"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}