Category Archives: VMware

vSphere Encryption- Knowing your limits

I’ve been running a Proof of Concept system for vSphere Encryption using vSphere 6.5u1 and a HyTrust KeyControl 4.0 KMS cluster. This has been very straightforward to implement and use, and there’s plenty of documentation out there on how to do so, so in this post I’ll highlight some of the limitations instead. A few of these are things you may do day-to-day with normal VMs that you can’t do with encrypted ones, but there’s usually a sound technical reason why.

Encrypting and Decrypting

The power state of a VM limits some encryption operations. For example, a powered-on virtual machine cannot be encrypted or decrypted. This example shows what happens when PowerCLI (with the encryption module described here) is used to decrypt a running VM:

PS C:\> Get-VM -Name "KMSTest6" | Disable-VMEncryption
Disable-VMEncryption : The VM can only be decrypted when powered off,
 but the current power state of KMSTest6 is PoweredOn!

The keys can be changed (a re-key operation), possibly to a different KMS cluster. A “Shallow Re-key”, where the disk’s data encryption key is simply re-wrapped with a new key-encryption key from the KMS, works on a powered-on VM; a “Deep Re-key”, where the disk contents themselves are re-encrypted with a new data key, is only possible when the VM is powered off.

Snapshots and Clones

Similarly, a snapshot that includes the memory of a running VM is not possible. You can snapshot a powered-off VM, or snapshot a running VM without its memory state (which gives you a snapshot that reverts to powered off), but you cannot include the memory. This makes sense: VM Encryption is applied as the hypervisor writes to disk, so memory contents sit outside that process and a memory snapshot could land unencrypted data on the datastore.

It’s also not possible to decrypt or encrypt a VM with snapshots:

PS C:\> Get-VM -Name "KMSTest5" | Enable-VMEncryption
Enable-VMEncryption : KMSTest5 has snapshots,
 please remove all snapshots and try again!

You can, however, clone an encrypted VM: the resulting clone is also encrypted and uses the same keys. vMotion also works as expected.

Replication

vSphere Replication does not work with encrypted VMs: replication can be configured, but it fails as soon as it tries to sync.


Licensing

In most environments where vSphere Encryption is in use, the hosts will probably all be licensed with Enterprise Plus (see the license comparison table). If you are running a mixture of licenses (including any regular, non-Plus Enterprise licenses), however, the limitations of those licenses come into play: it is not possible to turn on encryption for a VM running on a host with anything but a full Enterprise Plus license.

Hosts with Standard licenses, or with the Enterprise licenses that are no longer available to purchase, will not allow their VMs to be encrypted, nor will they accept encrypted VMs migrated onto them. Additionally, if one or more of these “inferior” hosts sits in a cluster, you will not be able to power on an encrypted machine in that cluster, even if the other hosts are licensed with Enterprise Plus.

Disks

There’s a lot of flexibility down at the disk level. You can use different keys (or even different KMS clusters) for different virtual hard disks (i.e. each .vmdk has its own key), and you can take an encrypted disk and attach it to another VM. The limitation is that you cannot attach an encrypted virtual hard disk to an unencrypted VM. This again makes sense: the disk’s key information lives in the VM’s configuration files, and on an unencrypted VM those files, and so the key information, would be in the clear.
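As an added example (not code from the original post, from PowerCLI or from the VMware.VMEncryption module the post uses), the following PowerCLI function checks the limitations described in the Encrypting and Decrypting, Snapshots and Clones, Licensing and Disks sections above before you call Enable-VMEncryption or Disable-VMEncryption, so the failure shows up as a readable list rather than a half-completed task. The function and parameter names and the 'Enterprise Plus' match on the license name are this example's own assumptions; it assumes an existing Connect-VIServer session and relies on the vSphere 6.5 API properties Config.KeyId (VM) and Backing.KeyId (disk) being null when nothing is encrypted.

```powershell
# Added example: pre-flight checks for VM encryption operations.
# Assumes Connect-VIServer has already been run. Function/parameter names
# are this example's own, not part of PowerCLI or the VMEncryption module.

function Test-VMEncryptionPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [switch] $Decrypt   # check for Disable-VMEncryption instead of Enable-VMEncryption
    )

    $vm = Get-VM -Name $Name -ErrorAction Stop
    $problems = @()

    # 1. Encrypt, decrypt and deep re-key only work on a powered-off VM.
    if ($vm.PowerState -ne 'PoweredOff') {
        $problems += "VM is $($vm.PowerState); power it off first"
    }

    # 2. Any snapshot (with or without memory) blocks both operations.
    $snaps = @(Get-Snapshot -VM $vm)
    if ($snaps.Count -gt 0) {
        $problems += "VM has $($snaps.Count) snapshot(s): $($snaps.Name -join ', ')"
    }

    # 3. Is the VM already in the requested state? Config.KeyId is null when
    #    the VM home is not encrypted (vSphere 6.5 API).
    $encrypted = $null -ne $vm.ExtensionData.Config.KeyId
    if ($Decrypt -and -not $encrypted)      { $problems += 'VM is not encrypted' }
    if (-not $Decrypt -and $encrypted)      { $problems += 'VM is already encrypted' }

    # 4. Every host in the VM's cluster must be Enterprise Plus; one lesser host
    #    in the cluster stops encrypted VMs powering on at all. Stand-alone
    #    hosts are checked on their own. The edition is read from the assigned
    #    license name (assumption: Enterprise Plus editions contain that text).
    $cluster = Get-Cluster -VM $vm -ErrorAction SilentlyContinue
    $hosts = if ($cluster) { Get-VMHost -Location $cluster } else { @($vm.VMHost) }
    $licMgr    = Get-View (Get-View ServiceInstance).Content.LicenseManager
    $assignMgr = Get-View $licMgr.LicenseAssignmentManager
    foreach ($h in $hosts) {
        $assigned = $assignMgr.QueryAssignedLicenses($h.ExtensionData.MoRef.Value)
        $edition  = $assigned.AssignedLicense.Name | Select-Object -First 1
        if ($edition -notmatch 'Enterprise Plus') {
            $problems += "Host $($h.Name) is licensed '$edition', not Enterprise Plus"
        }
    }

    [pscustomobject]@{
        VM        = $vm.Name
        Encrypted = $encrypted
        Ready     = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Guard for the Disks limitation: an encrypted .vmdk may be moved between
# VMs, but only onto a VM whose home is itself encrypted.
function Test-EncryptedDiskTarget {
    param(
        [Parameter(Mandatory)] $HardDisk,          # object from Get-HardDisk
        [Parameter(Mandatory)] [string] $TargetVM
    )
    $target  = Get-VM -Name $TargetVM -ErrorAction Stop
    $diskKey = $HardDisk.ExtensionData.Backing.KeyId   # null for an unencrypted disk
    if ($diskKey -and -not $target.ExtensionData.Config.KeyId) {
        throw "Disk '$($HardDisk.Filename)' is encrypted (key $($diskKey.KeyId)) but '$TargetVM' is not; encrypt the VM home first"
    }
    return $true
}

# Usage:
#   Test-VMEncryptionPrereqs -Name KMSTest6 -Decrypt
#   Test-EncryptedDiskTarget -HardDisk (Get-HardDisk -VM KMSTest5 | Select-Object -First 1) -TargetVM KMSTest6
```

Run the checks and act on the Problems list before changing anything; the function deliberately makes no changes itself, so it is safe to run against production VMs.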

Summary

The encryption model introduced in vSphere 6.5 is a very useful feature and straightforward to implement. However, the day-to-day activities surrounding virtual machines after they are encrypted (snapshots, replication, migration and licensing) need to be considered to ensure that operational processes remain valid.



VMworld 2017 Europe Tuesday Keynote

Even when VMworld US had been weeks in advance of the European event there was a lot in common between the keynotes, so with the two legs just days apart this year more similarity was inevitable. My write-ups of the VMworld 2017 US keynotes can be found elsewhere on this blog, so I’ll try to avoid too much duplication.

Jean-Pierre Brulard kicked off the proceedings touching on the tragic events that occurred in Barcelona only weeks ago before welcoming the eleven thousand visitors to VMworld who had travelled from 95 countries across the globe.


VMworld 2017 Europe Monday

Yesterday the VMworld faithful started arriving at El Prat Airport in Barcelona, heading to registration at the Fira Gran Via and checking into their hotels in the city. To get the event started, the annual vRockstar gathering offered the chance to renew old friendships and make some new ones. This year vRockstar found a new home by the marina at the “Soho House” club. Thanks again to the organisers Patrick Redknap and Marco Broeken and the numerous sponsors they managed to persuade to dip into their pockets.

Monday morning, bright and early, it was time to go back to the Fira for the Monday morning explore. Monday is primarily Partner/TAM day, but there are a number of sessions open to all attendees, plus the Hands-On Labs, Education Lounge and VMTN Community area are all up and running in the VMVillage.

Missing Content Libraries

Symptoms

I came to deploy a Virtual Machine from a Content Library on vSphere 6.5 and discovered that the Content Library had disappeared.


Cause

The Content Library Service was stopped.


Attempting to start the service produced an error, both through the GUI and from the command line.

login as: root
VMware vCenter Server Appliance 6.5.0.10000
Type: vCenter Server with an embedded Platform Services Controller
root@<vcsa>'s password:
Last login: Thu Sep 7 12:55:51 2017 from

root@<vcsa> [ ~ ]# service-control --status vmware-content-library
Stopped:
vmware-content-library
root@<vcsa> [ ~ ]# service-control --start vmware-content-library
  Perform start operation. vmon_profile=None, svc_names=['vmware-content-library'], include_coreossvcs=False, include_leafossvcs=False
  2017-09-07T13:27:38.208Z Service content-library state STOPPED
  Error executing start on service content-library. Details {
  "resolution": null,
  "detail": [
  {
  "args": [
  "content-library"
  ],
  "id": "install.ciscommon.service.failstart",
  "localized": "An error occurred while starting service 'content-library'",
  "translatable": "An error occurred while starting service '%(0)s'"
  }
  ],
  "componentKey": null,
  "problemId": null
  }
  Service-control failed. Error {
  "resolution": null,
  "detail": [
  {
  "args": [
  "content-library"
  ],
  "id": "install.ciscommon.service.failstart",
  "localized": "An error occurred while starting service 'content-library'",
  "translatable": "An error occurred while starting service '%(0)s'"
  }
  ],
  "componentKey": null,
  "problemId": null
  }
root@<vcsa> [ ~ ]#

The symptoms possibly started following an upgrade of vCenter to 6.5 Update 1.


Solution

Replacing ts-config.properties with the ts-config.properties.rpmnew file that the upgrade had left beside it (see VMware KB2151085 here), after backing up both files, allowed me to restart the service.

root@<vcsa> [ ~ ]# cd /etc/vmware-content-library/config
root@<vcsa> [ /etc/vmware-content-library/config ]# ls
  cls-config.properties ts-config.properties ts-config.properties.rpmnew vdcs-config.properties
root@<vcsa> [ /etc/vmware-content-library/config ]# cp ts-config.properties ts-config.properties.orig
root@<vcsa> [ /etc/vmware-content-library/config ]# cp ts-config.properties.rpmnew ts-config.properties.rpmnew.orig
root@<vcsa> [ /etc/vmware-content-library/config ]# mv ts-config.properties.rpmnew ts-config.properties

root@<vcsa> [ /etc/vmware-content-library/config ]# service-control --stop vmware-content-library;service-control --start vmware-content-library
  Perform stop operation. vmon_profile=None, svc_names=['vmware-content-library'], include_coreossvcs=False, include_leafossvcs=False
  Successfully stopped service content-library
  Perform start operation. vmon_profile=None, svc_names=['vmware-content-library'], include_coreossvcs=False, include_leafossvcs=False
  2017-09-07T13:29:15.212Z Service content-library state STOPPED
  Successfully started service content-library
root@<vcsa> [ /etc/vmware-content-library/config ]#


The Content Library was, however, still not visible until after a reboot of the vCenter Server Appliance.
