Tag Archives: encryption

vSphere Encryption- Knowing your limits

SecurityI’ve been running a Proof of Concept system for vSphere Encryption using vSphere 6.5u1 and a HyTrust KeyControl 4.0 KMS cluster. This has been very straightforward to implement and use and there’s plenty of documentation out there on how to do so, but in this post I’ll be highlighting some of the limitations. A few of these are things you can’t do that you may currently do day-to-day with normal VMs but there’s usually a sound technical reason why it’s not possible to do so with an encrypted VM.

Encrypting and Decrypting

The power state of a VM limits some encryption processes. For example, a powered-on Virtual machine can not be encrypted or decrypted. This example shows what happens when PowerCLI (with the encryption module described here) is used to encrypt a running VM:

PS C:\> Get-VM -Name "KMSTest6" | Disable-VMEncryption
Disable-VMEncryption : The VM can only be decrypted when powered off,
 but the current power state of KMSTest6 is PoweredOn!

The encryption can be changed (a re-key operation), possibly to a different KMS server- however whilst a “Shallow Re-key” operation where the key is re-encrypted is fine, the “Deep Re-key” where the disk itself is re-encrypted with the new key is not possible when the VM is powered on.

Snapshots and Clones

Similarly, a snapshot including memory of a running VM is not possible. It is possible to snapshot a powered off VM, or a running VM without the memory state (which creates a powered-off snapshot), but not to include the memory. This makes sense as the VM Encryption process runs as the hypervisor writes to disk, memory would be outside this process and potentially reveal unencrypted data in the snapshot.

It’s also not possible to decrypt or encrypt a VM with snapshots:

PS C:\> Get-VM -Name "KMSTest5" | Enable-VMEncryption
Enable-VMEncryption : KMSTest5 has snapshots,
 please remove all snapshots and try again!

You can however clone an encrypted VM- the resulting clone is also encrypted and uses the same keys. vMotion also works as expected.

Replication

vSphere Replication does not work with encrypted VMs. Replication can be configured but will fail when it tries to sync.

image

Licensing

In most environments where vSphere Encryption is in use, the hosts will probably be all licensed with Enterprise Plus (see the license comparison table). However, if you are running a mixture of licenses (including any regular non-plus Enterprise licenses) the limitations of  those licenses comes into play. It’s not possible to turn on encryption on a VM allocated to a host with anything but a full Enterprise-Plus license.

Any hosts with Standard, or the no longer available to purchase Enterprise licenses will not allow their VMs to be encrypted- or for encrypted VMs to be migrated onto them. Additionally if you have one or more of these “inferior” hosts in a cluster you will not be able to power on an encrypted machine in that cluster- even if other hosts are licensed to Enterprise Plus.

Disks

There’s lots of flexibility down at the disk level. You can use different keys (or even KMS Clusters) for different virtual hard disks (i.e. each .vmdk has a different key) and you can take an encrypted disk and attach it to another VM. The limitation here is you cannot attach an encrypted virtual hard disk to an unencrypted VM- this again makes sense as the key information in the configuration would then be in the clear.

Summary

The encryption model introduced in vSphere 6.5 is a very useful feature and straightforward to implement however consideration needs to be taken on the continuing activities surrounding virtual machines post-encryption to ensure that operational processes are still valid.


Advert:

Checking Encryption Status of Remote Windows Computers

Using the manage-bde command you can check the Bitlocker encryption status on both the local Windows computer but also remote devices on the local area network. For example, to check the encryption status of the C: drive on the computer “WS12345” the following command could be used

manage-bde -status -computername WS12345 C:

and the results might look something like this:

BitLocker Drive Encryption: Configuration Tool version 10.0.14393
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Computer Name: WS12345

Volume C: [OSDisk]
[OS Volume]

Size:                 237.99 GB
BitLocker Version:    2.0
Conversion Status:    Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method:    AES 256 with Diffuser
Protection Status:    Protection On
Lock Status:          Unlocked
Identification Field: None
Key Protectors:
    Numerical Password
    TPM

Expanding on this we could wrap some PowerShell around the command and read in a list of hostnames from a text file and report on the encryption status of each.

Firstly we need to format the output of manage-bde to only show us the value of the “Conversion Status” field- PowerShell’s string manupulation can come in handy here- we can locate the “Conversion Status” line, check that it is present (if the computer is not on the network, or access is denied the manage-bde command will not return a status), and then trim back the line so we only have the value of the field. For example:

#Check the Encryption Status of the C: drive, filter to the Conversion Status line
$EncryptionStatus=(manage-bde -status -computername "$hostname" C: | where {$_ -match 'Conversion Status'})
#Check a status was returned.
if ($EncryptionStatus)
{
  #Status was returned, tidy up the formatting
  $EncryptionStatus=$EncryptionStatus.Split(":")[1].trim()
}
else
{
  #Status was not returned. Explain why in the output
  $EncryptionStatus="Not Found On Network (or access denied)"
}

Once this is working, it’s just a case of reading in the text file using the get-content cmdlet and outputting a result. The full code (Get-EncryptionStatus.ps1) I used is available for downloading and/or improving on GitHub here- https://github.com/isjwuk/get-encryptionstatus

The All New vSphere 6.5

vmworldHighlights

  1. A new version of VMware vSphere, 6.5, will be released shortly
  2. Migration/Upgrade tools from previous versions (including Windows vCenter) to new VCSA.
  3. VCSA Native High Availability
  4. VCSA Integrated VMware Update Manager
  5. Native vCenter Backup and Restore
  6. Improved Appliance Management
  7. vSphere Clients
  8. Encryption

New vSphere coming soon

VMware has bucked the trend in versioning adopted by other major software companies and decided not to call it’s new vSphere version “10” and opted for the more traditional “vSphere 6.5” to succeed version 6.0 which was originally released back in March 2015. Announced at VMworld Europe 2016 with GA to follow, vSphere 6.5 is a continuation of the product which forms the core of the Software Defined Datacentre chunk of VMware’s “Any Cloud” Cross-Cloud Architecture portfolio. A lot of work has been put into making the experience of installing and operating a vSphere virtualised environment easier; Ignoring any improvements under the hood, and just looking at what’s on the surface there’s a whole bunch of features designed to make life run smoother for the IT Professional, some of which are highlighted in this post.

The new vCenter Server Appliance is a core part to this simplicity, and VMware have answered the requirements of anyone currently sticking to the Windows-based vCenter. If you can get more features and more reliability for less cost and less effort then it’s definitely the way forwards in my opinion. Some of the features discussed here- notably Native HA and Backup/Restore- will only be available in the appliance version of vCenter.

VCSA Upgrade and Migration

 

image Again out to both simplify the life of IT Professionals and encourage vCenter Appliance adoption, VMware has put a lot of effort into creating straightforward, and comprehensive, upgrade and migration tools. As more and more operations and data are handled by vCenter it becomes more and more important that the system can be smoothly navigated from version to version with minimal human effort.

Migrations are possible from Windows vCenters running version 5.5 or 6.0, and both the embedded and external database topologies are supported. Additionally, the new vCenter will assume the identity of the old Windows vCenter so any external interfaces, scripts, and automation should continue to work post-migration.

VCSA Native High Availability

VCSA 6.5 offers a built-in high availability deployment taking away the need for any 3rd party clustering or database solutions. The appliance deploys as an active/passive pair (plus witness) which automatically sets up replication of the integrated database and required vCenter files. The basic setup option also places these nodes intelligently using DRS and SDRS technology and automatically creates the necessary affinity rules and private IP comms, keeping everything simple. For infrastructures with unique and challenging topologies, there’s still an advanced workflow that can be used.

image

Integrated VMware Update Manager

Prior to 6.5 using VUM to manage the patching of a vSphere infrastructure based on the vCenter Appliance has been, how can we put it?, “annoying”. After deploying the slick appliance it was then necessary to spin up (and license) a separate Windows VM just to handle the update system. This requirement has been removed in the new version- VUM is now integrated into the VCSA, enabled by default, and shares the same database instance. The new VUM integration also leverages the VCSA High Availability and Backup functionality.

Native vCenter Backup and Restore

Also new to the vCenter Server Appliance is integrated backup and restore functionality. A great step forward in the simplification of deploying a system this provides a built in solution to backup vCenter to an external location (SCP, SFTP, HTTPS locations for example) and then be able to recover by deploying a clean OVA and choosing the Restore option. image

 

Improved Appliance Management and Monitoring

The vCenter Server Appliance Management Interface- VAMI – has also had a makeover, with many features being added. The 6.0 version had an interface limited to changing IP and NTP settings, rebooting the appliance, and little else. 6.5 adds in built in monitoring of Network, CPU, Memory and the vPostgres database. There is also the option to configure Syslog for deeper external monitoring of the vCenter infrastructure- this allows fully verbose logs to be kept for auditing and troubleshooting processes.

image

vCenter Server Appliance 6.0 Management Interface

image

vCenter Server Appliance 6.5 Management Interface

vSphere Client(s)

Work continues to focus on delivering a fully functioned HTML5 client, but in the interim vCenter 6.5 will come shipped with a new (limited) HTML5 based “vSphere Client”- evolved from the current fling – as well as an improved flash based “vSphere Web Client”. Expect the “vSphere Client” to see continuous improvement and feature addition through the lifetime of the platform –driven through the Fling programme.

Encryption

As with the other topics here encryption in the new vSphere could easily be a post in itself (or a whole series), but to summarise the new features in this area, vSphere is now offering built-in VM encryption. The encryption happens between the VM and the storage so is invisible to the guest.

Local keys are generated within vSphere, and encrypted using keys held in an external (third-party) KMS- this would usually be managed by the IT Security team. Back in vCenter encryption is implemented through Storage Policies, so a VM can be encrypted simply by assigning the correct policy to it. Through the GUI (or API/PowerCLI) it’s possible to set  encryption covering  the Disks, the VMX/Swap files, or the whole lot on a per-VM basis. Through the API/PowerCLI it’s also possible to arrange encryption on a per-VHD level, potentially encrypting different disks on a VM with different keys.

VSAN encryption is on the way- there’s currently an ongoing beta – but will not be available in the 6.5 release. Based on the recent cadence I’d expect to see something in Spring 2017, but that’s just my speculation.

Summary

In summary, there’s lots to look for in the new vSphere release and in particular the vCenter Server Applicance. This week’s VMworld should reveal a lot more in depth into these advances.