Previously we reviewed some important characteristics and tradeoffs for various encryption at rest solutions for VMware on IBM Cloud. Below are some more detailed decision matrices for encryption both in motion and at rest.
Encryption in motion
|Subject||Encryption layer||Encryption method||Notes|
|Application traffic||Network or lower||None||There are no established mesh encryption technologies for VXLAN or Geneve.|
|Transport||TLS||This is normally enabled in application specific configuration. Special care must be taken for many requirements, e.g., to exclude older TLS and SSL versions, exclude vulnerable ciphersuites, enforce the use of appropriate certificates, and use FIPS 140-2 if required.|
|vSAN||Application||None||Update January 2021: Beginning with vSphere 7.0u1, you can enable data–in–transit encryption for host–to–host vSAN traffic.|
|vMotion||Application||Proprietary||This is enabled in a VM’s options, and can be set to disabled, opportunistic (default), or required.|
|Site to site||Network||VMware HCX (IPsec)||HCX uses a proprietary and highly efficient layer 2 transport to convey traffic from site to site through one or more IPsec tunnels using NIST Suite B AES-GCM encryption. Site to site vMotion is also supported with WAN optimization of the vMotion traffic.|
|IPsec||IPsec connections between sites can use a variety of solutions, including NSX ESG, FortiGate virtual or physical appliance, or vSRX appliance. Occasionally L2VPN may be used in combination with IPsec. Occasionally this may be combined with GRE encapsulation to alleviate addressing and routing problems.|
Encryption at rest
Note that in the table below:
- Update March 2020: vSphere encryption is now compatible with vSphere replication for vSphere version 6.7 Update 1 and newer.
- While IBM Cloud Object Storage (COS) cannot function as a VMware vSphere datastore, it may be used for other aspects of your VMware environment, such as Veeam backup repositories or data accessed directly by your applications. Compatibility statements for Cloud Object Storage are not applicable since it does not serve as disk storage for virtual machines.
- IBM Key Protect and IBM Hyper Protect Crypto Services are IBM Cloud key management service offerings. These interface directly with some IBM Cloud services like COS, and indirectly with VMware vSphere and vSAN encryption using the IBM Cloud KMIP for VMware intermediary service. Additionally, HyTrust Data Control is now integrated with IBM Hyper Protect Crypto Services as an optional HSM.
- IBM Security Key Lifecycle Manager (SKLM) and IBM Guardium Data Encryption are two key management and encryption software offerings from IBM.
- Compatibility statements imply “when properly configured.” For example, the HyTrust Key Control and Guardium KMS must be remain available or must be recovered in case of a disaster; and Veeam in some cases is limited to the HotAdd transport mode.
- HyTrust Key Control can be deployed as a standalone KMS, but it also serves as the underlying KMS for HyTrust Data Control. HyTrust Cloud Control offers advanced VM placement policy control and geofencing when combined with HyTrust Data Control.
|IBM Cloud Object Storage||IBM managed keys (native)||n/a||IBM||IBM||All objects||TLS||n/a||n/a||n/a||n/a||n/a||n/a||n/a|
|IBM Key Protect (KP) or Hyper Protect Crypto Services (HPCS)||IBM KP or HPCS||Customer||IBM||Bucket||TLS||n/a||n/a||n/a||n/a||n/a||n/a||n/a|
|IBM Cloud storage (Endurance, Performance) × (file, block)||IBM managed keys (native)||n/a||IBM||IBM||Entire volume||No||n/a||Yes||Yes||Yes||Yes||Yes||No|
|vSphere encryption||IBM KP or HPCS||Customer||IBM||VM disk||Yes||n/a||No||Yes||No||No||Yes||No|
|IBM SKLM||Customer||Customer||VM disk|
|HyTrust Key Control||Customer||Customer||VM disk||Yes||n/a||No||Yes||No||No||Yes||No|
|HyTrust Data Control||HyTrust Key Control with optional HPCS||Customer||Customer||VM disk||Yes||n/a||Yes||Yes||Yes||Yes||Yes||Yes|
|IBM Guardium Data Encryption||Guardium||Customer||Customer||VM disk||Yes||n/a||Yes||Yes||Yes||Yes||Yes||No|
|vSAN storage||vSAN encryption||IBM KP or HPCS||Customer||IBM||vSAN drives||No||Yes||Yes||Yes||Yes||Yes||Yes||No|
|IBM SKLM||Customer||Customer||vSAN drives||No||Yes||Yes||Yes||Yes||Yes||Yes||No|
|HyTrust Key Control||Customer||Customer||vSAN drives||No||Yes||Yes||Yes||Yes||Yes||Yes||No|
|vSphere encryption||IBM KP or HPCS||Customer||IBM||VM disk||Yes||No||No||Yes||No||No||Yes||No|
|IBM SKLM||Customer||Customer||VM disk||Yes||No||No||Yes||No||No||Yes||No|
|HyTrust Key Control||Customer||Customer||VM disk||Yes||No||No||Yes||No||No||Yes||No|
|HyTrust Data Control||HyTrust Key Control with optional HPCS||Customer||Customer||VM disk||Yes||No||Yes||Yes||Yes||Yes||Yes||Yes|
|IBM Guardium Data Encryption||Guardium||Customer||Customer||VM disk||Yes||No||Yes||Yes||Yes||Yes||Yes||No|