Encryption at rest for VMware on IBM Cloud

Encryption at rest for VMware on IBM Cloud

One of the key topics we covered as part of our Fast Start education was encryption at rest for VMware on the IBM Cloud. There are many options for encrypting your workloads at rest, including:

  • VMware vSAN encryption
  • VMware vSphere encryption
  • HyTrust Data Control, part of IBM Cloud Secure Virtualization
  • Any other existing encryption solution you wish to bring to IBM Cloud

The first three offerings are available today directly from IBM Cloud for VMware Solutions, although some assembly is required in each case. There are important tradeoffs between these options that you need to take into consideration, such as ease of use, interoperability with other solutions like workload migration tooling, and the nature of what is encrypted. The following table that I shared at Fast Start summarizes the differences between these solutions:

Comparison vSAN encryption vSphere encryption HyTrust Data Control
Encryption type Datastore disks encrypted @ hypervisor

Secures: disk drives

VM disks encrypted @ hypervisor

Secures: VMDK files, disk traffic en route to datastore

Agent-based encryption of disks within VM

Secures: VMDK files, disk traffic en route to datastore

Key management External KMS must be provided (not included) supporting KMIP 1.1 (e.g., IBM KMIP for VMware, IBM SKLM, or HyTrust Key Control) External KMS must be provided (not included) supporting KMIP 1.1 (e.g., IBM KMIP for VMware, IBM SKLM, or HyTrust Key Control) HyTrust Key Control (included)
Additional capabilities Together with HyTrust Cloud Control, provides advanced access control, auditing, approval, and compliance capabilities; and enables Boundary Control for geofencing and hardware trust
Cost
  • vSAN Enterprise is required (per socket)
  • Key management server
Key management server
  • HyTrust Data Control (per socket)
  • HyTrust Cloud Control (optional, per socket)
Limitations
  • Not compatible with other storage types (e.g., IBM Cloud Endurance storage, NetApp ONTAP Select)
  • Does not encrypt storage traffic in flight between hosts
Eliminates benefit of vSAN deduplication and compression Eliminates benefit of vSAN deduplication and compression
Migration Compatible with all migration technologies
  • Compatible with Veeam
  • Compatible with VMware SRM when using array based replication
  • Not currently compatible with VMware HCX
  • Not currently compatible with Zerto
  • Not currently compatible with vSphere replication
  • Not currently compatible with cross-vCenter vMotion
Compatible with all migration technologies provided that HyTrust key management server availability and host compliance (if applicable) are maintained across sites. Some extra recovery steps are required post migration if the workload IP addressing has changed.

File encryption with public-key cryptography

File encryption with public-key cryptography

Public-key cryptography is not suitable for encrypting large files. A naive approach to encrypting a large file will return an error if the file is larger than the RSA key:

[smoonen@smoonen encryption]$ dd if=/dev/zero bs=1024 count=1024 | openssl pkeyutl -encrypt -pubin -inkey pubkey.pem
Public Key operation error
140544802154400:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151:

If you want to accomplish asymmetric encryption of large files, the general approach is to encrypt the file using symmetric cryptography, and encrypt the symmetric key using public-key cryptography. The OpenSSL smime command uses this approach, but it does not support extremely large files.

To support this case, I’ve written some simple file encryption shell scripts which I’ve posted on GitHub. These scripts are as follows:

  • genkeypair generates a private and public key pair
  • encrfile encrypts one or more files using AES-256 encryption, encrypts the AES-256 keys using public-key encryption, and saves the encrypted key as part of the encrypted file
  • decrfile decrypts a single file previously encrypted by encrfile, by extracting the encrypted AES-256 key, decrypting it using public-key encryption, and then decrypting the file itself. The decrypted data is sent to stdout.