
Encryption of VMware vSphere 6.5 virtual machines and vMotion migrations. And their performance

Posted by Alex Samoylenko on January 26, 2017

As many admins of virtual infrastructures know, VMware vSphere 6.5 is the first release to ship the long-awaited encryption feature, covering both the contents of virtual disks and vMotion hot migrations.

VM encryption is built on AES-NI (the CPU's AES instruction set), and key management follows the KMIP 1.1 standard. When an I/O operation reaches the disk of a virtual machine, it is encrypted on the fly, so the data stored on the datastore cannot be read directly.

Not only virtual disks, but also VMX configuration files, snapshot files and all other file objects related to the virtual machine are encrypted.

VM objects are encrypted outside the guest, so the guest OS never has access to the encryption keys. Encrypted virtual machines are always transferred between ESXi hosts with vMotion, and that vMotion traffic is encrypted as well.

VM encryption manageability

To start virtual machine encryption, an appropriate storage policy should be assigned to it:

Edit VM Storage Policies

How VM Encryption in VMware vSphere 6.5 works:

  • The user assigns the VM Encryption policy at the virtual machine level.
  • A random key is generated for the VM and encrypted with a key from the key manager (the KMS key).
  • When the VM is powered on, vCenter Server obtains the key from the Key Manager and sends it to the VM encryption module on the ESXi host, which unlocks the key in the hypervisor.
  • From then on, all I/O passes through the encryption module, which encrypts and decrypts every SCSI command transparently to the guest OS.

All of this is compatible with third-party key management systems (and requires one of them) built on the KMIP standard, version 1.1 or higher:

VM Encryption How it works

Virtual Machines encryption options

To decrypt a virtual machine and store it in the regular format again, simply assign the default storage policy (Datastore Default) back to it.

There are also dedicated PowerCLI cmdlets that can encrypt or decrypt a VM and report which VMs are currently encrypted. For example, this is how you encrypt a VM with the default encryption policy in the latest PowerCLI update:
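The original screenshot of the cmdlet call is not reproduced here, so the following is an added example of the same workflow written against the standard PowerCLI storage-policy (SPBM) cmdlets rather than any dedicated encryption module; it is not code from the post or from VMware. It assumes a PowerCLI session already connected with Connect-VIServer, a KMS registered in vCenter, and the built-in policy names "VM Encryption Policy" and "Datastore Default" (rename them if your environment differs). The function names Get-VMEncryptionState and Set-VMEncryptionPolicy are my own.

```powershell
# Added example (not from the original post or VMware): audit and apply VM encryption
# with standard PowerCLI SPBM cmdlets. Assumes an existing Connect-VIServer session.

function Get-VMEncryptionState {
    # Reports whether the VM home (VMX, swap, snapshot files) and each virtual disk
    # are encrypted. Encrypted objects expose a CryptoKeyId in the vSphere API
    # (Config.KeyId for the VM home, Backing.KeyId for a disk); unencrypted ones have none.
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($vm in Get-VM -Name $Name) {
        $cfg = $vm.ExtensionData.Config
        [pscustomobject]@{
            VM            = $vm.Name
            HomeEncrypted = [bool]$cfg.KeyId
            KeyProvider   = $cfg.KeyId.ProviderId.Id   # KMS cluster id, $null if unencrypted
            Disks         = @(Get-HardDisk -VM $vm | ForEach-Object {
                                [pscustomobject]@{
                                    Disk      = $_.Name
                                    Encrypted = [bool]$_.ExtensionData.Backing.KeyId
                                }
                            })
        }
    }
}

function Set-VMEncryptionPolicy {
    # Assigns one storage policy to the VM home and all of its disks.
    # Use 'VM Encryption Policy' to encrypt, or 'Datastore Default' to decrypt.
    # Encrypting or decrypting an existing VM requires it to be powered off.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('VM Encryption Policy', 'Datastore Default')]
        [string]$PolicyName = 'VM Encryption Policy'
    )

    $policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop
    $vm     = Get-VM -Name $Name -ErrorAction Stop

    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$($vm.Name) must be powered off before its encryption policy is changed."
    }

    # One SPBM entity configuration per object: the VM home plus every hard disk.
    $targets = @(Get-SpbmEntityConfiguration -VM $vm) +
               @(Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $vm))

    Set-SpbmEntityConfiguration -Configuration $targets -StoragePolicy $policy | Out-Null

    # Return the resulting state so the caller can verify every object actually changed.
    Get-VMEncryptionState -Name $vm.Name
}

# Usage:
#   Get-VMEncryptionState -Name 'db01'
#   Set-VMEncryptionPolicy -Name 'db01'                                   # encrypt
#   Set-VMEncryptionPolicy -Name 'db01' -PolicyName 'Datastore Default'   # decrypt
```

Applying the policy to the VM home alone leaves the disks in clear text, which is why the second function collects the entity configuration of every hard disk as well and reports the per-object state afterwards.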

vCenter acts only as a client in the encryption system; the keys themselves are handled by a Key Management Server (KMS).

who manages vm encryption

The privilege model gains a new No Cryptography Administrator role. An administrator holding this role is denied the following privileges:

  • Manage key servers
  • Manage keys
  • Manage encryption policies
  • Console access to encrypted VMs
  • Upload/download encrypted VMs

new role no cryptography administrator

Any external system that implements the KMIP standard can be used as the KMS:

Key Managers

When using VM encryption, keep the following in mind:

  • Yes, you will definitely need a key management system (an external Key Management Server).
  • Backup is supported over Ethernet only (no SAN-to-SAN backup).
  • A backup copy made with a regular backup method is unencrypted; when it is restored, the VM takes whatever storage policy the target applies (that is, the VM may come back unencrypted after the restore).
  • The vCenter Server appliance itself cannot be encrypted; otherwise it could never be powered on.
  • The following are also not supported:
    • Suspend/resume
    • Encrypting a VM that has snapshots, and taking snapshots of an encrypted VM
    • Serial/parallel ports
    • Content Library
    • vSphere Replication

For vMotion, encryption is configured per VM, and the migration data transfer is protected with 256-bit encryption keys. Encryption of the vMotion traffic is performed at the VMkernel level with the widely used AES-GCM algorithm (Advanced Encryption Standard in Galois/Counter Mode).

VM options

There are three policies for encrypted vMotion:

  • Disabled: encryption is switched off.
  • Opportunistic: encryption is used only if both the source and target ESXi hosts support it; otherwise vMotion runs unencrypted.
  • Required: encryption is always used, and the migration fails if it is not possible.
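To see which of these three settings each VM actually carries, and to enforce Required where Opportunistic would silently fall back to clear-text migration, here is an added PowerCLI example (not code from the post or from VMware). It assumes a connected PowerCLI session and the vSphere 6.5 API property VirtualMachineConfigInfo.MigrateEncryption / VirtualMachineConfigSpec.MigrateEncryption with the string values disabled, opportunistic and required; the function names are my own.

```powershell
# Added example (not from the original post or VMware): audit and enforce the
# per-VM encrypted vMotion policy through the vSphere API exposed by PowerCLI.
# Assumes an existing Connect-VIServer session.

function Get-EncryptedVMotionPolicy {
    # Lists the encrypted vMotion mode of each VM next to its disk-encryption state.
    # An encrypted VM always migrates with encryption, so 'required' is expected there.
    param([string[]]$Name = '*')

    foreach ($vm in Get-VM -Name $Name) {
        $cfg = $vm.ExtensionData.Config
        [pscustomobject]@{
            VM            = $vm.Name
            MigrateMode   = $cfg.MigrateEncryption   # disabled | opportunistic | required
            HomeEncrypted = [bool]$cfg.KeyId
        }
    }
}

function Set-EncryptedVMotionPolicy {
    # Reconfigures the given VMs to the requested encrypted vMotion mode.
    # Encrypted VMs are skipped when asked for anything weaker than 'required',
    # since their migration traffic is always encrypted anyway.
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [ValidateSet('disabled', 'opportunistic', 'required')]
        [string]$Mode = 'required'
    )

    foreach ($vm in Get-VM -Name $Name) {
        if ($vm.ExtensionData.Config.KeyId -and $Mode -ne 'required') {
            Write-Warning "$($vm.Name) is an encrypted VM; its vMotion encryption stays 'required'. Skipping."
            continue
        }
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = $Mode
        $vm.ExtensionData.ReconfigVM($spec)   # synchronous reconfigure task
    }

    # Return the resulting state so the change can be verified, not just assumed.
    Get-EncryptedVMotionPolicy -Name $Name
}

# Usage:
#   Get-EncryptedVMotionPolicy | Where-Object MigrateMode -ne 'required'
#   Set-EncryptedVMotionPolicy -Name 'db01','web02' -Mode 'required'
```

The audit function is the useful half from a defender's point of view: Opportunistic gives no error when a migration lands on a host that cannot encrypt, so a periodic listing of VMs whose mode is not Required is the only way to notice that a sensitive workload may be moving in clear text.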

Migrating machines between hosts relies on an exchange of one-time keys, which are generated and served by vCenter Server rather than by the KMS.

In general, encryption of virtual machines and vMotion migrations is great stuff, but keep in mind that you will need an external KMS server for it.

Also, VMware recently published another interesting technical paper, "VMware vSphere encrypted vMotion architecture, performance, and best practices", covering various aspects of the encrypted migration of virtual machines between hosts.

The experiments described in the paper have shown the following:

  • vSphere 6.5 encrypted vMotion migrates at almost the same speed as regular vMotion
  • The CPU overhead of encryption is low, thanks to optimizations made in the vMotion code
  • vSphere 6.5 encrypted vMotion is as reliable as regular vMotion

For example, here are the test results for vMotion hot migration performance in an enterprise infrastructure, for a virtual machine running a Redis database:

vMotion performance

And here is a long-distance migration of a Microsoft SQL Server virtual machine at varying network latencies, which depend on how far apart the datacenters are:

SQL Server VM Migration Duration

There are several more interesting charts in the paper, but they all lead to the same conclusion: encrypted vMotion has almost no effect on the performance of the virtual infrastructure.
