Configuring vSAN encryption for your private cloud

Encryption of vSAN data at rest requires a key management system (KMS). Key management for vSAN data encryption in Google Cloud VMware Engine uses Cloud Key Management Service for newly created private clouds by default, at no additional cost.

You can also choose to deploy an external KMS for encryption of vSAN data at rest from one of the supported vendors below. This page explains how to use an external KMS and encrypt virtual machine data at rest in VMware Engine.

For production workloads, follow the steps below to use the KMS from a supported vendor instead.

Default key provider

VMware Engine configures newly created private clouds to connect vCenter to a Google-managed key provider, leveraging Cloud KMS. Cloud KMS is highly available in all regions.

By default, VMware Engine enables vSAN encryption for data in all clusters as the clusters are created in a private cloud.

To perform key rotations in vSphere, see the VMware documentation Generate New Data-At-Rest Encryption Keys.

Supported vendors

To switch your active KMS, you can select a third-party KMS solution that's KMIP 1.1 compliant and is certified by VMware for vSAN.

The following vendors have validated their KMS solution with VMware Engine and published deployment guides and support statements:

Using a supported vendor

The KMS supplies encryption keys to vCenter over an IP network. You can deploy the KMS solution in Compute Engine or in VMware Engine (on a different ESXi cluster). We do not recommend deploying the KMS on-premises, because any WAN outage between the KMS and vCenter can adversely affect how the vSAN cluster functions.

Each deployment of a KMS requires some basic steps:

  • Create a Google Cloud project or use an existing one.
  • Create a new Virtual Private Cloud (VPC) network or choose an existing VPC network.
  • Connect your selected VPC network to the VMware Engine service using private services access.

Then, deploy the KMS in a Compute Engine VM instance:

  1. Set up required IAM permissions to deploy Compute Engine VM instances.
  2. Deploy the KMS in Compute Engine.
  3. Establish trust between vCenter and the KMS.
  4. Enable vSAN data encryption.

The following sections briefly describe each of these steps for using one of the supported vendors.

Set up IAM Permissions

You need sufficient permissions to deploy Compute Engine VM instances in a given Cloud project and VPC network, connect your VPC network to VMware Engine, and configure firewall rules for the VPC network.

Project owners and IAM principals with the Network Admin role can create allocated IP ranges and manage private connections. For more information on roles, see Compute Engine IAM roles.

Deploy key management system in Compute Engine

Some KMS solutions are available in an appliance form-factor in Google Cloud Marketplace. You can deploy such appliances by importing the OVA directly in your VPC network or Google Cloud project.

For a software-based KMS, deploy a Compute Engine VM instance using the configuration (vCPU count, memory, and disks) recommended by the KMS vendor, and install the KMS software in the guest operating system. Create the Compute Engine VM instance in a VPC network that is connected to VMware Engine using private services access.
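As an added example that is not part of the VMware Engine documentation, the following shell script wraps the basic steps and the deployment steps above (IAM role, VPC network, private services access, a firewall rule restricted to KMIP, and the KMS VM) in gcloud functions with a dry-run switch, so the plan can be reviewed before anything is created. The project id, network names, CIDRs, zone and machine type are constructed placeholders, and TCP port 5696 is KMIP's standard port rather than a value taken from the page.

```shell
#!/bin/sh
# Added example (not from the VMware Engine docs): gcloud steps for hosting a
# third-party KMIP KMS in Compute Engine, as functions with a dry-run switch.
# Every name, CIDR and zone below is a constructed placeholder.
set -eu

PROJECT="${PROJECT:-example-project}"         # assumed project id
VPC="${VPC:-kms-vpc}"                         # VPC network that will host the KMS VM
SUBNET_RANGE="${SUBNET_RANGE:-10.10.0.0/24}"  # constructed subnet CIDR
PSA_RANGE="${PSA_RANGE:-kms-psa-range}"       # name of the allocated peering range
ZONE="${ZONE:-us-central1-a}"
KMS_VM="${KMS_VM:-kmip-server}"
KMIP_PORT=5696                                # standard KMIP TCP port
VSPHERE_CIDR="${VSPHERE_CIDR:-192.168.50.0/24}"  # constructed vCenter/ESXi management range

# With DRY_RUN=1 the command is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

grant_network_admin() {      # IAM: allocated ranges and private connections
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$1" --role=roles/compute.networkAdmin
}
create_vpc() {               # VPC network plus a subnet for the KMS VM
  run gcloud compute networks create "$VPC" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$VPC-subnet" --project="$PROJECT" \
    --network="$VPC" --region="${ZONE%-*}" --range="$SUBNET_RANGE"
}
connect_private_services_access() {  # VPC side of private services access
  run gcloud compute addresses create "$PSA_RANGE" --project="$PROJECT" --global \
    --purpose=VPC_PEERING --prefix-length=24 --network="$VPC"
  run gcloud services vpc-peerings connect --project="$PROJECT" \
    --service=servicenetworking.googleapis.com --ranges="$PSA_RANGE" --network="$VPC"
  # The VMware Engine side of the private connection is created separately.
}
allow_kmip_from_vsphere() {  # least privilege: only the KMIP port, only from vSphere
  run gcloud compute firewall-rules create allow-kmip --project="$PROJECT" \
    --network="$VPC" --direction=INGRESS --action=ALLOW --rules="tcp:$KMIP_PORT" \
    --source-ranges="$VSPHERE_CIDR" --target-tags=kmip-server
}
deploy_kms_vm() {            # VM sized per the vendor's guidance (size is the argument)
  run gcloud compute instances create "$KMS_VM" --project="$PROJECT" --zone="$ZONE" \
    --machine-type="${1:-e2-standard-2}" --subnet="$VPC-subnet" --tags=kmip-server \
    --image-family=debian-12 --image-project=debian-cloud
}

# Usage: DRY_RUN=1 sh kms-plan.sh user:admin@example.com   (prints the plan)
if [ -n "${1:-}" ]; then
  grant_network_admin "$1"; create_vpc; connect_private_services_access
  allow_kmip_from_vsphere; deploy_kms_vm
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then without it to apply them; the vendor's KMS software is installed on the VM afterwards, as described above.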

Establish trust between vCenter and the KMS

After deploying the KMS in Compute Engine, configure your VMware Engine vCenter to retrieve encryption keys from the KMS.

First, add the KMS connection details to vCenter. Then establish trust between vCenter and your KMS by doing the following:

  1. Generate a certificate in vCenter.
  2. Sign it using a token or key generated by your KMS.
  3. Provide or upload that certificate to vCenter.
  4. Confirm the connectivity status by checking the KMS setting and status in the vCenter server configuration page.

Enable vSAN data encryption

In vCenter, the default CloudOwner user has sufficient privileges to enable and manage vSAN data encryption.

To enable vSAN data encryption from the vSphere client, do the following:

  1. Navigate to an existing cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click the Encryption Edit button.
  5. In the vSAN Services dialog, enable Encryption.
  6. Select a KMS cluster.
  7. Complete your cluster configuration.

What's next