- Moving from native to standard KMS?
(question 8)
Yes. Define a
new key provider, set it as the new default provider for the cluster, and then
use the UI or PowerCLI to perform a shallow rekey/re-encrypt to the new
provider (instructions for rekeying are below). This process will cause vSphere
to re-encrypt the DEKs with a new KEK from the new key provider. A similar
process is available for vSAN, too (also below).
- VMware encrypt Horizon golden
image? If new VMs are created from the golden image, will they be
encrypted with the same or different key?
When you
create new VMs from the encrypted golden image, each new VM will inherit the
encryption status of the golden image. However, the encryption keys used for
each new VM can differ.
- Multiple KMS servers, will they be
used if one of the KMS is down?
We can have
multiple KMS servers, but only one can be set as the default.
- Import native keys to a KMS server?
Native Key
Provider is for use only within vSphere and does not support traditional KMS
connectivity. It is designed specifically for encryption in vSphere and does
not support KMIP or other protocols for key interchange.
- Maximum number of native keys
imported into vCenter during cross-vCenter vMotion?
vSphere 6.7
and Earlier: A maximum of 16 KMS servers per KMS Cluster is allowed. vSphere
7.0 and Later: In vSphere 7.0, Key Providers were introduced to replace KMS
Clusters. There is no limit on the number of Key Providers. However, there is
still a maximum of 16 KMS servers per Standard Key Provider. vSphere 7.0 Update
2 introduced Native Key Providers. There is no limit on the number of Native
Key Providers that can be created.
- Which native key is used for which
encryption?
There is
currently no method to tell which virtual machines are using a key provider
except by examining the .vmx file for each virtual machine. To work around
this, we suggest setting the default key provider as desired, then
re-encrypting the virtual machines to ensure they’re using the key provider you
want.
- If ESXi is not in contact with the
native key provider, will any alarms be triggered? What happens if vCenter
is down?
There is no
immediate impact on encrypted virtual machines while vCenter Server is offline.
When using a properly configured Native Key Provider, each ESXi host in a
cluster has a copy of the KDK stored and can operate independently.
- Is an encrypted VM exportable with
OVF? How to decrypt a VM?
Can I export
an OVF/OVA of a VM with a vTPM? Virtual machines with a vTPM device do not
support the OVF/OVA template format directly. You cannot export a VM with a
vTPM device to an OVF/OVA file using the vSphere Client. The vTPM device must
be removed before exporting the VM as an OVF/OVA template. The OVF Tool can
automate this process by adding a vTPM placeholder attribute. See the section
“TPM as a Virtual Device in OVF” in the OVF Tool User Guide for more details.
Can I import
an OVF/OVA with a vTPM? When importing an OVF/OVA into vSphere using the
vSphere Client, a vTPM device must be manually added to the VM after import.
The OVF Tool can automate this process by parsing a vTPM placeholder attribute.
See the section “TPM as a Virtual Device in OVF” in the OVF Tool User Guide for
more details.
- When moving an
windows 11 encrypted VM to another vCenter?
Yes, you can
remove encryption and it shouldn't affect the vm working but the vcenter where
it is getting backed up should have old key added.
Please take
time to test this configuration out.
10.
Backup of encrypted VM (flat and guest OS backup) using Veeam and restoring on
a different vCenter?
The
destination vCenter should have the key! Set up policies on backup and restore
operations. Not all backup architectures are supported. See Virtual Machine
Encryption Interoperability. Set up policies for restore operations. Because
backup is always in cleartext, plan to encrypt virtual machines right after the
restore is finished. You can specify that the virtual machine is encrypted as
part of the restore operation. If possible, encrypt the virtual machine as part
of the restore process to avoid exposing sensitive information. To change the
encryption policy for any disks associated with the virtual machine, change the
storage policy for the disk. Because the VM home files are encrypted, ensure
that the encryption keys are available at the time of a restore.
- When the ESXi goes down or needs to
be reinstalled, what key needs to be stored to get the VMs back up and
running?
The Native Key
Provider KDK is stored in the encrypted configuration. If a TPM is present and
configured, it will be used to help protect the encrypted configurations.
Ensure that replicated copies of virtual machines encrypted with vSphere
Virtual Machine Encryption have access to the encryption keys at the recovery
site. For standard key providers, this is handled as part of the design of the
Key Management System, outside of vSphere. For vSphere Native Key Provider,
ensure that a backup copy of the Native Key Provider key exists and is protected
against loss.
References
taken :
