Using HyTrust to encrypt VMDKs on VSAN

hytrustI’ve had an opportunity recently to get some hands-on with HyTrust’s Data Control product to do some data encryption of virtual machine disks in my Virtual SAN 6.0 environment. I won’t deep dive into all of the “bells and whistle” details about HyTrust – my good buddy Rawlinson has already done a tremendous job detailing that in this blog post. Instead I am going to go through a step-by-step example of how to use HyTrust and show how it prevents your virtual machine disk from being snooped. In my case, I am encrypting virtual machine disks from VMs that are deployed on VSAN, as I have had this question in the past, i.e. can VMDKs on VSAN be encrypted? The answer is yes. This post will show you how.

Part 1: Initial Configuration & Setup

The very first step is to download and deploy the HyTrust KeyControl Server Appliance to your infrastructure. The appliance uses 1 vCPU, 1GB of memory and 8GB of disk space. It provides a web interface from which the various management tasks can be done. From this interface, users, groups and domains can be created, configured and managed. In the Cloud View, an administrator would create a Cloud VM Set as an organization entity for storing VMs.

Also in the Cloud view, there is the ability to download the HyTrust DataControl Agent. For VMs that wish to have their disks encrypted, this agent needs to be installed. Simply point a web browser from the VM to the appliance, login, download and install the agent. Once the agent is installed, the HyTrust UI can be launched from the Guest OS. The first step is to register the VM with the KeyControl Appliance by clicking on the “Register” button shown below.

1. hytrust-agent-on-winAlong with the connection information to the Key Control Server, the Cloud VM Set name is also provided, as shown below.

3. register-vmWhen the registration process is complete, the VM should show up in the KeyControl Appliance Cloud view:

4. vm-is-registeredOur next step is to encrypt one or more virtual machine disks (VMDK) belonging to the VM. I created a new VMDK and added it to the VM. I then brought it online and initialized it via the Windows Disk Management tools as an E: drive. One thing to note is that in the current version of HyTrust, it can only encrypt disks that have an MBR (Master Boot Record) partition table format. They currently cannot encrypt disks that have a GPT format. If you try to encrypt a disk with this partition format, you will get the following error:

5. no support for GPTSo, MBR partitions it is then. You can initialize the disk with MBR very simply with the PowerShell command, Initialize-Disk 2 –PartitionStyle MBR. With MBR partition format on the disk, we can now begin the encryption process via the HyTrust GUI on our VM. The new drive E:\ is visible, so right-click and select “Add and Encrypt”.

7. add-and-encryptThe following pop-up will appear, stating that encryption has started.

8. encrypt-has-startedAnd the progress of the encryption can be monitored from the HyTrust UI on the VM:

9. encrypt-progressOnce the encryption process completes, it is now possible to check the status on both the HyTrust UI in the VM and via the KeyControl Server appliance, shown below.

11. vm-registered-disk-encryptedThe VMDK is now encrypted.

Part 2: Security Test

In this next section, I want to indeed verify that HyTrust encryption is indeed working. What I will do is create some top-secret files on my VMDK. Then assume that someone has detached the VMDK from my VM, and attached it to their VM in an attempt to read the contents of the top-secret files. Let’s see what happens:

First step, create a very secret file on an encrypted VMDK:

12. create-a-secret-fileLet’s remove the VMDK from the VM, making sure that we do not check the option to delete the files from datastore.

16. remove-disk-from-vm-don't-delete-filesNow attach the VMDK to another VM, and see if we can access the contents:

15. add-disk-to-new-vm-2Now the test – can I read the contents of this VMDK on another VM? The answer is no. While the disk is seen successfully, no valid partitions are recognized and thus no contents. Because of this, the new Guest OS offers to format the disk.

17. disk-not-access-on-new-vmThe guys over at HyTrust even said that we could use an open source data forensics tool like The Sleuth Kit/Autopsy – If we went through the same scenario where we simulate someone “stealing” an encrypted VMDK and then loading it up in Autopsy and show that everything is obfuscated by the encryption and nothing is detected at all.

The final step is to place the VMDK back on the original VM and ensure everything is OK. Simply repeat the steps that I went through previously to add the encrypted VMDK back to the original VM. One minor nit is that I had to run a detach and attach command to get the drive and contents visible again. This was very simply done using the CLI commands “hcl detach” and “hcl attach”, which come as part of the HyTrust agent on the VM. However the guys at HyTrust are looking in why this step is needed.

 After this step, everything is good to go once again.


So there you have it. If VMDK encryption is something you really need, it works perfect on virtual machines on VSAN. Now I’ve barely scratched the surface of what this product can do for you. But if you’d like to learn more, check out HyTrust’s web site.

 On another note, this will be part of our excellent VSAN [A-Z] hands-on-lab (HOL) at VMworld 2015. The HOL id is #1608, and if you want to go through various features and functionality of VSAN, including the ecosystem around VSAN, this is the lab for you. As part of that ecosystem, HyTrust can provide virtual machine disk encryption if needed. If you are going to VMworld 2015, sign up for the lab to learn more.

One Reply to “Using HyTrust to encrypt VMDKs on VSAN”

Comments are closed.