Encrypting Data Service Manager databases with vSphere Native Key Provider

Following on from last weeks post on encrypting Kubernetes Persistent Volumes, I now wanted to see if I could use the vSphere Native Key Provider to encrypt databases provisioned by Data Services Manager version 2.1. The good news is that this is indeed possible, but we need to make some changes to the DSM Administrator Role’s privileges to enable it to perform encryption operations. Of course, the infrastructure policy used to provision the databases must also have a storage policy that has encryption. And, as stated in the previous article, this functionality is dependent on vSphere 8.0U3. This applies to both the vCenter Server and the ESXi hosts.

Without the Encrypt Privilege

When I initially tried to do this operation, I ran into the following issues. First issue was that, because DSM did not have the privileges to do an encrypt operation, the base OS disk of the database was left unencrypted. This meant that it was not possible to encrypt any additional volumes for use by the database itself:

I thought I would be clever, as it seems like the storage policy was reverting back to the default storage policy when it could not use the encrypted storage policy. So I set the default policy on the datastore to use encryption and retried. This is when I ran into the permissions issue:

Encrypt Privileges

Both these issues stem from the fact that the DSM Administrator role does not have the Cryptographic operations > Encrypt privilege. Let’s now give the DSM Administrator Role this additional privilege in vSphere. This is found under Administration > Roles:

Note that I have also enabled the Migrate privilege. This might be necessary if DRS kicks in and wishes to move the VM to another host. Without this privilege, it is possible that you might encounter this issue:

With these privileges added to the DSM Admin, we can proceed with deploying encrypted databases from DSM v2.1, using the vSphere Native Key Provider. Note that there may be some additional encryption privileges that might be required that I am not yet aware of. Our engineering team are currently validating the encryption privileges so that they will be automatically added to the DSM Admin in a future release.

Summary

Here is the full list of requirements for deploying encrypted databases from DSM 2.1.

    • vCenter 8.0.3, build 24091160
    • VMware ESXi, 8.0.3, 24022510
    • Data Services Manager version 2.1 (but should work with earlier versions too)
    • Native Key Provider enabled on vSphere
    • Host Encryption Mode is enabled in the Security Profile of the ESXi hosts
    • Storage Policy using both vSAN and Encryption provided by Native KP
    • Additional Cryptographic Operation privileges assigned to DSM Admin Role

If you have a requirement to deploy encrypted PostgreSQL or MySQL databases, then DSM can meet those needs.