Without the Encrypt Privilege
When I initially tried to do this operation, I ran into the following issues. First issue was that, because DSM did not have the privileges to do an encrypt operation, the base OS disk of the database was left unencrypted. This meant that it was not possible to encrypt any additional volumes for use by the database itself:
I thought I would be clever, as it seems like the storage policy was reverting back to the default storage policy when it could not use the encrypted storage policy. So I set the default policy on the datastore to use encryption and retried. This is when I ran into the permissions issue:
Encrypt Privileges
Both these issues stem from the fact that the DSM Administrator role does not have the Cryptographic operations > Encrypt privilege. Let’s now give the DSM Administrator Role this additional privilege in vSphere. This is found under Administration > Roles:
Note that I have also enabled the Migrate privilege. This might be necessary if DRS kicks in and wishes to move the VM to another host. Without this privilege, it is possible that you might encounter this issue:
With these privileges added to the DSM Admin, we can proceed with deploying encrypted databases from DSM v2.1, using the vSphere Native Key Provider. Note that there may be some additional encryption privileges that might be required that I am not yet aware of. Our engineering team are currently validating the encryption privileges so that they will be automatically added to the DSM Admin in a future release.
Summary
Here is the full list of requirements for deploying encrypted databases from DSM 2.1.
-
- vCenter 8.0.3, build 24091160
- VMware ESXi, 8.0.3, 24022510
- Data Services Manager version 2.1 (but should work with earlier versions too)
- Native Key Provider enabled on vSphere
- Host Encryption Mode is enabled in the Security Profile of the ESXi hosts
- Storage Policy using both vSAN and Encryption provided by Native KP
- Additional Cryptographic Operation privileges assigned to DSM Admin Role
If you have a requirement to deploy encrypted PostgreSQL or MySQL databases, then DSM can meet those needs.