New steps to use HyTrust KMIP with vSAN Encryption

I’m back in the lab this week, looking at some of the newer features around vSAN. As part of this, I needed vSAN Encryption enabled, so I downloaded the latest HyTrust KeyControl appliance, as this has an easy-to-use KMIP Server. This new version is 4.2.1, and it has a few new steps compared to the previous versions I used, which were a little confusing to begin with. First I deployed the OVA, supplied the password, logged into the web interface, and enabled KMIP as before. However, that is where things are now a little different to before.

A closer look at VMware’s latest Cloud Launch

Today VMware has another cloud launch update, and this one is significant for many reasons. Our underlying goals of VMware Cloud are many. From an infrastructure perspective, the goal is to provide operational consistency no matter where the application is running, whether this is from an automation, security or governance perspective. But one thing that is often overlooked is what this operational consistency means to the developer. The goal, I feel, is to make it as simple as possible for developers to create their apps and make it as simple as possible to consume services that they might need for…

Preventing selection of certain datastores with SPBM

One of the great things about presenting at VMware User Group meetings is actually talking to customers and finding out about what their pain points are, and how VMware can improve on our products and features. At the most recent VMUG I attended (in Poland), I was asked a question about storage policies, and if there was a way to allow some users to use some policies, and other users to use a different policy. Unfortunately there are no permissions associated with policies at this time, so any user can select any policy. With that in mind, I had a…

Getting to grips with NFSv4.1 and Kerberos

Over the past few weeks, I’ve been looking to update some of our older white papers on core storage topics. One of the outdated papers was on NFS, and a lot had changed in this space since the paper was last updated. Most notable was the introduction of support for NFS v4.1 in vSphere 6.0, along with Kerberos-based authentication. In vSphere 6.5, we also added Kerberos integrity checking. I decided to have a go at configuring this in my own lab. Before going any further, I need to thank Justin Parisi of NetApp for this guidance through this setup.…

VMworld 2017 Session on vSphere 6.5 Core Storage now on YouTube

A quick note to let you know that the session that I delivered on day 1 of VMworld 2017 is now available on YouTube. The session is entitled “A Deep Dive into vSphere 6.5 Core Storage Features and Functionality” and I delivered this with Cody Hosterman of Pure Storage. Judging by the feedback, and the number of passing comments I received in the hallways at VMworld over the past 2 days, it seems that this session was very well received indeed. Hope you like it.

Deploying a new HyTrust KMS on vSphere 6.5

Many regular readers will be aware of new encryption features added recently to VMware’s portfolio, such as vSAN data-at-rest encryption and vSphere VM encryption in vSphere 6.5. I had to return to a configuration task that I hadn’t done in a while, which was the deployment of a new Key Management Server (KMS) on my vSphere 6.5 / vSAN 6.6.1 setup. I had done this a few times before, but it has been a while and I’d forgotten what exactly I’d needed to do, so I decided to document the steps in this post for future reference. Those of you…

Does enabling encryption on vSAN require an on-disk format change?

vSAN 6.6 shipped earlier this year. It comes with a new on-disk format to support, among other things, data at rest encryption (also known as DARE). This is version 5 of the on-disk format. I’ve been asked this question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a DFC. Now this post is not going to cover vSAN encryption in any great detail; I just want to answer this one question…