Encrypting Data Service Manager databases with vSphere Native Key Provider

Following on from last weeks post on encrypting Kubernetes Persistent Volumes, I now wanted to see if I could use the vSphere Native Key Provider to encrypt databases provisioned by Data Services Manager version 2.1. The good news is that this is indeed possible, but we need to make some changes to the DSM Administrator Role’s privileges to enable it to perform encryption operations. Of course, the infrastructure policy used to provision the databases must also have a storage policy that has encryption. And, as stated in the previous article, this functionality is dependent on vSphere 8.0U3. This applies to…

Kubernetes Persistent Volume (PV) Encryption with Native Key Provider in vSphere 8.0U3

Security is top of mind for most, if not all, of our customers these days. Many years ago, I wrote a blog post on how customers could encrypt Kubernetes Persistent Volumes with an external Key Provider. One of our customers recently reached out to me to ask if we had any plans to provide similar support with the Native Key Provider. As my focus has been in other areas recently, I reached out to our CSI engineering team for an update. I then found out that support was added in our most recent release, vSphere 8.0U3. While no changes we…

Encrypting Kubernetes Persistent Volumes on vSphere (Video)

In this video, we look at how to create a Storage Policy Based Management (SPBM) with the VM Encryption feature which can be used with vSphere CSI/CNS to create a Kubernetes Storage Class that encrypts Persistent Volumes. This feature is only available with the CSI 2.0 driver for native, upstream Kubernetes deployed on vSphere 7.0 (at the time of writing). You will also need to have a Key Management Server available to the vSphere host to create a policy that allows encryption. Finally, encrypted Persistent Volumes can only be attached to encrypted virtual machines, meaning that at least one of…

vSphere 7.0, Cloud Native Storage, CSI and offline volume extend

Another new feature added to the vSphere CSI driver in the vSphere 7.0 release is the ability to offline extend / grow a Kubernetes Persistent Volume (PV). This requires a special directive to be added to the StorageClass and, as per the title, the operation must be done offline whilst the PV is detached from any Pod. Let’s take a closer look at the steps involved. New CSI component – CSI Resizer To enable resizing operations, a new component has been added to the vSphere CSI Controller called csi-resizer. We can examine the csi-resizer and other components associated with the…

vSphere 7.0, Cloud Native Storage, CSI and encryption support

A common request we’ve had for the vSphere CSI (Container Storage Interface) driver is to support encryption of Kubernetes Persistent Volumes using the vSphere feature called VMcrypt. Although we’ve had VM encryption since vSphere 6.5, this was a feature that we could not support in the first version of the CSI driver that we shipped with vSphere 6.7U3. However, I’m pleased to announce that we can now support this feature with the new CSI driver shipping with vSphere 7.0. The reason we can support it in vSphere 7.0 is that First Class Disks, also known as Improved Virtual Disks, now…

New steps to use HyTrust KMIP with vSAN Encryption

I’m back in the lab this week, looking at some of the newer features around vSAN. As part of this, I needed vSAN Encryption enabled, so I downloaded the latest HyTrust KeyControl appliance as this has an easy to use KMIP Server. This new version is 4.2.1,  and it has a few new steps compared to the previous versions I used, which were a little confusing to begin with. First I deployed the OVA, supplied the password, logged into the web interface, and enabled KMIP as before. However, that is where things are now a little different to before.

Does enabling encryption on vSAN require on an-disk format change?

vSAN 6.6 shipped earlier this year. It comes with a new on-disk format to support, among other things, data at rest encryption (also known as DARE). This is version 5 of the on-disk format. I’ve been asked this question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a DFC. Now this post is not going to cover vSAN encryption in any great detail; I just want to answer this one question…