VMware vSphere 6.5 Security Questions

Been to many customers and have many questions on how our vSphere 6.5 Security enhancement does and how different is it from others.

So to clear some of the questions and also the articles that are available below will provide more details.

A good place to start is read up this VMware blog post by Mike Foley.  This post detail the new UEFI for ESXi and for VMs and on VM Encryption.  Let us break down some questions that are asked often or unclear:

1) Does all OSes support UEFI?
Modern versions of OS like Microsoft Windows 2012, RedHat 5 and Suse Linux Enterprise 11 SP2 and above .  Unless we are talking about older OS that are dependent on BIOS.

2) Who provide the UEFI firmware?
The hardware server vendors that allows OS or hypervisor to be installed on to be boot from.  Hypervisor or virtualization software vendor that allows running of virtual machine to boot from.

3) How can we prevent BIOs, hypervisor and OS been compromise?
The use of UEFI is to ensure digital signature are in placed and verified.  In such, any attempt to modify these, will not be accepted in by ESXi or OS.  So caveat here is all drivers or files need to have digital certificates and not unknown.  This is very common when you try to install certain drivers especially in Windows, and you can just choose Ignore.  With UEFI boot, it cannot be done anymore.  For ESXi, upon Secure UEFI boot, it will fail to boot if any digital certificate is compromise.  So installing an unknown driver even if you ever manage to force it in, will require a reboot and that reboot will fail to boot.  What you will see is PSOD (Purple Screen of Death).

4) Are certificates provided by VMware?
No.  VMware been eco-partners system friendly, has always been leveraging on customers' investment.  Using VM Encryption requires using existing KMS that is support KMIP 1.1.  Which is good since VMware isn't really a security company with IP that are in that field.  It's better to have the expert do the work.

5) Does it encrypt only the data disk or the OS?
VM encryption been the first release is very well thought.  It encrypts the VM as a whole.  Using powerCLI as stated here, you can have even more control and granularity.  You can choose to encrypt one VMDK but not the other.  Or just the VM files not the VMDKs.  You can also enable CryptoSafe mode on ESXi even though you are not having any VM encryption so to have core dumps been encrypted.

6) Is there an agent and only support certain OS?
No agent is required and this is OS dependent and OS will not be aware since vSphere is doing VM encryption and not OS encryption.  In fact, any OS that is supported by vSphere can be encrypted.  How cool is that?  However, you can still leverage on partners like SafeNet, Hytrust, CloudLink, etc. to do OS encryption within the VM to further secure your data.

7) Can we use physical TPM on ESXi?
Yes, you can use TPM on vSphere but that is just securing the boot up process of ESXi.  Currently ESXi only support up to TPM 1.2.  Comparing to UEFI, the different here is TPM is not backward compatible.  So you will need to make sure all your server hardware support the same TPM version. Not a very good idea isn't it?

8) Does vSphere support virtual TPM?
No. vSphere 6.5 does not have a virtual TPM feature.  As similar to the above, this will encounter a dependency on something e.g. Host Guardian Service Infrastructure for Hyper-V 2016.  vSphere uses Secure UEFI where no such setup requirement is needed.  To change new HGS require some effort with caveats, refer to this article.

9) How easy is it if I need to change the KMS?
Do read the article on PowerCLI, VM encryption allows you to change KMS easily without having to decrypt the whole VM and encrypt again.  This is the fact that the Key Encryption Key (KEK) from KMS is used to encrypt the Data Encryption Key (DEK), in the process of changing, all you need is to decrypt the DEK and encrypt with the new KEK from new KMS.

10) Can we use more than one KMS if we have different workload or requirements?
Yes.  As stated in the PowerCLI post, you can even have different VMDK using different KMS in the same VM!  The control is in your hands.

11) What kind of performance are we talking about on VM encryption?
Refer to this whitepaper.   VM Encryption is leveraging the latest Intel processor technology, AES-NI to accelerate in enabling the encryption process.   The keys generated on ESXi are XTS-AES-256 keys.

12) Can vSphere support disable of TLS 1.0?
Yes.  In vSphere 6.5, there is a TLS Reconfiguration Utility.  By default, vSphere comes with TLS 1.0, 1.1 and 1.2 enabled.  With this tool, you can disable TLS 1.0.  Then you will ask what about vSphere 6.0?  Well in vSphere 6.0 Update 3, the tool is already released.

13) What is the limitation for VM security thus far?
vSphere Replication as of today is still not supported.  So implementing any VM that is on Encryption cannot leverage on vSphere Replication.  This is true for within the cluster or across to another vCenter cluster.
Certain VM files like VMX is not completely encrypted as there are still solution on the market which are not using vSphere API to call for information but read directly from VMX file.  Encrypting it will make these solution breaks.

If you have more questions, do post them in the comments so I can answer that in my best effort.

Comments

Popular posts from this blog

Why VMware or Why Not after Broadcom?

VMware by Broadcom, A New Chapter Forward

VMware vExpert 2024 Application is Now Open!