Encrypt VMware Virtual Machines to Protect Machines At Rest and In Transit
One of the advantages of virtual machines (VMs) is that they are portable. Copy a VM's image and you can run it on any physical server. That also means anyone who can read the VM's image can read its files and data.
VMs are also exposed when a running VM is transferred to another server. Anyone with access to the network could access the VM and its data in transit.
When using virtual machines from VMware, you can use encryption to protect your virtual machine both at rest and in transit, just like any other data you store and transmit.
Encryption in VMware
VMware now includes encryption in vSphere 6.5, making it possible to encrypt VMs without third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is managed entirely by the hypervisor, so the keys are never exposed to the VM and a compromised guest OS cannot recover them.
Encrypting VMs relies on keys, so you need key management software in place before you can use VM encryption. Without the keys, encrypted VM files can't be read or executed. When you encrypt a VM, its disk files, snapshots, swap files, and dumps are all protected. A few configuration and log files remain unencrypted, either because they contain nothing sensitive or because they support operations that must run regardless of whether the disks are encrypted.
There is some overhead from the encryption and decryption operations, but VMware reports the impact is minimal. If performance is still a concern, running on servers that support AES-NI instructions speeds up the cryptographic work.
For encrypted vMotion, a random one-time key is generated and sent to the hosts involved in the migration. It is the VM's data itself that is protected, not the network, so the traffic cannot be snooped. No certificates are needed, and no network settings have to change. Encrypted VMs always require encrypted vMotion, but you can also use encrypted vMotion for unencrypted VMs.
Flexibly Managed Encryption
While encryption offers benefits, you may not always want to use it. vSphere allows you to control whether encryption is applied to a VM’s virtual disks and configuration files through storage policies.
You also have control over who can manage encryption in VMware. Encryption privileges need not be granted to every VM administrator, so you can restrict this sensitive function to a small set of trusted accounts.
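The encryption state and vMotion setting described above can be audited across the inventory. The following PowerCLI function is an added example, not code from the original article or from VMware; it assumes the VMware.PowerCLI module is installed, a vCenter session is already open with Connect-VIServer, and it reads the vSphere API fields VirtualMachineConfigInfo.keyId and VirtualMachineConfigInfo.migrateEncryption through the objects' ExtensionData.

```powershell
# Added example (not from the original article): audit VM encryption with PowerCLI.
# Assumes Connect-VIServer has already been run against the target vCenter.

function Get-VMEncryptionAudit {
    param(
        # VM objects from Get-VM; defaults to every VM in the connected inventory
        [Parameter(ValueFromPipeline = $true)]
        $VM = (Get-VM)
    )
    process {
        foreach ($v in $VM) {
            $cfg = $v.ExtensionData.Config
            if ($null -eq $cfg) {
                # Orphaned or inaccessible VMs expose no config; report and move on
                [pscustomobject]@{ Name = $v.Name; Encrypted = $null
                    KeyProvider = $null; VMotionEncryption = $null
                    Finding = 'Config unavailable' }
                continue
            }
            # keyId is populated only when the VM's disks/config are encrypted
            $encrypted = $null -ne $cfg.KeyId
            # migrateEncryption is 'disabled', 'opportunistic' or 'required'
            $vmotion = $cfg.MigrateEncryption
            $finding = if ($encrypted -and $vmotion -ne 'required') {
                # vSphere forces 'required' for encrypted VMs; anything else is unexpected
                'Encrypted VM without required encrypted vMotion'
            } elseif (-not $encrypted -and $vmotion -eq 'disabled') {
                'Unencrypted VM; vMotion traffic unprotected'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Name              = $v.Name
                Encrypted         = $encrypted
                KeyProvider       = if ($encrypted) { $cfg.KeyId.ProviderId.Id } else { $null }
                VMotionEncryption = $vmotion
                Finding           = $finding
            }
        }
    }
}

# Usage: list only the VMs that need attention
Get-VM | Get-VMEncryptionAudit | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```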
Application and Data Security
Encrypting your virtual machines is one important step you can take to protect your confidential applications and data. The team at Prescient Solutions is certified in VMware as well as ISACA and ISC2 security policies. We bring our expertise in cybersecurity to help you leverage security tools to ensure your network, applications, and data are safe. Contact us to learn how VM encryption can be part of your information security strategy.