vSAN and Data-At-Rest Encryption – Why SEDs are not Supported (i.e. Part 3)

I first wrote about vSAN and Encryption here: Virtual SAN and Data-At-Rest Encryption

And then again here: vSAN and Data-At-Rest Encryption – Rebooted (i.e. Part 2)

And then vSAN Encryption went live in vSAN 6.6 announced here: vSAN 6.6 – Native Data-at-Rest Encryption

Today I was asked whether vSAN supports Self Encrypting Drives (SEDs). The answer is no. The vSAN product team evaluated SEDs, but there are too few choices, they are too expensive, and they increase the operational burden.

vSAN only supports vSAN Encryption, VM Encryption, or other 3rd party VM encryption solutions like HyTrust DataControl.

vSAN is Software Defined Storage, so the product team decided to focus on software-based encryption, which lets vSAN support data-at-rest encryption (D@RE) on any storage device that exists today or will come in the future. When vSAN went live with support for Intel Optane, this new flash device was immediately capable of D@RE. The vSAN Encryption operational model is simple: check a box to enable it on the vSAN datastore and point it at a Key Management Server. There is one encryption key to manage for the entire vSAN datastore. The additional benefits of vSAN Encryption are that it supports vSAN Dedupe and Compression, and vSAN 6.7 encryption has achieved FIPS 140-2 validation.

Another choice is to leverage VMware’s VM Encryption described here: What’s new in vSphere 6.5: Security
This is per-VM encryption: you point vCenter at a Key Management Server and then enable encryption per VM via policy. This flexibility allows some VMs to be encrypted and others not. And if a VM is migrated to another vSphere cluster or to VMware Cloud on AWS, the encryption and key management follow the VM. This requires the administrator to manage a key per VM, and because the encryption happens as soon as the write leaves the VM and passes through the VAIO filter, no storage system will be able to dedupe the VM's data, since each encrypted block is unique.

Finally, there are various 3rd party per-VM encryption solutions on the market that vSAN also supports, for instance HyTrust DataControl.

I hope this helps clear up what options there are for vSAN encryption and the various tradeoffs.

VMworld Hands-on-Labs – 9,640 Labs Were delivered by vSAN

The Hands-on-Labs (HoL) at VMworld are always a big hit. A ton of work goes into putting them on and supporting them and everyone seems to love them. This was a big year for vSAN in the HoL. At VMworld Las Vegas, 11,444 labs were completed and the vSAN lab, HOL-1808-01-HCI – vSAN 6.6, was the #2 overall lab completed. Our NSX friends held the #1 spot.

The HoLs were delivered from 5 different data centers. Each handled approximately 20% of the workload. vSAN was the storage in 4 of the data centers. 2 of the 4 were VMware data centers running vSphere, NSX, and vSAN for software defined compute, network and storage. Another was IBM BlueMix (SoftLayer) built with VMware Cloud Foundation (vSphere, NSX, vSAN, and SDDC Manager). And the other was VMware Cloud on AWS, also built with VMware Cloud Foundation (vSphere, NSX, vSAN, and SDDC Manager). The 5th data center was another VMware data center running traditional storage. This is a great Hybrid Cloud / Multi Cloud example leveraging 3 of our own datacenters and 2 of the largest public cloud data centers offering Infrastructure as a Service (IaaS).

(Figure: VMware Cross Cloud Architecture)

9,640 of the HoLs were deployed across the 4 vSAN data centers, which means 84% of the labs delivered at VMworld US ran on vSAN. To support the HoLs, over 90,000 VMs were provisioned in just 5 days. Actually, more than that, since extra HoLs are pre-provisioned and don't all get used. This is a huge win for HCI and vSAN, as it performed like a champ under this heavy workload.

These stats are too impressive not to share and they are a great testament to all the people that make it happen.


vSAN and Data-At-Rest Encryption – Rebooted (i.e. Part 2)


Encryption is here, now shipping with vSphere 6.5.

I first wrote about vSAN and Encryption here:

Virtual SAN and Data-At-Rest Encryption – https://livevirtually.net/2015/10/21/virtual-san-and-data-at-rest-encryption/

At the time, I knew what was coming but couldn’t say. Also, the vSAN team had plans that changed. So, let’s set the record straight.

vSAN

  • Does not support Self Encrypting Drives (SEDs) with encryption enabled.
  • Does not support controller based encryption.
  • Supports 3rd party software based encryption solutions like HyTrust DataControl and Dell EMC Cloud Link.
  • Supports the VMware VM Encryption released with vSphere 6.5.
  • Will support its own VMware vSAN Encryption in a future release.

At VMworld 2016 in Barcelona VMware announced vSphere 6.5 and with it, VM Encryption. In the past, VMware relied on 3rd party encryption solutions, but now, VMware has its own. For more details, check out:

What’s new in vSphere 6.5: Security – https://blogs.vmware.com/vsphere/2016/10/whats-new-in-vsphere-6-5-security.html

In this, Mike Foley briefly highlights a few advantages of VM Encryption. Stay tuned for more from him on this topic.

In addition to what Mike highlighted, VM Encryption is implemented using VAIO Filters, can be enabled per VM object (vmdk), encrypts VM data no matter what storage solution is implemented (e.g. object, file, or block storage from vendors like VMware vSAN, Dell Technologies, NetApp, IBM, HDS, etc.), and satisfies both data-in-flight and data-at-rest encryption. The solution does not require SEDs, so it works with all commodity HDD, SSD, PCIe, and NVMe devices, and it integrates with several third party Key Management solutions. Since VM Encryption is set via policy, that policy could be extended to public clouds like Cloud Foundation on IBM SoftLayer, VMware Cloud on AWS, VMware vCloud Air or any vCloud Air Network partner. This is great because your VMs could live in the cloud while you still own and control the encryption keys. And you can use different keys for different VMs.

At VMworld 2016 in Las Vegas VMware announced the upcoming vSAN Beta. For more details see:

Virtual SAN Beta – Register Today! – https://blogs.vmware.com/virtualblocks/2016/09/07/virtual-san-beta-register-today/

This vSAN Beta includes vSAN Encryption, targeted for a future release of vSphere. vSAN Encryption will satisfy data-at-rest encryption. You might ask why vSAN Encryption would be necessary if vSphere already has VM Encryption. I will say that you should always look to use VM Encryption first. The one downside to VM Encryption is that since the VM's data is encrypted as soon as it leaves the VM and hits the ESXi kernel, each block is unique, so no matter what storage system that data goes to (e.g. VMware vSAN, Dell Technologies, NetApp, IBM, HDS, etc.) that block can't be deduped or compressed. The benefit of vSAN Encryption will be that the encryption is done at the vSAN level. Data will be sent to the vSAN cache and encrypted at that tier. When it is later destaged, it will be decrypted, deduped, compressed, and encrypted again when it's written to the capacity tier. This satisfies the data-at-rest encryption requirements but not data-in-flight. It does allow you to take advantage of the vSAN dedupe and compression data services, and it's one key for the entire vSAN datastore.
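The dedupe trade-off described above (and in the Part 3 post at the top of this page) is easy to see with a small simulation. The following is an added example, not code from this blog or from VMware: it models three VMs cloned from one golden image, runs the same blocks through "encrypt in the VAIO filter, then let storage dedupe" and through "dedupe plaintext at destage, then encrypt with the datastore key", and compares how many blocks land on disk. The block size, the workload, and the toy HMAC-based counter-mode cipher are all constructed for the illustration; the real products use AES, and the cipher here only stands in so the script runs with the standard library.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 4096  # constructed block size for the illustration


def keystream_encrypt(key: bytes, nonce: bytes, block: bytes) -> bytes:
    """Toy counter-mode cipher: XOR the block with HMAC-SHA256(key, nonce || counter).

    Stand-in for the real AES modes so the example runs offline; it is NOT the cipher
    VM Encryption or vSAN Encryption uses. Applying it twice with the same key and
    nonce decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(block):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(block, stream))


def dedupe(blocks):
    """Content-addressed dedupe: unique blocks keyed by the SHA-256 of their content."""
    return {hashlib.sha256(b).digest(): b for b in blocks}


def vm_encryption_path(vm_blocks, per_vm_keys):
    """VM Encryption model: every write is encrypted under that VM's key with a fresh
    nonce before the storage layer sees it, so storage can only dedupe ciphertext.
    Returns (dedupe ratio, blocks stored)."""
    ciphertexts = []
    for vm, blocks in vm_blocks.items():
        for block in blocks:
            ciphertexts.append(keystream_encrypt(per_vm_keys[vm], os.urandom(16), block))
    unique = dedupe(ciphertexts)
    return len(ciphertexts) / len(unique), len(unique)


def vsan_encryption_path(vm_blocks, datastore_key):
    """vSAN Encryption model at destage: dedupe the plaintext first, then encrypt only
    the unique blocks with the single datastore key. Returns (dedupe ratio, blocks stored)."""
    plaintext = [b for blocks in vm_blocks.values() for b in blocks]
    unique = dedupe(plaintext)
    stored = [keystream_encrypt(datastore_key, os.urandom(16), b) for b in unique.values()]
    return len(plaintext) / len(stored), len(stored)


def sample_workload():
    """Constructed data: three VMs cloned from the same 8-block golden image, each
    with one block of its own (27 logical blocks, 11 distinct)."""
    golden = [bytes([i]) * BLOCK_SIZE for i in range(8)]
    return {f"vm{n}": golden + [os.urandom(BLOCK_SIZE)] for n in range(3)}


def compare():
    vm_blocks = sample_workload()
    per_vm_keys = {vm: os.urandom(32) for vm in vm_blocks}  # one key per VM
    datastore_key = os.urandom(32)                          # one key per vSAN datastore
    return {
        "vm_encryption": vm_encryption_path(vm_blocks, per_vm_keys),
        "vsan_encryption": vsan_encryption_path(vm_blocks, datastore_key),
    }


if __name__ == "__main__":
    for model, (ratio, stored) in compare().items():
        print(f"{model}: dedupe ratio {ratio:.2f}, {stored} blocks on disk")
```

The VM Encryption path stores all 27 blocks (ratio 1.0) because a fresh nonce makes every ciphertext block unique, even for the three identical copies of the golden image; the vSAN path stores 11. The same ordering applies to compression, since good ciphertext is incompressible. Note that both paths still encrypt every block that reaches disk; what changes is only where in the stack the encryption happens relative to the data services.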

It should be noted that both solutions will require a 3rd party Key Management Server (KMS) and the same one can be used for both VM Encryption and vSAN Encryption. The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard. There are many that do and VMware has tested a lot of them. We’ll soon be publishing a list, but for now, check with your KMS vendor or your VMware SE for details.

VMware is all about customer choice. So, we offer a number of software based encryption options depending on your requirements.

It's worth restating that VM Encryption should be the standard for software based encryption for VMs. After reviewing vSAN Encryption, some may choose it instead if they want to take advantage of deduplication and compression. Duncan Epping provides a little more detail here:

The difference between VM Encryption in vSphere 6.5 and vSAN encryption – http://www.yellow-bricks.com/2016/11/07/the-difference-between-vm-encryption-in-vsphere-6-5-and-vsan-encryption/


In summary:

  1. Use VM Encryption for Hybrid vSAN clusters
  2. Use VM Encryption on All-Flash if storage efficiency (dedupe/compression) is not critical
  3. Wait for vSAN native software data at rest encryption if you must have dedupe/compression on All-Flash


Correlating vSAN versions with vSphere (vCenter & ESXi) Versions

I often get asked if a certain version of vSAN can be deployed on a different version of vSphere. The answer is no. vSAN is built into the vSphere version. That means vCenter needs to be upgraded to the correct version of vCenter and all the hosts in the cluster need to be upgraded to the correct version of ESXi in order to get the features of that version of vSAN. Lastly, vSAN formats each disk drive with an on-disk format, so to get the full features of a specific release, you may need to update the on-disk format.

Here’s basically how everything breaks down:

  • If you have vSphere 5.5 (vCenter Server 5.0 & ESXi 5.0) then you have vSAN 5.5.
  • If you have vSphere 6.0 (vCenter Server 6.0 & ESXi 6.0) then you have vSAN 6.0.
  • If you have vSphere 6.0 U1 (vCenter Server 6.0 Update 2 & ESXi 6.0 Update 1) then you have vSAN 6.1.
  • If you have vSphere 6.0 U2 (vCenter Server 6.0 Update 2 & ESXi 6.0 Update 2) then you have vSAN 6.2.
  • If you have vSphere 6.5 (vCenter Server 6.5 & ESXi 6.5) then you have vSAN 6.5.
  • If you have vSphere 6.5.0d (vCenter Server 6.5.0d & ESXi 6.5.0d) then you have vSAN 6.6.
  • If you have vSphere 6.5 Update 1 (vCenter Server 6.5 Update 1 & ESXi 6.5 Update 1) then you have vSAN 6.6.1.
  • If you have vSphere 6.7 (vCenter Server 6.7 & ESXi 6.7) then you have vSAN 6.7.

Here’s a more detailed matrix:

| Version | Release Date | Build Number | Installer Build Number | vSAN Version | vSAN On-Disk Format (Web Client) |
|---|---|---|---|---|---|
| ESXi 6.5 U2 | 2018-05-03 | 8294253 | N/A | 6.6.1 U2 | 5 |
| ESXi 6.7 GA | 2018-04-17 | 8169922 | N/A | 6.7 GA | 6 |
| ESXi 6.6.1 Patch 02 | 2017-12-19 | 7388607 | N/A | 6.6.1 Patch 02 | 5 |
| ESXi 6.5 Express Patch 4 | 2017-10-05 | 6765664 | N/A | 6.6.1 Express Patch 4 | 5 |
| ESXi 6.5 Update 1 | 2017-07-27 | 5969303 | N/A | 6.6.1 | 5 |
| ESXi 6.5.0d | 2017-04-18 | 5310538 | N/A | 6.6 | 5 |
| ESXi 6.5 Express Patch 1a | 2017-03-28 | 5224529 | N/A | 6.5 Express Patch 1a | 3 |
| ESXi 6.5 Patch 01 | 2017-03-09 | 5146846 | 5146843 | 6.5 Patch 01 | 3 |
| ESXi 6.5.0a | 2017-02-02 | 4887370 | N/A | 6.5.0a | 3 |
| ESXi 6.5 GA | 2016-11-15 | 4564106 | N/A | 6.5 | 3 |
| ESXi 6.0 Patch 7 | 2018-07-26 | 9239799 | N/A | 6.2 Patch 7 | 3 |
| ESXi 6.0 Patch 6 | 2017-11-09 | 6921384 | N/A | 6.2 Patch 6 | 3 |
| ESXi 6.0 Express Patch 11 | 2017-10-05 | 6765062 | N/A | 6.2 Express Patch 11 | 3 |
| ESXi 6.0 Patch 5 | 2017-06-06 | 5572656 | N/A | 6.2 Patch 5 | 3 |
| ESXi 6.0 Express Patch 7c | 2017-03-28 | 5251623 | N/A | 6.2 Express Patch 7c | 3 |
| ESXi 6.0 Express Patch 7a | 2017-03-28 | 5224934 | N/A | 6.2 Express Patch 7a | 3 |
| ESXi 6.0 Update 3 | 2017-02-24 | 5050593 | N/A | 6.2 Update 3 | 3 |
| ESXi 6.0 Patch 4 | 2016-11-22 | 4600944 | N/A | 6.2 Patch 4 | 3 |
| ESXi 6.0 Express Patch 7 | 2016-10-17 | 4510822 | N/A | 6.2 Express Patch 7 | 3 |
| ESXi 6.0 Patch 3 | 2016-08-04 | 4192238 | N/A | 6.2 Patch 3 | 3 |
| ESXi 6.0 Express Patch 6 | 2016-05-12 | 3825889 | N/A | 6.2 Express Patch 6 | 3 |
| ESXi 6.0 Update 2 | 2016-03-16 | 3620759 | N/A | 6.2 | 3 |
| ESXi 6.0 Express Patch 5 | 2016-02-23 | 3568940 | N/A | 6.1 Express Patch 5 | 2 |
| ESXi 6.0 Update 1b | 2016-01-07 | 3380124 | N/A | 6.1 Update 1b | 2 |
| ESXi 6.0 Express Patch 4 | 2015-11-25 | 3247720 | N/A | 6.1 Express Patch 4 | 2 |
| ESXi 6.0 U1a (Express Patch 3) | 2015-10-06 | 3073146 | N/A | 6.1 U1a (Express Patch 3) | 2 |
| ESXi 6.0 U1 | 2015-09-10 | 3029758 | N/A | 6.1 | 2 |
| ESXi 6.0.0b | 2015-07-07 | 2809209 | N/A | 6.0.0b | 2 |
| ESXi 6.0 Express Patch 2 | 2015-05-14 | 2715440 | N/A | 6.0 Express Patch 2 | 2 |
| ESXi 6.0 Express Patch 1 | 2015-04-09 | 2615704 | 2615979 | 6.0 Express Patch 1 | 2 |
| ESXi 6.0 GA | 2015-03-12 | 2494585 | N/A | 6.0 | 2 |
| ESXi 5.5 Patch 10 | 2016-12-20 | 4722766 | 4761836 | 5.5 Patch 10 | 1 |
| ESXi 5.5 Patch 9 | 2016-09-15 | 4345813 | 4362114 | 5.5 Patch 9 | 1 |
| ESXi 5.5 Patch 8 | 2016-08-04 | 4179633 | N/A | 5.5 Patch 8 | 1 |
| ESXi 5.5 Express Patch 10 | 2016-02-22 | 3568722 | N/A | 5.5 Express Patch 10 | 1 |
| ESXi 5.5 Express Patch 9 | 2016-01-04 | 3343343 | N/A | 5.5 Express Patch 9 | 1 |
| ESXi 5.5 Update 3b | 2015-12-08 | 3248547 | N/A | 5.5 Update 3b | 1 |
| ESXi 5.5 Update 3a | 2015-10-06 | 3116895 | N/A | 5.5 Update 3a | 1 |
| ESXi 5.5 Update 3 | 2015-09-16 | 3029944 | N/A | 5.5 Update 3 | 1 |
| ESXi 5.5 Patch 5 re-release | 2015-05-08 | 2718055 | N/A | 5.5 Patch 5 re-release | 1 |
| ESXi 5.5 Express Patch 7 | 2015-04-07 | 2638301 | N/A | 5.5 Express Patch 7 | 1 |
| ESXi 5.5 Express Patch 6 | 2015-02-05 | 2456374 | N/A | 5.5 Express Patch 6 | 1 |
| ESXi 5.5 Patch 4 | 2015-01-27 | 2403361 | N/A | 5.5 Patch 4 | 1 |
| ESXi 5.5 Express Patch 5 | 2014-12-02 | 2302651 | N/A | 5.5 Express Patch 5 | 1 |
| ESXi 5.5 Patch 3 | 2014-10-15 | 2143827 | N/A | 5.5 Patch 3 | 1 |
| ESXi 5.5 Update 2 | 2014-09-09 | 2068190 | N/A | 5.5 Update 2 | 1 |
| ESXi 5.5 Patch 2 | 2014-07-01 | 1892794 | N/A | 5.5 Patch 2 | 1 |
| ESXi 5.5 Express Patch 4 | 2014-06-11 | 1881737 | N/A | 5.5 Express Patch 4 | 1 |
| ESXi 5.5 Update 1a | 2014-04-19 | 1746018 | N/A | 5.5 Update 1a | 1 |
| ESXi 5.5 Express Patch 3 | 2014-04-19 | 1746974 | N/A | 5.5 Express Patch 3 | 1 |
| ESXi 5.5 Update 1 | 2014-03-11 | 1623387 | N/A | 5.5 Update 1 | 1 |
| ESXi 5.5 Patch 1 | 2013-12-22 | 1474528 | N/A | 5.5 Patch 1 | 1 |
| ESXi 5.5 GA | 2013-09-22 | 1331820 | N/A | 5.5 | 1 |
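Because vSAN is tied to the ESXi build and to the on-disk format of each disk group, the practical check after an upgrade is "which vSAN version does each host actually deliver, and are any disk groups still on an older format?" The script below is an added example, not VMware's code or a PowerCLI cmdlet: it carries a subset of the matrix above as a build-to-version map, derives the cluster's effective vSAN version from the oldest host (the features of a release only apply once every host is on it), and flags mixed builds, unknown builds, and disk groups whose on-disk format lags their host's release. The host inventory is constructed; in practice you would populate it from vCenter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Build number -> (vSAN version, on-disk format). Entries are a subset of the
# matrix above; a real script would load the full KB 2150753 table.
BUILD_MATRIX: Dict[int, Tuple[str, int]] = {
    8294253: ("6.6.1 U2", 5),
    8169922: ("6.7 GA", 6),
    5969303: ("6.6.1", 5),
    5310538: ("6.6", 5),
    4564106: ("6.5", 3),
    3620759: ("6.2", 3),
    3029758: ("6.1", 2),
    2494585: ("6.0", 2),
    1331820: ("5.5", 1),
}


@dataclass
class Host:
    name: str
    esxi_build: int
    disk_group_formats: List[int]  # on-disk format version reported per disk group


def vsan_for_build(build: int) -> Optional[Tuple[str, int]]:
    """vSAN version and on-disk format shipped with an ESXi build, or None if unknown."""
    return BUILD_MATRIX.get(build)


def effective_vsan_version(hosts: List[Host]) -> Optional[str]:
    """A cluster only gets the features of its oldest host, so report the vSAN
    version of the lowest known ESXi build in the cluster."""
    known = [h.esxi_build for h in hosts if h.esxi_build in BUILD_MATRIX]
    return BUILD_MATRIX[min(known)][0] if known else None


def check_cluster(hosts: List[Host]) -> List[str]:
    """Return human-readable findings about version and on-disk format drift."""
    findings: List[str] = []
    builds = sorted({h.esxi_build for h in hosts})
    if len(builds) > 1:
        findings.append(f"mixed ESXi builds in cluster: {builds}")
    for h in hosts:
        entry = vsan_for_build(h.esxi_build)
        if entry is None:
            findings.append(f"{h.name}: build {h.esxi_build} is not in the matrix; vSAN version unknown")
            continue
        version, expected_format = entry
        for i, fmt in enumerate(h.disk_group_formats):
            if fmt < expected_format:
                findings.append(
                    f"{h.name}: disk group {i} on-disk format {fmt} is below "
                    f"{expected_format} for vSAN {version}; upgrade pending"
                )
            elif fmt > expected_format:
                findings.append(
                    f"{h.name}: disk group {i} on-disk format {fmt} is newer than "
                    f"build {h.esxi_build} supports"
                )
    return findings


def sample_cluster() -> List[Host]:
    """Constructed inventory: two hosts on 6.7 (one with a disk group still on
    format 5) and one host lagging on 6.5 Update 1."""
    return [
        Host("esx01", 8169922, [6, 6]),
        Host("esx02", 8169922, [5, 6]),
        Host("esx03", 5969303, [5, 5]),
    ]


if __name__ == "__main__":
    cluster = sample_cluster()
    print("effective vSAN version:", effective_vsan_version(cluster))
    for line in check_cluster(cluster):
        print("-", line)
```

For the constructed cluster the effective version is 6.6.1, not 6.7, because esx03 has not been upgraded yet, and esx02 is flagged for the disk group still on format 5. A disk group with a format newer than its host's build is also reported, since that is what you would see after rolling a host back.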

As a reference, see:

Build numbers and versions of VMware vSAN (2150753) – This is a new KB article that went up on July 31, 2017 and provides the same information as above.

Build numbers and versions of VMware vCenter Server (2143838)

Build numbers and versions of VMware ESXi/ESX (2143832)

Understanding vSAN on-disk format versions (2145267)


Webcast Virtual SAN Sizing and Design

Here are VMware Online Event Webcasts that I was a part of. The focus is on the hardware options for where you can run Virtual SAN and how to size and design. We don’t go too deep, but there is some useful info here. Check them out here: