Virtual Machine Encryption Objective: Register a KMS with vCenter Server and

encrypt a virtual machine

In this lab, you perform the following tasks: 1 . Verify Access to the Key Management Server 2 . Register the KMS with vCenter Server 3. Create an Encryption Storage Policy 4. Encrypt a Virtual Machine

5. Check vCenter Server Events

6. Use Encrypted vSphere vMotion to Migrate Virtual Machines

Task 1 : Verify Access to the Key Management Server

You verify that you can access the key management server (KMS).

The KMS used in this lab is a simple Python-based key server that keeps keys while the KMS is running. 1 . Use MTPuTTY to log in to vCenter Server Appliance.

a. On the taskbar, click the MT PuT T Y icon.

b. In the left pane, double-click SA-VCSA-0 1.

You are logged in to vCenter Server Appliance as user root.

2. Ping sa-keyserver-0 1 , the key management server. a. At the command prompt, enter shell.

b. At the shell command prompt, ping the key management server.

p ing sa- k e y s e rve r - 0 1

c. Verify that the ping is successful.

d. Press Ctrl+C to end the ping command.

3. Exit the MTPuTTY session and close the MTPuTTY window. Task 2: Register the KMS with vCenter Server

You register the KMS with vCenter Server, and you mark the KMS cluster as the default. 1 . Point to the Home icon and select Hosts and Clusters.

2 . At the top of the left pane, select sa-vcsa-01.vclass.local.

3 . In the center pane, click the Configure tab and click Key Management Servers on the left. 4. Click Add KMS .

.J sa-vcsa-01.vclass.local eJ �

@

Getting SL S u m m a ry M o n itor Configure P e rm i s s i o . . . Data c e nters Hosts & (

.... Settings General

Key Management Servers

+Add KMS ... I Actions .... •- ·� �

5. In the Add KMS dialog box, enter SA KMS -Clu s ter in the Cluster name text box.

6. In the Server alias text box, enter KMSl .

7. In the Server address text box, enter 172 . 20 . 10 . 2 0 1 . 1 72.20. 1 0.20 1 is the IP address o f the KMS .

8 . In the Server port text box, enter 5 6 9 6 .

9. Leave the rest of the text boxes blank and click OK.

1 0 . When prompted to set the default KMS cluster, click Yes. 1 1 . When the trust certificate window appears, click Trust.

1 2 . Verify that the KMS appears in the list and that the KMS cluster that you created is marked as the default cluster.

Task 3: Create an Encryption Storage Pol icy

You create a virtual machine storage policy that includes only the encryption common rule. Although a prebuilt policy called VM Encryption Policy is available, you should understand how the policy is created.

1 . Point to the Home icon and select Policies and Profiles.

2 . In the Navigator pane, select VM Storage Policies.

3 . In the center pane, click the Create VM Storage Policy icon.

� VM Storage Policies

Sto ra g e Pc

The Create New VM Storage Policy wizard appears.

4. On the Name and description page, enter SA Encryption Policy in the Name text box and click Next.

5. On the Policy structure page, click Next.

6. On the Common rules page, select the Use common rules in the VM storage policy check box.

7. Click Add component and select Encryption > Custom.

The custom properties show that the provider is VMware VM Encryption and that I/O filters are not allowed before encryption.

8. Click Next.

9. On the Rule-set 1 page, deselect the Use rule-sets in the storage policy check box and click

Next.

1 0 . On the Storage compatibility page, review the compatible storage.

All storage is compatible with the encryption filter because the filter is applied as a common rule, so the filter is storage agnostic.

1 1 . Click Next.

1 2 . On the Ready to complete page, click Finish.

1 3 . Verify that your encryption policy appears in the storage policies list.

Task 4: Encrypt a Vi rtual Machine You encrypt a virtual machine.

1 . Point to the Home icon and select Hosts and Clusters.

2. In the left pane, right-click VMOl and select VM Policies> Edit VM Storage Policies.

3. In the Edit VM Storage Policies dialog box, select SA Encryption Policy from the VM storage policy drop-down menu.

4. Click Apply to all and click OK.

5. In the Recent Tasks pane, monitor the task to completion. 6. Verify that the virtual machine is encrypted.

a. In the left pane, select VMO l.

b. In the center pane, click the Summary tab. c. Expand the VM Hardware panel.

The panel states that the virtual machine configuration files and the hard disk are encrypted.

Task 5: Check vCenter Server Events You view vCenter Server cryptographic events.

1 . At the top of the left pane, select sa-vcsa-01. vclass.local. 2. In the center pane, click the Monitor tab.

3 . Click Tasks & Events and click Events on the left.

4. In the filter box, enter crypto and press Enter.

5. Select the cryptographic operation that was performed when the virtual machine was encrypted. The cryptographic operation is recorded along with the user that initiated the task.

Task 6: Use Encrypted vSphere vMotion to Migrate Virtual Machi nes

You use encrypted vSphere vMotion to migrate VMO l (the encrypted virtual machine) and VM02 (an unencrypted virtual machine) to a different host.

1 . View the vSphere vMotion encryption state on VMO l .

a. In the left pane, right-click VMO l and select Edit Settings. b. Click the VM Options tab.

c. Expand the Encryption panel.

Because VMO 1 is encrypted, the Encrypted vMotion state is always Required and cannot be changed.

d. Click Cancel.

2 . View the vSphere vMotion encryption state on VM02.

a. In the left pane, right-click VM02 and select Edit Settings. b. Click the VM Options tab.

c . Expand the Encryption panel.

Because VM02 is not encrypted, the default state is Opportunistic. d. Keep the default and click Cancel.

3 . Power on VMO 1 and VM02.

4. Migrate VMO l and VM02 to sa-esxi-03.vclass.local.

a. Right-click VMOl and select Migrate.

b. On the Select the migration type page, leave Change compute resource only clicked and click Next.

c. On the Select a compute resource page, click sa-esxi-03.vclass.local and click Next. d. On the Select networks page, select pg-SA Management and click Next.

e . On the Select vMotion priority page, click Next.

f. On the Ready to complete page, click Finish.

g. Click the Summary tab ofVMO l and verify that VMO l is now on sa-esxi-03 .vclass .local. h. Repeat steps a through g to migrate VM02.

5. View the hot migration events that occurred.

a. At the top of the left pane, select sa-vcsa-01.vclass.local. b. In the center pane, click the Monitor tab.

c. Click Tasks & Events and click Events on the left. d. In the filter box, enter encryption.

You should see two events that begin with "Hot migrating VM02" and "Hot migrating VMO l . "

e . Select each of these events and view the description.

The description mentions that a hot migration was performed with encryption.