In the previous post in this series, we looked at Virtualization-based Security and how it may benefit virtualized Domain Controllers. However, VMware vSphere 6.5 and newer versions offer one more feature for virtualized Domain Controllers that you might want to look into, from both an Active Directory and a virtualization platform management point of view: VM Encryption.
About VM Encryption
VM Encryption is a security mechanism that allows certain virtual machines to run on trusted hosts only. Trusted hosts are those that receive the required encryption keys from a KMIP 1.1-compliant Key Management Server (KMS) through a vCenter Server that has been manually enrolled with that KMS.
Two types of keys are used for encryption.
- A vCenter Server requests keys from the KMS. These keys are used as the key encryption key (KEK) and are AES-256 keys. vCenter Server stores only the ID of each KEK, but not the key itself.
- ESXi uses the KEK to encrypt the internal keys. These keys are used as data encryption keys (DEKs) and are XTS-AES-256 keys. ESXi stores the encrypted internal keys on disk. ESXi does not store the KEK on disk.
If a host reboots, vCenter Server requests the KEK with the corresponding ID from the KMS and makes it available to ESXi. ESXi can then decrypt the internal keys as needed.
VM Encryption encrypts the VM configuration files. When the virtual machine boots on a trusted ESXi host, the host decrypts those files with the internal key (DEK), which it can only unwrap with the KEK it obtains from vCenter Server. The host is only able to do this if vCenter Server grants it the KEK.
If a virtual machine cannot read its configuration files, it won’t be able to power on.
You cannot associate an encrypted virtual disk with a virtual machine that is not encrypted.
Benefits of using VM Encryption
The benefits of using VM Encryption for virtual Domain Controllers are threefold:
- The virtualized Domain Controllers that are protected with VM Encryption are only able to run on trusted hosts.
- The virtual disks of the virtualized Domain Controllers that are protected with VM Encryption cannot be reused as disks for another virtual machine.
- Only administrators that have the highest permissions in vSphere are able to manage and access the virtualized Domain Controllers that are protected with VM Encryption.
Basically, VM Encryption delivers on the promise of virtualization, without the need to worry about VMDKs getting stolen.
The Key Management Server (KMS) itself can be an on-premises virtual machine, but it can also be a hosted, highly available service off-premises.
VM encryption and DC Cloning
Virtualized Domain Controllers that are protected with VM Encryption can be cloned for Domain Controller cloning. The clone inherits the parent's encryption state, including its keys. You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the full clone. However, for Domain Controller clones, it's fastest to perform a shallow re-encrypt while the virtual machine is powered on.
Drawbacks and non-benefits of using VM Encryption
VM Encryption does not necessarily entail encryption of the virtual disk. VM Encryption does not automatically enable BitLocker Drive Encryption, either.
Backend storage features such as deduplication and compression might not be effective for encrypted virtual machines.
Not all backup solutions that use VMware vSphere Storage API – Data Protection (VADP) for virtual disk backup are supported, because VADP SAN backup solutions are not supported with encrypted virtual machines. Backup solutions that take backups from within the virtual machine, like Veeam’s Agent for Windows, will be able to make unencrypted backups. These backups of encrypted Domain Controllers should be stored with the same level of information security measures as the Domain Controllers themselves.
To use the VM Encryption functionality, you’ll need to meet the following requirements:
- At least one ESXi host running VMware vSphere 6.5, or up
- vCenter Server version 6.5, or up, managing the ESXi host(s) above
- A KMIP 1.1-compliant Key Management Server (KMS) like Hytrust’s KeyControl
Configuring VM Encryption
Configuring VM Encryption for virtualized Domain Controllers consists of the following steps:
- Enabling Hytrust KeyControl's KMIP Service
- Creating a Certificate Signing Request from vSphere
- Creating a user certificate for VM Encryption
- Establishing the trust between the KMS and vCenter
Enabling Hytrust KeyControl’s KMIP Service
First, we need to make sure Hytrust KeyControl acts as the Key Management Interoperability Protocol (KMIP) 1.1-compliant Key Management Server that we need. Perform the following steps:
- Sign in to the Hytrust KeyControl web console with an account that has Security Admin privileges (the secroot account has these permissions, by default).
- Click on KMIP in the top navigation bar.
- Click the State drop-down box and change it to ENABLED.
- Click the Protocol drop-down box and change it to Version 1.1.
- Save the settings by clicking the Apply button at the bottom of the screen.
A modal screen appears asking to Overwrite all existing KMIP Server settings?
- Click the Proceed button in the modal screen.
You will notice a new alert confirming the KMIP server is now started.
Creating a Certificate Signing Request from vSphere
To build a certificate trust relationship, we'll start with creating a certificate signing request (CSR) from vSphere. That way, when we create the certificate at the Key Management Server, we can use the information in the CSR to populate the values. For this walkthrough, vCenter 6.7 was used. Perform these steps:
- Start the vSphere Web Client and sign in with an account that has administrator permissions.
- In the left navigation pane, select the vCenter Server (Appliance)
- In the main pane, from the tabs, click the Configure tab.
- In the main pane, in the navigation menu, select the Key Management Servers node.
- Click ADD.
The Add Key Management Server modal screen appears.
- Specify to create a new cluster or to add the KMS host to an existing cluster.
- Specify the name, address and port of the KMS Server.
- Click the OK button at the bottom of the modal screen to add the server and close the modal screen.
The Make vCenter Trust KMS modal screen appears.
- Click the Trust button to trust the certificate of the Key Management Server and close the modal screen.
The KMS host is now added to the list of Key Management Servers in vCenter. You can see it in the main pane, but in the Connection Status column, it will issue a warning Not connected (trust not established).
- In the main pane, select the Key Management Server from the list.
- Click ESTABLISH TRUST and then select Make KMS Trust vCenter from the context menu.
The Make KMS trust vCenter modal screen appears.
- On the Choose a method screen, select the New Certificate Signing Request (CSR) option to submit a vCenter-generated CSR to the KMS then upload the new KMS-signed certificate to vCenter.
- Click the Next button.
- On the Submit CSR to KMS screen, click the DOWNLOAD button at the bottom of the certificate request to download it as a *.pem file.
- Click the DONE button.
Creating a user certificate for VM Encryption
For the connection between the vCenter Server and the Hytrust KeyControl implementation, we'll create a new user certificate in the following steps, while still signed in to the Hytrust KeyControl web console:
- In the Hytrust KeyControl web console, while still in the KMIP section of the console, switch to the Client Certificates tab.
- From the Actions menu, choose the Create Certificate option.
The Create a New Client Certificate modal screen appears.
- Provide a meaningful certificate name, for instance the name of the vCenter Server.
- Specify the previously downloaded certificate signing request (CSR) as the CSR.
- Provide a password for the client certificate twice.
- Click the Create button at the bottom of the modal screen to create the client certificate and close the modal screen.
- Select the newly created certificate in the main pane.
- Click Actions again. This time, select Download Certificate from the menu.
This downloads a client certificate in *.pem format inside a *.zip file. Be sure to extract the certificates from the *.zip file before you continue.
Establishing the trust between the KMS and vCenter
Now, we can create the connection between the KMS and vCenter. Perform these steps to do so:
- Switch back to the vSphere Web Client.
It should still be at the Key Management Servers part of the Configuration of the vCenter Server. If not, navigate back to it.
- In the main pane, select the KMS host from the list of Key Management Servers.
- Click ESTABLISH TRUST and then select Make vCenter Trust KMS from the context menu.
- Click the Trust button at the bottom of the modal screen.
- Click ESTABLISH TRUST again. This time select Upload Signed CSR Certificate from the context menu.
The Upload Signed CSR Certificate modal screen opens.
- Click the UPLOAD A FILE button.
- Select the *.pem file you downloaded from the Hytrust KeyControl implementation and click Open.
- Click the UPLOAD button at the bottom of the Upload Signed CSR Certificate modal screen to use this certificate and close the modal screen.
The Key Management Server should now show the Connected status in the Connection Status column.
Repeat the above steps until every Key Management Server in a highly available KMS cluster has been configured and trusted.
Encrypting a new virtual machine
The last step towards encrypted Domain Controllers is to create Domain Controllers as encrypted virtual machines. In the vSphere Web Client, take care of the following setting:
On the Select storage page of the New Virtual Machine wizard, select the Encrypt this virtual machine option.
Specify any other settings, for instance the right settings for Virtualization-based Security for the virtual machine, too.
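Once the Domain Controllers are created this way, the practical question for an Active Directory admin is how to verify, rather than trust, that every DC's VM home and every virtual disk is actually encrypted and which key provider holds its KEK. The following PowerCLI audit is an added example, not code from the original post or from VMware or Hytrust. It assumes VMware PowerCLI is installed and that you are connected to vCenter with Connect-VIServer; the vCenter address and the 'DC*' naming pattern are assumptions to adjust for your environment. The vCenter-side key-provider listing uses the vSphere API CryptoManagerKmip object (ListKmipServers), which requires Cryptographer privileges on vCenter.

```powershell
# Added example (not part of the original post): audit the VM Encryption state of
# virtualized Domain Controllers and list the KMS clusters this vCenter trusts.
# Assumptions: PowerCLI is installed; the vCenter address and the 'DC*' name
# pattern below are placeholders for your own environment.

Connect-VIServer -Server 'vcenter.example.internal' | Out-Null   # placeholder address

# 1. Key providers (KMS clusters) known to vCenter, and which one is the default.
#    vCenter stores only KEK IDs, so this tells you where the KEKs live, not the keys.
$si        = Get-View ServiceInstance
$cryptoMgr = Get-View $si.Content.CryptoManager           # CryptoManagerKmip
foreach ($cluster in $cryptoMgr.ListKmipServers($null)) {
    [PSCustomObject]@{
        KmsCluster = $cluster.ClusterId.Id
        Default    = $cluster.UseAsDefault
        Servers    = ($cluster.Servers | ForEach-Object {
                         "$($_.Name)=$($_.Address):$($_.Port)" }) -join ', '
    }
}

# 2. Per Domain Controller: is the VM home encrypted, which KEK ID / provider is
#    referenced, and does every virtual disk carry an encryption key as well?
$report = foreach ($vm in Get-VM -Name 'DC*') {
    $cfg        = $vm.ExtensionData.Config
    $disks      = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualDisk] })
    $plainDisks = @($disks | Where-Object { $null -eq $_.Backing.KeyId })
    [PSCustomObject]@{
        Name            = $vm.Name
        Host            = $vm.VMHost.Name
        PowerState      = $vm.PowerState
        HomeEncrypted   = ($null -ne $cfg.KeyId)          # KeyId is only set on encrypted VMs
        KekId           = if ($cfg.KeyId) { $cfg.KeyId.KeyId } else { '-' }
        KeyProvider     = if ($cfg.KeyId -and $cfg.KeyId.ProviderId) { $cfg.KeyId.ProviderId.Id } else { '-' }
        DiskCount       = $disks.Count
        UnencryptedDisk = $plainDisks.Count
    }
}
$report | Format-Table -AutoSize

# 3. Flag any DC that does not match the intended state (encrypted home AND all disks).
$report |
    Where-Object { -not $_.HomeEncrypted -or $_.UnencryptedDisk -gt 0 } |
    ForEach-Object { Write-Warning "DC '$($_.Name)' on $($_.Host) is not fully encrypted" }
```

Run this on a schedule and treat any warning as a configuration drift finding: a DC with an unencrypted VM home or disk is exactly the VMDK that could be attached to another, untrusted virtual machine. Mapping the KekId back to the listed key provider also confirms that the DC depends on the KMS cluster you intended, rather than a stale or test cluster.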
VM Encryption provides the level of assurance that Active Directory admins need from the virtualization platform that their virtualized Domain Controllers cannot be run outside of the trusted vCenter scope.