September 11, 2023

Security improvements for vSAN 8 U2

Continuous security improvements

Data-at-rest encryption was introduced in vSAN 6.6, making it the industry's first HCI solution with native encryption. The vSphere 6.7 and vSAN 6.7 cryptographic modules achieved FIPS 140-2 validation under the National Institute of Standards and Technology (NIST) program; FIPS 140-2 specifies the security requirements for cryptographic modules. vSphere with vSAN is the only HCI solution with multiple generations of DoD-published Security Technical Implementation Guides (STIGs) for rigorous, standards-based hardening. vSAN 7 Update 1 strengthened this posture by adding data-in-transit encryption, and with vSphere 7 Update 2 vSAN added support for the vSphere Native Key Provider to simplify the safe storage of encryption keys. Today, vSAN is used by a wide variety of organizations to protect data and meet regulatory requirements.

Improved Security Through Enhanced Key Management

As the security capabilities of an infrastructure become more sophisticated, vSAN adapts to support them. To this end, vSAN 8 U2 supports KMS servers that assign a key expiration attribute, that is an expiration date, to the Key Encryption Key (KEK). Skyline Health for vSAN raises a health finding as a KEK's expiration approaches: a warning when 30 days remain and a critical finding when 10 days remain. The finding prompts the administrator to perform a shallow re-key, which generates a new KEK and re-wraps the Data Encryption Keys (DEKs) under it, extending the expiration without re-encrypting the stored data.


Deep Re-key Operations

Work in vSAN 8 Update 2 continues to bring the vSAN Express Storage Architecture (ESA) to feature parity with the vSAN Original Storage Architecture (OSA). Closing one of the remaining gaps, vSAN ESA in 8 Update 2 now supports deep re-key operations in addition to shallow re-key. A deep re-key generates new DEKs and re-encrypts the stored data under them, whereas a shallow re-key only replaces the KEK that wraps the existing DEKs.
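The difference between the shallow re-key the expiration health check asks for and the deep re-key described here comes down to which layer of the key hierarchy changes. The following is an added example, not vSAN or VMware code, that models a KEK/DEK envelope with both operations plus the 30-day and 10-day thresholds from the health check. It uses HMAC-SHA256 in counter mode as a stand-in for the AES data cipher so it runs with only the standard library; the `KEK.expires` field standing in for a KMS-assigned expiration date, the reference time, and all key material are constructed for the example.

```python
"""Shallow vs deep re-key of an envelope-encrypted disk (added illustration)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time for the expiry checks below.
NOW = datetime(2023, 9, 11, tzinfo=timezone.utc)


def days_from_now(days: int) -> datetime:
    return NOW + timedelta(days=days)


@dataclass(frozen=True)
class KEK:
    key_id: str
    material: bytes   # 32 bytes held by the KMS
    expires: datetime  # expiration attribute assigned by the KMS (assumed field)


def new_kek(key_id: str, expires: datetime) -> KEK:
    return KEK(key_id, os.urandom(32), expires)


@dataclass(frozen=True)
class EncryptedDisk:
    kek_id: str        # which KEK wraps the DEK
    wrapped_dek: bytes  # nonce || enc(DEK) || tag
    nonce: bytes
    ciphertext: bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode stream as a stand-in for AES; XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap_dek(kek: KEK, dek: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _keystream_xor(kek.material, nonce, dek)
    tag = hmac.new(kek.material, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(kek: KEK, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek.material, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"wrapped DEK does not verify under KEK {kek.key_id}")
    return _keystream_xor(kek.material, nonce, ct)


def encrypt_disk(kek: KEK, plaintext: bytes) -> EncryptedDisk:
    dek, nonce = os.urandom(32), os.urandom(16)
    return EncryptedDisk(kek.key_id, wrap_dek(kek, dek), nonce,
                         _keystream_xor(dek, nonce, plaintext))


def read_disk(kek: KEK, disk: EncryptedDisk) -> bytes:
    dek = unwrap_dek(kek, disk.wrapped_dek)
    return _keystream_xor(dek, disk.nonce, disk.ciphertext)


def shallow_rekey(disk: EncryptedDisk, old: KEK, new: KEK) -> EncryptedDisk:
    """Re-wrap the existing DEK under a new KEK; the data ciphertext is untouched."""
    dek = unwrap_dek(old, disk.wrapped_dek)
    return EncryptedDisk(new.key_id, wrap_dek(new, dek), disk.nonce, disk.ciphertext)


def deep_rekey(disk: EncryptedDisk, old: KEK, new: KEK) -> EncryptedDisk:
    """Generate a fresh DEK and re-encrypt all data; every byte on disk changes."""
    return encrypt_disk(new, read_disk(old, disk))


def kek_health(kek: KEK, now: datetime = NOW) -> str:
    """Thresholds from the text: warning at 30 days left, critical at 10 (or already expired)."""
    remaining = kek.expires - now
    if remaining <= timedelta(days=10):
        return "critical"
    if remaining <= timedelta(days=30):
        return "warning"
    return "green"


if __name__ == "__main__":
    k1, k2 = new_kek("kek-1", days_from_now(9)), new_kek("kek-1v2", days_from_now(365))
    disk = encrypt_disk(k1, b"constructed sample block data")
    print("health before re-key:", kek_health(k1))
    shallow = shallow_rekey(disk, k1, k2)
    print("shallow re-key kept ciphertext:", shallow.ciphertext == disk.ciphertext)
    deep = deep_rekey(disk, k1, k2)
    print("deep re-key rewrote ciphertext:", deep.ciphertext != disk.ciphertext)
```

After a shallow re-key the old KEK can no longer unwrap the DEK (the tag check fails), which is exactly what extending a KEK's expiration requires; only a deep re-key changes the DEKs and the stored ciphertext, which is why it is the heavier operation and why ESA gaining it matters for parity with OSA.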


VMware Cloud Foundation built on HCI with vSAN continues to lead the industry with security that is native to vSAN and vSphere. vSAN 8 Update 2 adds support for KEK expiration dates assigned by the KMS, which helps satisfy regulatory requirements that impose a maximum key lifetime. In addition, re-key operations now have full feature parity between vSAN ESA and OSA. Learn more about simplifying and strengthening your environment using infrastructure to secure any app, any cloud, any device.
