Key Caching support for 3rd party KMS servers
vSAN offers encryption services to help ensure the integrity of the data stored in an environment. For vSAN data-at-rest encryption, key management can occur using the vSphere Native Key Provider (NKP) or an external KMS. vSAN 7 U3 introduces full support for using Trusted Platform Modules (TPMs) on the hosts within a vSAN cluster to persist the distributed keys should there be an issue with communication to the key provider. The use of TPMs is fully supported with either the vSphere NKP or an external KMS, and is one of the best ways to build a robust method of key distribution and key storage.
Historically, encryption services such as vSAN Data-at-Rest Encryption have relied on an external KMS for key management. vSAN-enabled hosts would retain these keys (Host keys, Disk Encryption Keys (DEKs) and Key Encryption Keys (KEKs)) in a volatile in-memory vmkernel key cache on each host in the cluster. If the host rebooted at any point, it would need to fetch the keys again from the external KMS, via a 3rd party KMS solution, or from the vSphere Native Key Provider (NKP). In previous versions of vSAN, if access to an external KMS was unavailable (such as in edge topologies that may have limited connectivity to a KMS), the host had no ability to mount the disk groups that stored encrypted data. Caching keys on a TPM in vSAN 7 U2 was limited to the use of the vSphere NKP.
Why TPM 2.0 Chips?
TPM chips are affordable devices that allow security-conscious customers to address their security concerns much more easily. At less than $50 USD per module, the cost of TPMs is minimal, yet their functionality is significant. It is highly recommended that new host specifications always include a TPM module in the bill of materials. Beyond encryption, TPMs have other security benefits such as host attestation.
In vSAN 7 U3, when using TPM 2.0 chips on all vSAN hosts in a cluster, any key issued (from a third party KMS or the vSphere NKP) that is stored in the key cache is also persisted to the TPM chip immediately. Upon reboot of the host, this key persistence feature restores the key from the TPM chip to the key cache. Core dump encryption occurs in all circumstances when using TPM chips. Keys are always fetched from the key cache first. Even upon host restart, the TPM restores the keys immediately. Only if there are no keys locally are they retrieved from the KMS.
Operational activities related to key management do not change with the use of cached keys on TPM chips in the vSAN hosts. Examples of operational activities that are unchanged by this enhancement include:
- Enable/disable encryption
- Shallow rekey
- Deep rekey
- Remove Disk
How to enable
Key persistence is not enabled by default when using a 3rd party KMS. It can be enabled on each host via the following esxcli commands:
esxcli system settings encryption set --mode=TPM
esxcli system security keypersistence enable
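Rolling the two commands out to every host in a cluster, and reading the mode back afterwards, is usually scripted. The script below is an added example, not VMware's own tooling: it assumes SSH as root is enabled on the hosts and that `esxcli system settings encryption get` prints a line of the form `   Mode: TPM`; the RUN_ESXCLI variable lets the esxcli invocation be swapped out for a dry run.

```shell
#!/bin/sh
# Added example (not from the VMware page): enable TPM key persistence on a
# list of vSAN hosts and confirm each host ends up in TPM encryption mode.
# Assumptions: root SSH access, and esxcli output in the form "   Mode: TPM".

# Run an esxcli command on one host. RUN_ESXCLI can be overridden (for
# example with a fake) to exercise the logic without touching real hosts.
run_esxcli() {
    target=$1; shift
    ssh "root@$target" esxcli "$@"
}
RUN_ESXCLI=${RUN_ESXCLI:-run_esxcli}

# Extract the value of "Mode:" from 'esxcli system settings encryption get'.
encryption_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# True when the host has not yet been switched to TPM mode.
needs_tpm_mode() {
    [ "$(encryption_mode "$1")" != "TPM" ]
}

# Enable key persistence on one host. Prints a summary line and returns 0
# only if the host reports TPM mode afterwards.
enable_persistence_on_host() {
    host=$1
    before=$("$RUN_ESXCLI" "$host" system settings encryption get)
    if needs_tpm_mode "$before"; then
        "$RUN_ESXCLI" "$host" system settings encryption set --mode=TPM || return 1
    fi
    "$RUN_ESXCLI" "$host" system security keypersistence enable || return 1
    after=$("$RUN_ESXCLI" "$host" system settings encryption get)
    mode=$(encryption_mode "$after")
    [ "$mode" = "TPM" ] || return 1
    printf '%s: mode=%s keypersistence=enabled\n' "$host" "$mode"
}

# Usage: ./enable-keypersistence.sh esx01.example.com esx02.example.com
for h in "$@"; do
    enable_persistence_on_host "$h" || echo "$h: FAILED" >&2
done
```

Hosts that already report TPM mode skip the `encryption set` step, so the script is safe to re-run after adding a host to the cluster.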