VMWARE VSPHERE 8.

0
OPERATE, SCALE AND SECURE

Lab 20: Creating an Encrypted Virtual Machine

Document Version: 2023-05-30

Copyright © 2023 Network Development Group, Inc.

www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

VMware is a registered trademark of VMware, Inc.

Lab 20: Creating an Encrypted Virtual Machine

Contents
Introduction ................................................................................................................................................ 3
Objectives.................................................................................................................................................... 3
Lab Topology ............................................................................................................................................... 4
Lab Settings ................................................................................................................................................. 5
1 Create and Backup a Native Key Provider .......................................................................................... 6
2 Add an ESXi Host to a Cluster ........................................................................................................... 11
3 Create and Encrypt a Virtual Machine .............................................................................................. 13

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 2

Lab 20: Creating an Encrypted Virtual Machine

Introduction

In this lab, you will configure and backup a Native Key Provider (NKP) without the Trusted Platform
Module (TPM) protected ESXi hosts and encrypt a Virtual Machine (VM).

The NKP feature in vSphere does not require a physical TPM module on ESXi hosts for its functionality.
You simply need to disable the checkbox Use key provider only with TPM protected ESXi hosts during
configuration.

The NKP can be utilized to enable vTPM (virtual TPM) modules on all editions of vSphere, regardless of
whether your ESXi hosts have a physical TPM module or not. This means that even if your ESXi hosts do
not have TPM hardware, you can still leverage the security benefits of NKP.

However, if your ESXi hosts do have a TPM module, using NKP in conjunction with the hosts' TPM
modules can offer strengthened security measures. By utilizing the TPM module in combination with
NKP, you can further strengthen the security of your vSphere environment by leveraging the secure
key storage capabilities of the TPM hardware.

In summary, NKP can be used without a physical TPM module, but it can also provide additional
security benefits when used in conjunction with TPM modules on ESXi hosts, offering flexibility and
enhanced security options for vSphere deployments.

For lab purposes, you will not be utilizing TPM, so you can deselect the option
Use Key Provider only with TPM protected ESXi hosts during configuration.

Objectives

 Create and Backup an NKP

 Add an ESXi Host to a Cluster
 Create and Encrypt a Virtual Machine (VM)

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 3

Lab 20: Creating an Encrypted Virtual Machine

Lab Topology

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 4

Lab 20: Creating an Encrypted Virtual Machine

Lab Settings

The information in the table below will be needed to complete the lab. The task sections beyond
provide details on the use of this information.

Virtual Machine IP Address Account Password

sa-student eth0: 172.20.10.80 sysadmin NDGlabpass123!

sa-vcsa eth0: 172.20.10.94 sysadmin@vclass.local NDGlabpass123!

sa-esxi-01 eth0: 172.20.10.51 root NDGlabpass123!

sa-esxi-02 eth0: 172.20.10.52 root NDGlabpass123!

sa-esxi-03 eth0: 172.20.10.53 root NDGlabpass123!

sa-aio eth0: 172.20.10.10 sysadmin NDGlabpass123!

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 5

Lab 20: Creating an Encrypted Virtual Machine

1 Create and Backup a Native Key Provider

In this task, you will create and backup an NKP without utilizing TPM.

1. Launch the sa-student VM to access the graphical login screen.

To launch the console window for a VM, either click on the VM’s
graphic image from the topology page or click on the VM’s respective
tab from the navigation bar.

2. Launch the Mozilla Firefox web browser by either clicking on the icon shortcut found on the
bottom toolbar or by navigating to Start Menu > Internet > Firefox Web Browser.

3. In Firefox, click LAUNCH VSPHERE CLIENT.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 6

Lab 20: Creating an Encrypted Virtual Machine

If the VMware Getting Started web page does not load, please wait
an additional 3-5 minutes, and refresh the page to continue. This is
because the vCenter Server Appliance is still booting up and requires
extra time to initialize.

4. To log in to the vCenter Server Appliance, enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.

5. In the navigation pane, ensure that you are on the Hosts and Clusters tab. Expand and select sa-
vcsa.vclass.local. Click the Configure tab, and navigate to Security > Key Providers.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 7

Lab 20: Creating an Encrypted Virtual Machine

6. In the Key Providers pane, click ADD. Select Add Native Key Provider.

7. In the Add Native Key Provider window, for the Name, enter NKP-no-TPM. Deselect Use key provider
only with TPM protected ESXi hosts (Recommended). Click ADD KEY PROVIDER.

8. In the Key Providers pane, select NKP-no-TPM. Notice that the Status indicates it is Not backed up.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 8

Lab 20: Creating an Encrypted Virtual Machine

9. In the Provider NKP-no-TPM – Key Management Servers pane, click BACK UP.

10. In the Back up Native Key Provider window, select Protect Native Key Provider data with password
(Recommended). For both password fields, enter NDGlabpass123!. Select I have saved the
password in a secure place and click BACK UP KEY PROVIDER.

For lab purposes, you will not copy the password. Normally it is highly
recommended to copy the password and keep it in a secure location for
disaster recovery.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 9

Lab 20: Creating an Encrypted Virtual Machine

11. In the Save window, select Desktop. Verify that the Name is NKP-no-TPM.p12 and click Save.

12. In the Key Providers pane, notice that NKP-no-TPM has an Active Status.

13. Leave the vSphere Client open, and continue to the next task.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 10

Lab 20: Creating an Encrypted Virtual Machine

2 Add an ESXi Host to a Cluster

In this task, you will add an ESXi host to a cluster.

The requirement for an ESXi host to be part of a cluster in order to use the NKP for encrypting a VM is
due to the way the encryption process is managed and coordinated within the virtualization
environment.

When using the NKP for VM encryption in VMware vSphere, the encryption keys are generated and
managed by the vCenter Server, which is the central management component for vSphere clusters. The
vCenter Server acts as the Key Management Server (KMS), and is responsible for generating and
distributing the encryption keys to the ESXi hosts in the cluster.

When a VM is encrypted, the encryption keys are stored in the vCenter Server's key database, and are
distributed to the ESXi hosts in the cluster where the VM is running. The ESXi hosts use these
encryption keys to encrypt and decrypt the VM's data on the local storage.

In a vSphere cluster, the ESXi hosts are part of a unified management domain and are managed
collectively by the vCenter Server. This allows for centralized management and coordination of various
operations, including VM encryption using the NKP. By requiring the ESXi host to be part of a cluster,
the vCenter Server can efficiently manage the generation, distribution, and revocation of encryption
keys for VMs in a coordinated manner.

Additionally, using a cluster allows for high availability and fault tolerance of VMs. If an ESXi host fails
or is taken offline, the VMs can be automatically migrated to other hosts in the cluster, ensuring
continued access to the encrypted VMs and their data without interruption.

In summary, requiring an ESXi host to be part of a cluster to use the NKP for VM encryption in vSphere
allows for centralized management, coordinated key distribution, and high availability of encrypted
VMs. It ensures efficient and reliable encryption operations within the virtualization environment.

1. In the navigation pane, ensure that you are on the Hosts and Clusters tab. Expand OSS-Datacenter
and select sa-esxi-01.vclass.local.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 11

Lab 20: Creating an Encrypted Virtual Machine

2. Drag and drop sa-esxi-01.vclass.local to the Lab Cluster.

3. Expand Lab Cluster and verify that sa-esxi-01.vclass.local is in the cluster.

4. Leave the vSphere Client open, and continue to the next task.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 12

Lab 20: Creating an Encrypted Virtual Machine

3 Create and Encrypt a Virtual Machine

In this task, you will create and encrypt a VM.

Creating and encrypting a VM in a virtualization environment can provide several benefits, including
increased data security, compliance with regulatory requirements, and protection against
unauthorized access.

 Data Security: Encrypting a VM helps protect the confidentiality and integrity of the data stored
within the VM. It ensures that the data is encrypted and can only be accessed by authorized
users with the appropriate encryption keys. This helps prevent unauthorized access to sensitive
data, such as personal information, financial data, or intellectual property, in case of data
breaches or unauthorized access to the virtualization environment.
 Compliance: Encrypting VMs can help organizations meet regulatory requirements for data
protection and privacy, such as the General Data Protection Regulation (GDPR), Health
Insurance Portability and Accountability Act (HIPAA), or Payment Card Industry Data Security
Standard (PCI DSS). Encrypting VMs can be a part of an organization's overall data protection
strategy to comply with industry regulations and protect sensitive data.
 Access Control: Encrypting VMs can help prevent unauthorized access to VMs and their data.
Encryption adds an additional layer of security, as it requires the appropriate encryption keys to
be entered before the VM can be accessed. This helps protect VMs from unauthorized users,
such as malicious insiders or unauthorized external parties who may gain access to the
virtualization environment.
 Data Confidentiality: Encrypting VMs helps protect the confidentiality of the data stored within
the VM, as the data is encrypted and can only be accessed with the appropriate encryption
keys. This helps prevent data leakage or unauthorized data access in case of unauthorized
access to the virtualization environment or VM theft.
 Data Privacy: Encrypting VMs can help ensure the privacy of data, especially in multi-tenant
virtualization environments where multiple VMs from different users or organizations are
hosted on the same physical infrastructure. Encrypting VMs can help prevent unauthorized
access to data from other VMs, ensuring data privacy and isolation between different VMs.

In summary, creating and encrypting VMs in a virtualization environment provides increased data
security, helps meet regulatory requirements, enhances access control, protects data confidentiality,
and ensures data privacy. It can be a critical component of an organization's overall data protection
strategy in virtualized environments.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 13

Lab 20: Creating an Encrypted Virtual Machine

1. In the navigation pane, right-click on sa-esxi-01.vclass.local. Click on New Virtual Machine.

2. In the New Virtual Machine window, Select a creation type step, leave Create a new virtual machine
selected. Click NEXT.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 14

Lab 20: Creating an Encrypted Virtual Machine

3. On the Select a name and folder step, enter EVM-01 for the Virtual machine name. Click NEXT.

4. On the Select a compute resource step, ensure that sa-esxi-01.vclass.local is selected. Click NEXT.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 15

Lab 20: Creating an Encrypted Virtual Machine

5. On the Select storage step, select Encrypt this virtual machine. From the VM Storage Policy
dropdown menu, select VM Encryption Policy. Select iSCSI-Datastore and click NEXT.

6. On the Select Compatibility step, click NEXT.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 16

Lab 20: Creating an Encrypted Virtual Machine

7. On the Select a guest OS step, for the Guest OS Family, select Linux from the dropdown menu. In
the Guest OS Version dropdown menu, select Ubuntu Linux (64-bit). Click NEXT.

8. On the Customize hardware step, change the New Hard disk size to 1 GB. Click NEXT.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 17

Lab 20: Creating an Encrypted Virtual Machine

9. On the Ready to complete step, review the configuration. Click FINISH.

10. Monitor the Recent Tasks pane, and verify that the Create virtual machine task has been
completed.

11. In the navigation pane, select the EVM-01 virtual machine. Ensure you are on the Summary tab.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 18

Lab 20: Creating an Encrypted Virtual Machine

12. In the EVM-01 VM window, locate the Virtual Machine Details pane. Confirm that EVM-01 has
been Encrypted with a native key provider. Lastly, hover over the Lock icon and notice that the VM
configuration files are encrypted.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 19

Lab 20: Creating an Encrypted Virtual Machine

Encrypting a VMs configuration files in vSphere, a virtualization platform by

VMware, serves as a security measure to protect sensitive information and
ensure the confidentiality and integrity of VM settings.

The configuration files of a VM contain important information such as the

virtual hardware settings, virtual device configurations, VM options, and other
configuration details that define how the VM operates within the vSphere
environment. These configuration files are stored on the ESXi host's local
storage or shared storage, and they may also be backed up or transferred
across the network.

Encrypting the VM’s configuration files helps safeguard this sensitive

information from unauthorized access or tampering. It helps prevent data
breaches, unauthorized modifications, and other security threats that could
compromise the confidentiality or integrity of the VM’s settings.

By encrypting the VM’s configuration files, the information stored in these files
is scrambled or encoded using cryptographic algorithms, making it unreadable
to unauthorized users or processes. Only authorized users or processes with
the appropriate decryption keys can access and modify the configuration files.

Encrypting the VM’s configuration files provides an additional layer of security

to protect VM settings, particularly in scenarios where VMs are stored on
shared storage or transferred across the network. It helps ensure that only
authorized users or processes can access and modify the VM’s configuration
settings, reducing the risk of unauthorized access, tampering, or data
breaches.

13. The lab is now complete; you may end your reservation.

6/26/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 20