Professional Documents
Culture Documents
0
OPERATE, SCALE AND SECURE
Contents
Introduction ................................................................................................................................................ 3
Objectives.................................................................................................................................................... 3
Lab Topology ............................................................................................................................................... 4
Lab Settings ................................................................................................................................................. 5
1 Create and Backup a Native Key Provider .......................................................................................... 6
2 Add an ESXi Host to a Cluster ........................................................................................................... 11
3 Create and Encrypt a Virtual Machine .............................................................................................. 13
Introduction
In this lab, you will configure and backup a Native Key Provider (NKP) without the Trusted Platform
Module (TPM) protected ESXi hosts and encrypt a Virtual Machine (VM).
The NKP feature in vSphere does not require a physical TPM module on ESXi hosts for its functionality.
You simply need to disable the checkbox Use key provider only with TPM protected ESXi hosts during
configuration.
The NKP can be utilized to enable vTPM (virtual TPM) modules on all editions of vSphere, regardless of
whether your ESXi hosts have a physical TPM module or not. This means that even if your ESXi hosts do
not have TPM hardware, you can still leverage the security benefits of NKP.
However, if your ESXi hosts do have a TPM module, using NKP in conjunction with the hosts' TPM
modules can offer strengthened security measures. By utilizing the TPM module in combination with
NKP, you can further strengthen the security of your vSphere environment by leveraging the secure
key storage capabilities of the TPM hardware.
In summary, NKP can be used without a physical TPM module, but it can also provide additional
security benefits when used in conjunction with TPM modules on ESXi hosts, offering flexibility and
enhanced security options for vSphere deployments.
For lab purposes, you will not be utilizing TPM, so you can deselect the option
Use Key Provider only with TPM protected ESXi hosts during configuration.
Objectives
Lab Topology
Lab Settings
The information in the table below will be needed to complete the lab. The task sections beyond
provide details on the use of this information.
In this task, you will create and backup an NKP without utilizing TPM.
To launch the console window for a VM, either click on the VM’s
graphic image from the topology page or click on the VM’s respective
tab from the navigation bar.
2. Launch the Mozilla Firefox web browser by either clicking on the icon shortcut found on the
bottom toolbar or by navigating to Start Menu > Internet > Firefox Web Browser.
If the VMware Getting Started web page does not load, please wait
an additional 3-5 minutes, and refresh the page to continue. This is
because the vCenter Server Appliance is still booting up and requires
extra time to initialize.
4. To log in to the vCenter Server Appliance, enter sysadmin@vclass.local as the username and
NDGlabpass123! as the password. Click LOGIN.
5. In the navigation pane, ensure that you are on the Hosts and Clusters tab. Expand and select sa-
vcsa.vclass.local. Click the Configure tab, and navigate to Security > Key Providers.
6. In the Key Providers pane, click ADD. Select Add Native Key Provider.
7. In the Add Native Key Provider window, for the Name, enter NKP-no-TPM. Deselect Use key provider
only with TPM protected ESXi hosts (Recommended). Click ADD KEY PROVIDER.
8. In the Key Providers pane, select NKP-no-TPM. Notice that the Status indicates it is Not backed up.
9. In the Provider NKP-no-TPM – Key Management Servers pane, click BACK UP.
10. In the Back up Native Key Provider window, select Protect Native Key Provider data with password
(Recommended). For both password fields, enter NDGlabpass123!. Select I have saved the
password in a secure place and click BACK UP KEY PROVIDER.
For lab purposes, you will not copy the password. Normally it is highly
recommended to copy the password and keep it in a secure location for
disaster recovery.
11. In the Save window, select Desktop. Verify that the Name is NKP-no-TPM.p12 and click Save.
12. In the Key Providers pane, notice that NKP-no-TPM has an Active Status.
13. Leave the vSphere Client open, and continue to the next task.
The requirement for an ESXi host to be part of a cluster in order to use the NKP for encrypting a VM is
due to the way the encryption process is managed and coordinated within the virtualization
environment.
When using the NKP for VM encryption in VMware vSphere, the encryption keys are generated and
managed by the vCenter Server, which is the central management component for vSphere clusters. The
vCenter Server acts as the Key Management Server (KMS), and is responsible for generating and
distributing the encryption keys to the ESXi hosts in the cluster.
When a VM is encrypted, the encryption keys are stored in the vCenter Server's key database, and are
distributed to the ESXi hosts in the cluster where the VM is running. The ESXi hosts use these
encryption keys to encrypt and decrypt the VM's data on the local storage.
In a vSphere cluster, the ESXi hosts are part of a unified management domain and are managed
collectively by the vCenter Server. This allows for centralized management and coordination of various
operations, including VM encryption using the NKP. By requiring the ESXi host to be part of a cluster,
the vCenter Server can efficiently manage the generation, distribution, and revocation of encryption
keys for VMs in a coordinated manner.
Additionally, using a cluster allows for high availability and fault tolerance of VMs. If an ESXi host fails
or is taken offline, the VMs can be automatically migrated to other hosts in the cluster, ensuring
continued access to the encrypted VMs and their data without interruption.
In summary, requiring an ESXi host to be part of a cluster to use the NKP for VM encryption in vSphere
allows for centralized management, coordinated key distribution, and high availability of encrypted
VMs. It ensures efficient and reliable encryption operations within the virtualization environment.
1. In the navigation pane, ensure that you are on the Hosts and Clusters tab. Expand OSS-Datacenter
and select sa-esxi-01.vclass.local.
4. Leave the vSphere Client open, and continue to the next task.
Creating and encrypting a VM in a virtualization environment can provide several benefits, including
increased data security, compliance with regulatory requirements, and protection against
unauthorized access.
Data Security: Encrypting a VM helps protect the confidentiality and integrity of the data stored
within the VM. It ensures that the data is encrypted and can only be accessed by authorized
users with the appropriate encryption keys. This helps prevent unauthorized access to sensitive
data, such as personal information, financial data, or intellectual property, in case of data
breaches or unauthorized access to the virtualization environment.
Compliance: Encrypting VMs can help organizations meet regulatory requirements for data
protection and privacy, such as the General Data Protection Regulation (GDPR), Health
Insurance Portability and Accountability Act (HIPAA), or Payment Card Industry Data Security
Standard (PCI DSS). Encrypting VMs can be a part of an organization's overall data protection
strategy to comply with industry regulations and protect sensitive data.
Access Control: Encrypting VMs can help prevent unauthorized access to VMs and their data.
Encryption adds an additional layer of security, as it requires the appropriate encryption keys to
be entered before the VM can be accessed. This helps protect VMs from unauthorized users,
such as malicious insiders or unauthorized external parties who may gain access to the
virtualization environment.
Data Confidentiality: Encrypting VMs helps protect the confidentiality of the data stored within
the VM, as the data is encrypted and can only be accessed with the appropriate encryption
keys. This helps prevent data leakage or unauthorized data access in case of unauthorized
access to the virtualization environment or VM theft.
Data Privacy: Encrypting VMs can help ensure the privacy of data, especially in multi-tenant
virtualization environments where multiple VMs from different users or organizations are
hosted on the same physical infrastructure. Encrypting VMs can help prevent unauthorized
access to data from other VMs, ensuring data privacy and isolation between different VMs.
In summary, creating and encrypting VMs in a virtualization environment provides increased data
security, helps meet regulatory requirements, enhances access control, protects data confidentiality,
and ensures data privacy. It can be a critical component of an organization's overall data protection
strategy in virtualized environments.
2. In the New Virtual Machine window, Select a creation type step, leave Create a new virtual machine
selected. Click NEXT.
3. On the Select a name and folder step, enter EVM-01 for the Virtual machine name. Click NEXT.
4. On the Select a compute resource step, ensure that sa-esxi-01.vclass.local is selected. Click NEXT.
5. On the Select storage step, select Encrypt this virtual machine. From the VM Storage Policy
dropdown menu, select VM Encryption Policy. Select iSCSI-Datastore and click NEXT.
7. On the Select a guest OS step, for the Guest OS Family, select Linux from the dropdown menu. In
the Guest OS Version dropdown menu, select Ubuntu Linux (64-bit). Click NEXT.
8. On the Customize hardware step, change the New Hard disk size to 1 GB. Click NEXT.
10. Monitor the Recent Tasks pane, and verify that the Create virtual machine task has been
completed.
11. In the navigation pane, select the EVM-01 virtual machine. Ensure you are on the Summary tab.
12. In the EVM-01 VM window, locate the Virtual Machine Details pane. Confirm that EVM-01 has
been Encrypted with a native key provider. Lastly, hover over the Lock icon and notice that the VM
configuration files are encrypted.
By encrypting the VM’s configuration files, the information stored in these files
is scrambled or encoded using cryptographic algorithms, making it unreadable
to unauthorized users or processes. Only authorized users or processes with
the appropriate decryption keys can access and modify the configuration files.
13. The lab is now complete; you may end your reservation.