Key features
This integration has the following features:
- Hypervisor-based virtualization: vSphere employs its ESXi hypervisor, providing a robust and secure foundation for virtualizing servers and running multiple operating systems on a single host machine.
- Resource management: With features like Distributed Resource Scheduler (DRS) and vSphere High Availability, the platform optimizes resource allocation and ensures uninterrupted service availability.
- Scalability and performance: vSphere is designed for scalability, offering features like auto-scaling and performance tuning to accommodate growing business needs.
- Live migration: The vMotion feature enables live migration of virtual machines between hosts, minimizing downtime and improving resource optimization.
- Storage virtualization: With vSphere, you can virtualize your storage environment by using features like Storage DRS and VSAN, enabling better resource usage and simplified management.
- Security measures: vSphere incorporates various security features, including VM encryption, secure boot, and Trusted Platform Module (TPM) support, enhancing the security of your virtual environment.
- Automated operations: Using AI-driven operations management, vSphere helps automate routine tasks, from workload balancing to predictive diagnostics.
- Multi-cloud flexibility: vSphere enables seamless integration with various cloud services, offering the flexibility to run applications across on-premises, hybrid, or public cloud environments.
- Monitoring and analytics: Comprehensive monitoring tools and dashboards provide real-time insights into performance and resource utilization, helping with proactive issue resolution.
- Disaster recovery: With features like Site Recovery Manager and Fault Tolerance, vSphere ensures that your virtual machines and data are well-protected against hardware failures and other unexpected events.
Benefits of CryptoHub integration through the Key Management Interoperability Protocol (KMIP)
Integrating with CryptoHub provides the following benefits:
- Enhanced security: Leveraging a CryptoHub for cryptographic key storage significantly boosts security, minimizing the risk of unauthorized key access and compromise.
- Optimized performance: Using a CryptoHub designed for high-throughput cryptographic operations enhances VMware vSphere’s encryption and decryption processes.
- Compliance advantage: The KMIP integration facilitates adherence to compliance regulations, like GDPR or FIPS, which mandate secure key management and data protection measures.
- Operational resilience: CryptoHub comes with features such as high availability and failover, adding a layer of robustness to your vSphere environment.
- Centralized key management: Using a CryptoHub streamlines the management of cryptographic keys, simplifying administration and improving security posture.
About VMware encryption
VMware vSphere encryption (www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsphere/vmw-wp-vsphere-virtual-machin-encryp.pdf) debuted in vSphere 6.5 and vSAN 6.6, enabling both virtual machine (VM) encryption and disk storage encryption. The required components are vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts.
Encryption process flow
The following encryption process flow is essentially identical for VMs and vSAN clusters:
- Register the CryptoHub as a Standard Key Provider in the vSphere Client.
- Set up a domain of trust (mutual authentication) between vCenter Server and the KMS by exchanging TLS certificates between the KMS and vCenter Server.
- vCenter Server requests a new key from the default key server when the user performs an encryption task, such as creating an encrypted virtual machine. The process uses this key as the KEK.
- vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster.
- The key itself is not stored on the vCenter Server system. Only the key ID is known.
- The ESXi host generates internal keys (DEKs) for the virtual machine and its disks. It keeps the internal keys only in memory and uses the KEKs to encrypt internal keys.
- Unencrypted internal keys are never stored on disk. Only encrypted data is stored. Because the KEKs come from the key server, the host continues to use the same KEKs.
- The ESXi host uses the encrypted internal key to encrypt the virtual machine.
- Any hosts that have the KEK and can access the encrypted key file can perform operations on the encrypted virtual machine or disk.
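The key hierarchy described in the steps above (a KEK issued by the key server, a DEK generated on the host and kept only in memory, and nothing but the KEK ID and the wrapped DEK reaching disk) is shown below as an added, self-contained model written for this page; it is not code from VMware, Futurex or the CryptoHub integration. The KMS type stands in for the KMIP key server, the AES-GCM wrapping of the DEK under the KEK and the key-ID format are assumptions made for the model (the page does not specify vSphere's own wrapping format), and the VM data is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return b
}

// KMS stands in for the KMIP key server (CryptoHub in this setup). Constructed model:
// KEKs live only here, indexed by key ID; vCenter never stores the KEK bytes.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

// CreateKEK models "vCenter Server requests a new key from the default key server".
// vCenter keeps only the returned ID; the KEK bytes are forwarded to the ESXi hosts.
func (k *KMS) CreateKEK() (id string, kek []byte) {
	id = fmt.Sprintf("kek-%04d", len(k.keks)+1) // assumed ID format
	kek = randomBytes(32)                       // AES-256 KEK
	k.keks[id] = kek
	return id, kek
}

// EncryptedVM is everything that reaches disk. The plaintext DEK is deliberately absent.
type EncryptedVM struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, VM data)
}

// AES-GCM with a prepended random nonce is an assumption made for this model; the page
// does not specify vSphere's own key-wrapping format.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func open(key, data []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("open: data shorter than nonce")
	}
	return aead.Open(nil, data[:n], data[n:], nil)
}

// EncryptVM is the ESXi host step: generate the DEK in memory, encrypt the VM with it,
// wrap the DEK under the KEK, and persist only the wrapped DEK next to the KEK ID.
func EncryptVM(kekID string, kek, vmData []byte) (*EncryptedVM, error) {
	dek := randomBytes(32) // internal key; exists only in host memory
	ct, err := seal(dek, vmData)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedVM{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptVM is any host holding the encrypted files: fetch the KEK by ID from the key
// server, unwrap the DEK, then read the VM. Without the KEK neither step is possible.
func DecryptVM(kms *KMS, vm *EncryptedVM) ([]byte, error) {
	kek, ok := kms.keks[vm.KEKID]
	if !ok {
		return nil, errors.New("kms: unknown key ID " + vm.KEKID)
	}
	dek, err := open(kek, vm.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, vm.Ciphertext)
}
```

Running `EncryptVM` with a KEK obtained from `CreateKEK` and then `DecryptVM` against the same `KMS` round-trips the sample data; calling `DecryptVM` with a fresh `NewKMS()` that never issued the KEK fails at the lookup, and flipping a byte of `WrappedDEK` fails at the unwrap, which is the property the flow relies on: losing access to the key server, or to the specific KEK, leaves the on-disk material unreadable even to a host that has every file.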