What’s New vSphere 6.5 – Security

Things are really changing at VMware with respect to the Security enhancements and vSphere 6.5 can be considered as a major release that introduces many interesting features related to Security. So, let’s jump in.

VM Encryption

This is going to be a major breakthrough, vSphere 6.5 introduced VM encryption and every VM file and vmdk is encrypted. Encrytion is done by the ESXi kernel module and hence this is Operating System independent and any VM can be encrypted. Such a lovely feature! Adding to this, encrypting a VM is more simple than you think, this is just applied by a policy in VM Policies setting and that’s it, VM will be encrypted. Thanks to the Team at VMware for making things easier for all of us. KMIP 1.1 is the Key Management used and vCenter Server runs the KMIP client but do not persist the Keys.

2016-11-10-07_21_20-whats-new-in-vsphere-6-5_-security-vmware-vsphere-blog

vMotion Encryption

vSphere 6.5 introduces vMotion Encryption at per VM level giving the users more flexibility. No certificate management is involved here. When a vMotion is initiated, a one time random 256-bit key  and a 64 Nonce is generated by vCenter and packed into the migration specification sent to both hosts. VMs with encryption applied using policy is by default enabled with vMotion Encryption and for unencrypted VMs, you can explicitly enable vMotion Encryption.

2016-11-10 07_32_52-What's new in vSphere 6.5_ Security - VMware vSphere Blog.jpg

ESXi and VM Secure Boot

vSphere 6.5 introduced Secure Boot at both ESXi and VM level. Secure Boot validates the digital signature of the ESXi kernel against a digital certificate in the UEFI firmware. Digital Certificate at kernel validates each VIB against the firmware based certificate and hence only digitally signed certificates can be loaded to kernel enhancing security further. Secure Boot VM is also the same and only allows digitally signed drivers to load into the virtual machine. To enable Secure Boot at VM level, VM must be configured to use EFI firmware and after that its just a check box.

2016-11-10 08_11_52-What's new in vSphere 6.5_ Security - VMware vSphere Blog.jpg

The VM Operating System must support the Secure Boot to use this feature. Most of the Windows and Linux flavours do now a days.

Actionable Logging

With vSphere 6.5 Logging has been enhanced and more details are knows from the logs than earlier. The events now show what has changed, what it changed from and what it changed to and who did it. This is more helpful in troubleshooting and VMware solutions like Log Insight can take advantage of this.

Hope this was informative. Thanks!

©Pic Courtesy : VMware Press

Advertisements

#actionable-logging, #efi, #esxi-secure-boot, #kmip-1-1, #vm-encryption, #vmotion-encryption, #vsphere-6-5, #whats-new