What Is vSphere Native Key Provider and How to Set It Up?

vSphere supports many kinds of encryption tasks, but most of them have traditionally required an external key server. To simplify encryption, VMware released vSphere Native Key Provider as the solution.


Updated by Nick Zhao on 2022/11/28

Table of contents
  • What is vSphere Native Key Provider?

  • How to set up vSphere Native Key Provider?

  • How to backup and restore vSphere Native Key Provider?

  • How to encrypt vSphere VM backup?

  • Sum Up

vSphere Native Key Provider

VMware vSphere is known for its performance, and it also invests heavily in data security.

Data encryption is one of the most effective defenses against cyberattacks and data leakage. vSphere lets users configure vSAN Encryption, VM Encryption, vTPM and similar features to protect the virtual environment, but the encryption workflow has not been convenient, so VMware released vSphere Native Key Provider to simplify it.

What is vSphere Native Key Provider?

vSphere Native Key Provider is a feature in vSphere 7.0 Update 2 and later and is used to enable encryption technologies like vTPM.

Before vSphere Native Key Provider was released, an external key server (KMS) was required to use features such as vSAN Encryption, VM Encryption and vTPM. vCenter Server fetches the keys from the external key server and distributes them to the ESXi hosts; with the proper configuration, an ESXi host can also fetch the keys directly.

However, with vSphere Native Key Provider, an external key server is no longer required for data encryption in vSphere. The new process works like this:

vCenter Server generates a primary key > vCenter Server pushes it to all ESXi hosts in the cluster > the ESXi hosts generate the data encryption keys

It can be used with every version of vSphere from 7.0 Update 2 onward, but a VMware vSphere Enterprise Plus Edition license is required to encrypt vSphere VMs.

P.S. vSphere VM backups can also be encrypted easily with Vinchin Backup & Recovery to improve data security.

How to set up vSphere Native Key Provider?

vSphere Native Key Provider must be configured before any encryption task is started.

1. Log in to vCenter > select the vCenter Server instance

2. On the right, click Configure

3. Under Security, select Key Providers

4. Enter a name for the vSphere Native Key Provider. You can check Use key provider only with TPM protected ESXi hosts to restrict this key provider to ESXi hosts that have a TPM > click Add Key Provider

How to backup and restore vSphere Native Key Provider?

vSphere Native Key Provider is essential to vSphere encryption, so it needs to be backed up.

1. Log in to vCenter > go back to the page where you added the vSphere Native Key Provider

2. Click Back Up

3. Check Protect Native Key Provider data with password > enter a password (this password will be required to recover the vSphere Native Key Provider) > check I have saved the password in a secure place > click Back Up Key Provider

A backup file in PKCS#12 format is generated automatically and downloaded to the local machine.

If nothing happens after you click Back Up Key Provider, or the task cannot start for some reason, the cause might be that you are accessing the H5 UI via the IP address of the vCenter Server. Try accessing the vSphere UI via its fully qualified domain name instead.

To restore the vSphere Native Key Provider when necessary, go back to the page where you added it > click Restore > click Browse to select the PKCS#12 file > enter the password > click Next > click Finish
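The flow described above (a primary key generated centrally, data encryption keys derived from it on the hosts, and a password-protected backup that can later be restored) can be illustrated with a small self-contained model. The following Python is an added example written for this page; it is not VMware's implementation and makes no claim about the actual key derivation or the PKCS#12 layout vSphere uses. It assumes a simple design in which each per-VM data encryption key (DEK) is derived from the primary key with HKDF-SHA256, and the backup wraps the primary key with a PBKDF2-derived key plus an HMAC tag, so that a wrong password or a tampered file is rejected instead of yielding garbage keys.

```python
"""Conceptual model of a native key provider (added example, assumed design).

Primary key (KDK) -> per-VM DEKs derived on demand -> password-protected
backup of the KDK that can be restored and re-derives the same DEKs.
Built on the standard library only (hmac, hashlib, os, secrets).
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

HASH = "sha256"
PBKDF2_ITERATIONS = 600_000   # slows down offline guessing of the backup password
SALT_LEN, TAG_LEN = 16, 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-and-expand (RFC 5869) on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class NativeKeyProvider:
    """Holds the primary key; every host holding it derives identical DEKs."""

    def __init__(self, name: str, kdk: Optional[bytes] = None) -> None:
        self.name = name
        # Primary key: 256 bits from the OS CSPRNG unless one is being restored.
        self.kdk = kdk if kdk is not None else secrets.token_bytes(32)

    def derive_dek(self, vm_id: str) -> bytes:
        # Deterministic derivation: the DEK never has to be stored centrally,
        # but it is unrecoverable once the KDK is lost.
        return hkdf_sha256(self.kdk, salt=self.name.encode(), info=b"vm-dek:" + vm_id.encode())

    def backup(self, password: str) -> bytes:
        """Wrap the KDK under a password: salt || ciphertext || HMAC tag."""
        salt = os.urandom(SALT_LEN)
        wrap = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
        enc_key, mac_key = wrap[:32], wrap[32:]
        # PRF-in-counter-mode keystream; encrypt-then-MAC with separate keys.
        keystream = hkdf_sha256(enc_key, salt, b"kdk-wrap", len(self.kdk))
        ciphertext = bytes(a ^ b for a, b in zip(self.kdk, keystream))
        tag = hmac.new(mac_key, salt + ciphertext, HASH).digest()
        return salt + ciphertext + tag

    @classmethod
    def restore(cls, name: str, blob: bytes, password: str) -> "NativeKeyProvider":
        """Unwrap a backup; raises ValueError on wrong password or corruption."""
        if len(blob) < SALT_LEN + TAG_LEN + 1:
            raise ValueError("backup file too short")
        salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
        wrap = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
        enc_key, mac_key = wrap[:32], wrap[32:]
        expected = hmac.new(mac_key, salt + ciphertext, HASH).digest()
        if not hmac.compare_digest(tag, expected):   # check the tag before decrypting
            raise ValueError("wrong password or corrupted backup")
        keystream = hkdf_sha256(enc_key, salt, b"kdk-wrap", len(ciphertext))
        return cls(name, bytes(a ^ b for a, b in zip(ciphertext, keystream)))


def roundtrip_demo(password: str = "constructed-demo-passphrase") -> bool:
    """Back up a provider, restore it, and confirm the same DEK comes back."""
    provider = NativeKeyProvider("nkp-lab")          # constructed provider name
    dek_before = provider.derive_dek("vm-01")        # constructed VM id
    restored = NativeKeyProvider.restore("nkp-lab", provider.backup(password), password)
    return restored.derive_dek("vm-01") == dek_before


if __name__ == "__main__":
    print("backup/restore round trip ok:", roundtrip_demo())
```

Two properties of the model are worth noticing. A second provider with its own random primary key derives a completely different DEK for the same VM name, which is why the backup of the primary key, and not just the VM files, is what makes an encrypted VM recoverable. And the tag is verified before anything is decrypted, so an attacker who obtains the backup file still has to guess the password, which the PBKDF2 iteration count is there to make slow.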

How to encrypt vSphere VM backup?

VMs in a production environment are vitally important, so they need to be backed up. The simplest way to back up a VM is to export it and save the export in a secure place. You can protect the folder with a password, but that level of security is not enough, because an attacker can easily decrypt such a folder. To raise the security level of the backup system, you need a professional backup and disaster recovery solution such as Vinchin Backup & Recovery.

Vinchin Backup & Recovery lets you back up vSphere VMs agentlessly and provides many backup strategies to protect VM backups in every way. One of them is data encryption: you can set a password for the VM backup.

Vinchin Encryption

Compared with the ordinary encryption features of an operating system, Vinchin Backup & Recovery provides more comprehensive protection for the virtual environment, because backup data transmission can also be encrypted. When data is transmitted over the LAN, SSL can be used to encrypt it.

In addition, Vinchin Backup & Recovery helps with ransomware protection, because only Vinchin applications can write data to the backup storage.

Vinchin Backup & Recovery has helped thousands of companies protect their virtual environments. You can start using this powerful system with a 60-day full-featured free trial; just click the button to get the installation package.

Sum Up

VMware vSphere provides many encryption technologies to help protect the virtual environment, but they used to require an external key server. With vSphere Native Key Provider, the external key server is no longer needed, so users can adopt these encryption technologies more conveniently.

VM backups also need to be encrypted. To raise the security level, you can choose the professional backup and disaster recovery solution Vinchin Backup & Recovery. Don't miss the free trial.
