#VCP
## VM Encryption
VM encryption is an essential datacenter feature that adds a layer of security to virtual disks.
It is applied via a storage policy: every VM that is assigned the encryption storage policy is encrypted.
No modification inside the guest OS is required; the encryption happens outside the guest OS, which means any guest OS is supported.
The VMDKs themselves are encrypted, and the VMs can only be started with access to the KMS.
A randomly generated key is assigned to a VM upon encryption; that key is encrypted with the key from your key manager. When powering on a VM, vCenter retrieves the key from the key manager and unlocks the VM key on the ESXi host.
![[_media/vSphere - VM Security2024-07-20.png|700]]
![[_media/vSphere - VM Security2024-07-20-1.png|700]]
All I/O coming out of the virtual SCSI device goes through the encryption module before hitting the storage module.
### Data encryption key (DEK)
Randomly generated key that is created on the ESXi host and encrypted by the KEK.
### Key encryption Key (KEK)
Unique key for each encrypted entity, obtained from the KMS or trusted key provider; it must be retrieved to decrypt or start VMs.
The KEK is never known directly to vCenter or the ESXi host but is always retrieved from the key provider.
### Requirements
- External key server or vSphere Native Key Provider
- Available Key management servers can be found in the HCL
- Encryption Mode must be enabled on ESXi host
### Setup
1. Configure the key provider on vCenter
2. Enable encryption mode on all ESXi hosts
3. Create a host-based encryption storage policy
4. Create a VM and enable it for encryption
    - For already existing VMs, the VM needs to be powered off first
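The setup above, as an added PowerCLI example (not from the original notes): it checks that every host is in encryption mode, reports which VMs already carry a key, and assigns the encryption policy to one powered-off VM. It assumes an existing `Connect-VIServer` session, the built-in policy name `VM Encryption Policy`, and a placeholder VM name.

```powershell
# Added example, not part of the original notes. Assumes a PowerCLI session already exists
# (Connect-VIServer). Policy name is the vCenter default; the VM name is a placeholder.
$policyName = 'VM Encryption Policy'
$vmName     = 'app-server-01'   # placeholder, replace with a real VM name

# 1) Every ESXi host must be in encryption "safe" mode before it can run encrypted VMs.
#    HostRuntimeInfo.cryptoState is one of: incapable, prepared, safe.
$hostsNotSafe = Get-VMHost | Where-Object { $_.ExtensionData.Runtime.CryptoState -ne 'safe' }
if ($hostsNotSafe) {
    Write-Warning "Hosts without encryption mode enabled: $($hostsNotSafe.Name -join ', ')"
}

# 2) Report which VMs are encrypted. An encrypted VM carries a CryptoKeyId in its config:
#    this is the reference to the DEK (wrapped by the KEK), not the key material itself.
Get-VM | Select-Object Name,
    @{N = 'Encrypted';   E = { [bool]$_.ExtensionData.Config.KeyId }},
    @{N = 'KeyProvider'; E = { $_.ExtensionData.Config.KeyId.ProviderId.Id }}

# 3) Apply the encryption policy to one VM. Existing VMs must be powered off first.
$vm = Get-VM -Name $vmName
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$vmName must be powered off before it can be encrypted."
}
$policy = Get-SpbmStoragePolicy -Name $policyName
# VM home (VMX, NVRAM, swap, snapshots) and each virtual disk get the policy separately.
$vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy
$vm | Get-HardDisk | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy
```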
### What is encrypted
- VM files like VMSN, VSWP, NVRAM
- VMDKs
- ESXi Core Dumps
- VM Swap file
- vTPMs
### What is not encrypted
- VMX configuration file
- VM log files
- VM descriptor file
## VM Secure Boot
A standard that ensures the VM boots only software that is trusted by the manufacturer. Each piece of boot software is signed by its vendor (bootloader, OS kernel, OS drivers).
Can be configured per VM (Edit Settings - VM Options).
### Requirements
- OS supports UEFI & Secure Boot
- EFI enabled in Settings
- VM HW Version 13 or later
## vTPM
vTPM is a software-based version of a TPM that is used in virtualized environments.
It provides hardware-based security functions such as random number generation, attestation, key generation and more. It enables the guest OS to create and store private keys.
Those keys are not exposed to the guest operating system itself, which reduces the attack surface of the VM.
When vTPM is enabled it greatly reduces the risk of the secrets inside the VM being compromised when the VM itself is compromised.
vTPM can be configured even if your physical host does not have a TPM chip.
### Requirements/Restrictions
- VM using EFI
- VM Hardware version 14+
- vCenter 6.7+ for Windows guest OS
- vCenter 7U2+ for Linux guest OS
- VM encryption
- Guest OS: Windows Server 2008 or later, Windows 7 or later, or Linux
- Trust authority configured
- Key provider
### Backup restrictions
- When backing up a VM with vTPM enabled, the backup must include all virtual machine files including the .nvram file. Otherwise you won't be able to recover the VM.
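An added PowerCLI audit (not from the original notes) that checks the Secure Boot and vTPM prerequisites listed in the two sections above for every VM: EFI firmware, hardware version 13+/14+, VM encryption, and whether a vTPM device is present. It assumes an existing `Connect-VIServer` session and uses a placeholder VM name for the Secure Boot enablement step.

```powershell
# Added example, not part of the original notes. Assumes a PowerCLI session (Connect-VIServer).
function Get-VMBootSecurityReport {
    param([Parameter(ValueFromPipeline = $true)] $VM)
    process {
        $cfg = $VM.ExtensionData.Config
        # Hardware version is reported as "vmx-NN": Secure Boot needs 13+, vTPM needs 14+.
        $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
        # A vTPM shows up as a VirtualTPM device in the VM hardware list.
        $hasTpm = [bool]($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' })
        $isEfi  = ($cfg.Firmware -eq 'efi')
        $isEnc  = [bool]$cfg.KeyId                         # vTPM requires VM encryption
        [pscustomobject]@{
            Name            = $VM.Name
            HardwareVersion = $hwVersion
            Firmware        = $cfg.Firmware
            SecureBoot      = [bool]$cfg.BootOptions.EfiSecureBootEnabled
            vTPM            = $hasTpm
            Encrypted       = $isEnc
            SecureBootReady = ($isEfi -and $hwVersion -ge 13)
            vTPMReady       = ($isEfi -and $hwVersion -ge 14 -and $isEnc)
        }
    }
}

# Report, then highlight VMs that have a vTPM: their backups must include the .nvram file.
$report = Get-VM | Get-VMBootSecurityReport
$report | Format-Table -AutoSize
$report | Where-Object vTPM | ForEach-Object {
    Write-Host "$($_.Name): vTPM present, backups must include the .nvram file"
}

# Enable Secure Boot on one EFI VM that meets the requirements (VM must be powered off).
$vm = Get-VM -Name 'app-server-01'   # placeholder, replace with a real VM name
$ready = ($report | Where-Object Name -eq $vm.Name).SecureBootReady
if ($ready -and $vm.PowerState -eq 'PoweredOff') {
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $vm.ExtensionData.ReconfigVM($spec)
}
```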
## Encrypted vMotion
Can be configured to different levels per VM (Edit Settings - VM Options - Encryption)
### Requirements/Limitations
- When VMs are encrypted, encrypted vMotion is always used
    - You cannot turn it off
- When using encrypted vMotion across vCenter instances, the vCenters must have the same key provider configured that was used to encrypt the VMs
    - For a standard key provider: same key server
    - For the vSphere Trust Authority service: same Trust Authority service
    - For the vSphere Native Key Provider: must have the same KDK
- Required privileges
    - On source/destination
        - Migrating: Cryptographic operations.Migrate on the virtual machine
        - Cloning: Cryptographic operations.Clone on the virtual machine
    - On destination vCenter
        - Cryptographic operations.EncryptNew
        - Cryptographic operations.RegisterHost (if the ESXi host is not in safe mode)
- For migrating or cloning encrypted VMs across vCenter Server instances, the following requirements apply as well
    - For standard key providers
        - Source/destination vCenter must be on 7.0 or later
        - Source/destination ESXi host must be on 6.7 or later
    - For a trusted key provider
        - The Trust Authority service must be configured for the destination host, and the destination host must be attested
    - Encryption cannot change on migration
    - You cannot migrate a vSphere Trust Authority encrypted VM onto a non-trusted host
### Levels
Disabled:
- Do not use encrypted vMotion
Opportunistic:
- Use encrypted vMotion if source and destination hosts support it, otherwise vMotion is done unencrypted
Required:
- Only vMotion when source and destination hosts support encrypted vMotion; otherwise the vMotion is not performed
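The three levels map to the vSphere API property `migrateEncryption` (`disabled`, `opportunistic`, `required`). As an added PowerCLI example (not from the original notes), this reports the level per VM, flags unencrypted VMs that could still be migrated in clear text, and raises them to `required`. It assumes an existing `Connect-VIServer` session; the function names are my own.

```powershell
# Added example, not part of the original notes. Assumes a PowerCLI session (Connect-VIServer).
function Get-VMMigrateEncryption {
    Get-VM | ForEach-Object {
        $cfg = $_.ExtensionData.Config
        [pscustomobject]@{
            Name              = $_.Name
            Encrypted         = [bool]$cfg.KeyId
            MigrateEncryption = $cfg.MigrateEncryption   # disabled | opportunistic | required
            # Encrypted VMs always use encrypted vMotion, so only unencrypted VMs
            # below "required" can still be moved in clear text.
            RiskOfClearText   = (-not $cfg.KeyId) -and ($cfg.MigrateEncryption -ne 'required')
        }
    }
}

function Set-VMMigrateEncryption {
    param(
        [Parameter(Mandatory)] $VM,
        [ValidateSet('disabled', 'opportunistic', 'required')] [string] $Level = 'required'
    )
    # Same effect as Edit Settings - VM Options - Encryption in the vSphere Client.
    # Note: with "required", a vMotion to a host without encrypted vMotion support is refused.
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Level
    $VM.ExtensionData.ReconfigVM($spec)
}

# Show VMs that could still be migrated in clear text, then move them to "required".
$atRisk = Get-VMMigrateEncryption | Where-Object RiskOfClearText
$atRisk | Format-Table -AutoSize
foreach ($entry in $atRisk) {
    Set-VMMigrateEncryption -VM (Get-VM -Name $entry.Name) -Level 'required'
}
```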
## Virtual machine Isolation
You should isolate VMs by segregating their network traffic via VLANs. This isolates them from other virtual machines and from the host system.
## Access Controls
Access control is a fundamental step to ensure a secured environment. vSphere provides several access control mechanisms, including role-based access control (RBAC).
By implementing access control you restrict access to virtual machines and prevent unauthorized users from accessing sensitive data or making changes to VMs.
## UEFI & Secureboot
Ensures that your VMs boot only software that is trusted by the manufacturer.
## Security patches and updates
More than ever this is crucial today; many zero-day vulnerabilities and ransomware spread fast only because of neglected patching.
VMware regularly releases security updates for vSphere; by applying them quickly, administrators can keep VMs and vSphere safe.
## Intel Software Guard Extensions (vSGX)
Can be configured inside a VM; it provides additional security to your workloads.
### Unsupported features with SGX-enabled VMs
- vMotion/DRS migration
- Suspending and resuming a virtual machine
- VM snapshots (VM snapshots are supported if you do not snapshot the virtual machine's memory)
- Fault Tolerance
- Guest Integrity (GI, platform foundation for VMware AppDefense™ 1.0)
## Use Antivirus and Anti-Malware Software
Antivirus and anti-malware are essential to securing your virtual machines from malware. vSphere 8.0 supports the use of third-party antivirus.
## Using templates
Using templates ensures the same baseline across VMs without any risk of security-related misconfiguration.
It also makes a hardened VM operating system easier to manage.
## 🔗Resources
### VM Encryption KMS HCL
- https://www.vmware.com/resources/compatibility/search.php
### VM Encryption workflow with the different key providers
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-4A8FA061-0F20-4338-914A-2B7A57051495.html