Encrypt virtual machines using Entrust KeyControl and VMware vSphere® with Oracle Cloud VMware Solution

Introduction

This tutorial provides an operational overview of how to use the Entrust KeyControl 5.4 Solution with the Oracle Cloud VMware Solution software-defined data center (SDDC) cluster. It describes the available options and the steps required to use Entrust KeyControl with Oracle Cloud VMware Solution.

Oracle and VMware have developed a fully certified and supported SDDC solution called Oracle Cloud VMware Solution. This solution uses Oracle Cloud Infrastructure (OCI) to host a highly available VMware SDDC. It also allows seamless migration of on-premises VMware SDDC workloads to Oracle Cloud Infrastructure.

Why VM encryption?

To fully unlock all the advantages of virtualization, it’s important to have a security posture in place that is uniquely designed to protect your virtualized environment. Encrypting VMs provides a high level of security you can count on to keep critical data safe.

Prerequisites

Objective

Encrypt virtual machines using Entrust KeyControl and VMware vSphere® encryption policies with Oracle Cloud VMware Solution

Task 1: Select the VM for encryption

  1. Log in to the Oracle Cloud VMware Solution Virtual Center Appliance (VCSA).

  2. Right-click a VM, select VM Policies, and then click Edit VM Storage Policies.

    Note:

    • The VM storage policy drop-down list is displayed.
    • Follow the relevant steps in Task 2, depending on whether you want to encrypt the entire VM or only specific VMware Virtual Machine Disk Files (VMDKs).

Task 2: Encrypt the entire VM or Encrypt specific VMDKs

Ensure that the VM is powered off and follow the relevant steps described in this section depending on whether you want to encrypt the entire VM or encrypt specific VMDKs.

Encrypt the entire VM

  1. Select VM Encryption Policy from the VM storage policy drop-down list and click OK.

    Note:

    • During this phase VMware vCenter requests an encryption key from Entrust KeyControl and presents it to the ESX host where the VM is assigned. This key is referred to as the Key Encryption Key (KEK).
    • The ESX host creates a Data Encryption Key (DEK) and protects it by wrapping the DEK with the KEK.
    • The ESX host then begins encrypting the VM.

Encrypt specific VMDKs

  1. Enable the Configure per disk option. The color changes to green when per-VMDK selection is enabled.

  2. Select VM Encryption Policy from the VM storage policy drop-down list for each VMDK you want to encrypt.

  3. For VM home, select VM Encryption Policy from the VM storage policy drop-down list.

    Note: You will NOT be able to move past this step if you do not select the same policy for VM home.

  4. After you have selected the VM Encryption Policy for each VMDK and VM home, click OK.

    Note:

    • During this phase VMware vCenter requests an encryption key from KeyControl and presents it to the ESX host where the VM is assigned. This key is referred to as the Key Encryption Key (KEK).
    • The ESX host creates a Data Encryption Key (DEK) and protects it by wrapping the DEK with the KEK.
    • The ESX host then begins encrypting the selected VMDKs.
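
The KEK/DEK notes in both encryption paths above describe an envelope scheme. The Go sketch below is an added example, not Entrust, VMware or Oracle code, and shows why an encrypted VM depends on the key server still holding its KEK. The `KMS`, `VMRecord`, `EncryptVM` and `UnlockVM` names, the `kek-1` ID and the use of AES-256-GCM as the wrap algorithm are assumptions; the page does not state which wrap algorithm the ESX host uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KMS map[string][]byte // stand-in for the key server: KEKs stored by ID

// VMRecord is what stays with the VM: the KEK's ID and the wrapped DEK, no KEK.
type VMRecord struct{ KEKID string; Nonce, WrappedDEK []byte }

func gcm(kms KMS, id string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kms[id]) // a missing KEK is nil and is rejected
	if err != nil {
		return nil, fmt.Errorf("KEK %q unavailable from key server: %w", id, err)
	}
	return cipher.NewGCM(block)
}

// EncryptVM makes a DEK on the "host" and wraps it with the KEK (AES-GCM assumed).
func EncryptVM(kms KMS, id string) (VMRecord, []byte, error) {
	g, err := gcm(kms, id)
	if err != nil {
		return VMRecord{}, nil, err
	}
	buf := make([]byte, 32+g.NonceSize()) // 32-byte DEK, then the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return VMRecord{}, nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	return VMRecord{id, nonce, g.Seal(nil, nonce, dek, []byte(id))}, dek, nil
}

// UnlockVM recovers the DEK; it fails once the KMS no longer holds that KEK.
func UnlockVM(kms KMS, rec VMRecord) ([]byte, error) {
	g, err := gcm(kms, rec.KEKID)
	if err != nil || len(rec.Nonce) != g.NonceSize() {
		return nil, fmt.Errorf("cannot unwrap DEK under KEK %q", rec.KEKID)
	}
	return g.Open(nil, rec.Nonce, rec.WrappedDEK, []byte(rec.KEKID))
}

func main() {
	kms := KMS{"kek-1": make([]byte, 32)} // constructed all-zero KEK, demo only
	rec, _, _ := EncryptVM(kms, "kek-1")
	fmt.Println(UnlockVM(KMS{}, rec)) // key server without the KEK: unlock fails
}
```

Only the KEK ID and the wrapped DEK travel with the VM, so backing up and protecting the key server matters as much as the encryption policy itself.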

Next steps

Once the VM encryption is complete, the encryption status for the VM displays: Encrypted with standard key provider.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.