VMware software powers the world’s complex digital infrastructure. The company’s compute, cloud, mobility, networking and security offerings provide a dynamic and efficient digital foundation to over 500,000 customers globally, aided by an ecosystem of 75,000 partners. Headquartered in Palo Alto, California, this year VMware celebrates twenty years of breakthrough innovation benefiting business and society.
VMware vSAN is an industry-leading flash-optimized secure storage platform that helps customers evolve to hyper-converged infrastructure (HCI). By pooling together server-attached storage, it provides a highly resilient and encrypted shared datastore suitable for any virtualized workload, including business-critical applications. vSAN lowers IT costs and provides an agile solution ready for future hardware, hybrid cloud offerings, and next-generation applications.
Delivering the industry’s first native HCI encryption solution, vSAN can leverage the CipherTrust Manager from Thales to provide the full range of protection for key management and role separation. The combined solution delivers non-disruptive encryption to ensure the security of data at rest in storage clusters. The combination provides a cost-effective and comprehensive solution that meets the most stringent security requirements. The use of software-based data encryption provides the flexibility to be deployed with any supported storage device and a wide range of servers.
The use of VMware vSAN with CipherTrust Manager enables a flexible key management root of trust to match the customer risk profile – from the virtualized infrastructure to a FIPS 140-2 Level 3 physical protected boundary.
VMware vSphere® is an industry-leading virtualization platform that empowers users to scale up and scale out applications with confidence. vSphere helps you get the best performance, availability, and efficiency from your infrastructure and applications. It’s the ideal foundation for any cloud environment.
VMware vSphere VM Encryption is a feature introduced in vSphere 6.5 to enable the encryption of virtual machines. VM Encryption protects virtual machine files, virtual disk files, and core dump files by encrypting the input/output from the virtual machine before it is stored on disk. The solution leverages the Key Management Interoperability Protocol (KMIP) for encryption key management and key vaulting.
vSphere enables a flexible key management root of trust to match the customer risk profile – from a software virtual appliance to a FIPS 140-2 Level 3 physical protected boundary. vSphere can be used with the CipherTrust Manager from Thales to provide the full range of protection for key management and role separation. The combined solution delivers non-disruptive encryption, ensuring the security of VMs, the applications they run, and the sensitive data they process. The combination provides a cost-effective and comprehensive solution that meets the most stringent security requirements. Leveraging hardware-based data encryption ensures no adverse impact to system performance.
A TPM is a hardware-level cryptographic processor that secures the generation of cryptographic keys. For virtualized server environments, this functionality is provided in software via a virtual TPM (vTPM). VMware’s vSphere 6.7 adds support for TPM 2.0 hardware devices for ESXi hosts and also introduces virtual TPM (vTPM) 2.0 for virtual machines, ensuring integrity for both the hypervisor and the guest operating system (OS). VMware and the vSphere architecture provide this capability utilizing the following components:
- Implementation of Virtual Trusted Platform Modules (vTPMs) in a vSphere environment requires an external Key Management Server (KMS) utilizing KMIP
- Virtual Trusted Platform Modules (vTPMs) establish trust by enabling “Secure Boot” technology, emulating a hardware-based TPM
- vTPM data is securely stored in the virtual machine .nvram file, encrypted using VM encryption
NIST Special Publication 800-57 Part 2 Revision 1 recommends that Moderate and High impact levels require a cryptographic module validated at FIPS 140 Level 3 or higher. Specifying a FIPS 140 Level 1 cryptographic module could adversely affect the organization’s ability to continue to engage in mission-critical processing and communications partnerships. FIPS requirements are matched to the impact level of customer data (levels 1-3), and deployments use high availability to support mission resiliency.
Thales TCT’s CipherTrust Manager is a VMware-certified KMS that protects vTPMs’ cryptographic keys in an external hardware appliance. Thales TCT’s Enterprise Key Manager (the Data Security Platform) also supports an embedded hardware root of trust utilizing a FIPS 140-2 Level 3 Luna hardware security module. Developed for U.S. Government use, it is manufactured, sold, and supported in the U.S. exclusively by Thales TCT.
Read our DoD STIG Compliance Virtualization-Based Security – External Key Management Solution Brief for more information.