This is something I have been thinking on for a while. And I have talked to a lot of people about it. I think I know how it works and I am going to write it down here. I will update this as I get to test things. Any comments or corrections or suggestions welcome.
Note: vSphere 6.5 came out Tuesday November 15, and Veeam B&R 9.5 came out Wednesday November 16. Both are releases that started small, and ended up big. Veeam is working hard to support vSphere 6.5 but with the number of new things in it – that you can see and you cannot see – it will take us a bit. Officially it is 30 – 60 days – but really I can say it will take as long as it needs plus about 2 days.
How to backup an Encrypted VM
- You will likely need to upgrade your backup software to a version that supports vSphere 6.5.
- You will need to have your software inside a VM, and that VM will need to be encrypted.
- The account that your software runs on, or talks to vCenter with, needs to have an extra right / permission. This is on top of what they normally need. This right is Cryptographer.DirectAccess. As I start testing this I will add screen shots.
- This will allow the backup software to backup the encrypted VM but it will NOT be encrypted after the backup.
- The backup software should likely encrypt the VM as it is backed up.
How to restore a complete encrypted VM
- You will need to have the steps above complete!
- You will restore your VM, and as that is done the backup software encryption will be removed, and as part of the restore you will select a policy that is the encryption policy – if that is appropriate. So the encrypted backup will be decrypted as it is written out and encrypted (by vSphere) as it is written.
I believe this is correct but, I need to test it. There are some other questions too:
- How will a restore work – or will it work, if the VM being restored is already in the vSphere 6.5 world? Before 6.5 this was common and it means the restore was faster since some of the bits are there. I think that this may not work? Workaround will be easy if so – delete the existing VM and restore. Update: Correct, will not work.
- Will restore a file to an encrypted VM work? Think not, but you never know.
- Will restore a file to anywhere work? Think not, but you never know.
- Instant restore a VM – will it work? Not sure.
With what I see in the world today – it is very good that VMware has provided us customers with a very nice option for encrypting the VMs. I am very impressed with the architecture and functionality, but now I need to see how backups and restores work!
Here is an article that is a good collection of vSphere 6.5 security articles / info and I am told it will be updated as time goes on – thanks Mike. vSphere 6.5 doesn’t just have encryption but Secure Boot, and actionable log messages too so it is a big security release for sure.
I will update this document as I learn more, and feel free to ask questions or comment.
- 2/1/17 – I have upgraded my lab to vSphere 6.5, and am working on testing this article out. However, I have hit an issue with one of my servers. It is a Dell R710 and it is not supported for VM Encryption so that makes it hard to test the backup of encrypted VMs out since it is part of my cluster. In fact I have a few of them! Anyone want to buy one? I am building out my work lab next week and will finish off testing at that time. In fact, I will have suggestions to make this better and some very useful info.
- 12/18/16 – if you want to enable or work with VM encryption using PowerCLI this article will help.
- 11/24/16 – saw this article that looks at encrypted VM performance and it is quite interesting too. Good info on performance but also quite good on background info.
- 11/19/16 – added link for video on encrypting disks, and this one on setting up a KMS.
- 11/18/16 – updated for the restore over encrypted not working. Thanks Mike!
=== END ===