Just wanted to share the Virtually Speaking Podcast with you. This episode (32) is on the topic of VVol 2.0 and features Pete Flecha, Ben Meadowcroft (PM for VVol) and me. Make sure to listen to it; it has some good info on where VVol is today and where it may be going in the near future!
More and more people are starting to ask me what the difference is between VMCrypt, aka VM Encryption, and the beta feature we announced not too long ago called vSAN Encryption. (Note: we announced a beta; no promises were made around dates or actual releases or releasing of the feature.) Both sound very much the same, and essentially both end up encrypting the VM, but there is a big difference in terms of how it is implemented. There are advantages and disadvantages to both solutions. Let's look at VM Encryption first.
VM Encryption is implemented through VAIO (vSphere APIs for IO Filters). The VAIO framework allows a filter driver to do “things” to/with the IO that a VM sends down to a device. One of these things is encryption. Now before I continue, take a look at this picture of where the filter driver sits.
As you can see, the filter driver is implemented in the User World and the action against the IO is taken at the top level. If this is encryption, for instance, then any data sent across the wire is already encrypted. Great in terms of security, of course. And all of this can be enabled through policy. Simply create the policy, select the VM or VMDK you want to encrypt and there you go. So if it is that awesome, why vSAN Encryption?
Well, the problem is that all IO is encrypted at the top level. This means that it is received in the vSAN write buffer fully encrypted; at some point the data needs to be destaged, and it is then deduplicated and compressed (in all-flash). As you can imagine, encrypted blocks do not dedupe (or compress) well. As such, in an all-flash environment with deduplication and compression enabled, any VM that has VM Encryption through VAIO enabled will not provide any space savings.
With vSAN Encryption this will be different. The way it will work is that it will provide “encryption at rest”. The data travels to the destination unencrypted, and when it reaches its destination it is written encrypted to the cache tier. It is then decrypted before it is destaged, and it is encrypted again after it is deduplicated and/or compressed. This means that you will benefit from space saving functionality. However, encryption in this case is a cluster-wide option, which means that every VM will be encrypted, which may not be desirable.
So in short:
- VM Encryption (VAIO)
  - Policy based (enable per VM)
  - Data travels encrypted
  - No/near zero dedupe
- vSAN Encryption
  - Enabled on a cluster level
  - Data travels unencrypted, but it is written encrypted to the cache layer
  - Full compatibility with vSAN data services
I hope that clarifies why we announced the beta of vSAN Encryption and what the difference is with VM Encryption that is part of vSphere 6.5.
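The ordering effect described above, shown as an added example that is not from the original post or from VMware code. It uses a SHA-256 counter-mode keystream with a per-block tweak as a stand-in for the real cipher; the block size, key and sample blocks are constructed for the demo.

```python
import hashlib
import zlib

BLOCK = 4096  # constructed block size for the demo (assumption)

def keystream_encrypt(key: bytes, block_no: int, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream; a stand-in for a real cipher, demo only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        seed = key + block_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def dedupe_and_compress(blocks):
    """Keep one copy per unique block (by SHA-256), then zlib-compress each copy."""
    unique = {hashlib.sha256(b).digest(): b for b in blocks}
    return [zlib.compress(b) for b in unique.values()]

def stored_bytes_encrypt_first(blocks, key):
    """Encrypt at the top of the IO path; storage then sees only ciphertext."""
    cipher = [keystream_encrypt(key, i, b) for i, b in enumerate(blocks)]
    return sum(len(c) for c in dedupe_and_compress(cipher))

def stored_bytes_encrypt_last(blocks, key):
    """Dedupe and compress plaintext first; encrypt only what gets written."""
    reduced = dedupe_and_compress(blocks)
    return sum(len(keystream_encrypt(key, i, c)) for i, c in enumerate(reduced))

def sample_blocks():
    # Constructed sample: 64 blocks, only 4 distinct, each highly compressible.
    patterns = [(f"guest-os-page-{n} ".encode() * 400)[:BLOCK] for n in range(4)]
    return [patterns[i % 4] for i in range(64)]

if __name__ == "__main__":
    blocks = sample_blocks()
    key = hashlib.sha256(b"constructed demo key").digest()
    print("raw bytes:          ", len(blocks) * BLOCK)
    print("encrypt, then dedupe:", stored_bytes_encrypt_first(blocks, key))
    print("dedupe, then encrypt:", stored_bytes_encrypt_last(blocks, key))
```

Encrypting first leaves the storage layer with 64 distinct, incompressible blocks, while encrypting last stores only the 4 compressed unique blocks.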
What a crazy week, VMworld. Many announcements by many different vendors and of course a kazillion blog posts. I picked a few which stood out to me and which are worth reading.
- VMworld VMware Code hackathon to hit Barcelona 2016 by Alan Renouf
The US version of the hackathon was a big success, and I expect nothing less in EMEA to be honest. Read Alan’s article to get a feeling / idea around what it was like and make sure to sign up if you have a good idea, or want to join an existing team!
- VMware Virtual SAN 6.2 All NVMe Flash Array with Intel® SSD P3520 Sets New Record
I just like reading these types of posts: what can a config like this lead to? Sometimes people say ‘well how realistic is the config?’ I actually have a customer deploying this exact configuration today.
- Dell Technologies = Facemeltingly Awesome, but shall we talk frankly? by Chad Sakac
A lengthy post on the Dell/EMC merger by Chad. He is in the middle of it and I always enjoy reading his thoughts.
- VMware PowerCLI for Mac OS X, Linux & More? Yes, please! by William Lam
Quick post on something very interesting: availability of PowerCLI on operating systems other than Microsoft's. Leave a comment on his post if you are interested…
- VMware ESXi Claimrules Unleashed by Guido Hagemann
Want to know what a claimrule is all about? Guido broke it down in a nice way. Some good stuff in there.
- Have a couple of spare hours and want to watch some VMworld sessions? William Lam dumped everything in a long list, which makes your life easier!
- Julian Wood’s VMworld Day 1, Day 2, Day 3, Day 4 series.
One of the best “personal takes” on VMworld US if you ask me. I know how much work it is to keep articles like these up to date. Some interesting thoughts, and I like how Julian included the parties, receptions but also a chat he had with PernixData’s Satyam Vaghani.
- VSAN Availability series part 1, part 2 and part 3 by Jeff Hunter
If you want to know more about VSAN and the availability aspects, this is a great series to read…