Yellow Bricks

by Duncan Epping

The difference between VM Encryption in vSphere 6.5 and vSAN encryption

Duncan Epping · Nov 7, 2016 ·

More and more people are starting to ask me what the difference is between VMCrypt aka VM Encryption and the beta feature we announced not too long ago called vSAN Encryption. (Note, we announced a beta, no promises were made around dates or actual releases or releasing of the feature.) Both sound very much the same and essentially both end up encrypting the VM, but there is a big difference in terms of how it is implemented. There are advantages and disadvantages to both solutions. Let's look at VM Encryption first.

VM Encryption is implemented through VAIO (vSphere APIs for IO Filters). The VAIO framework allows a filter driver to do “things” to/with the IO that a VM sends down to a device. One of these things is encryption. Now before I continue, take a look at this picture of where the filter driver sits.

As you can see, the filter driver is implemented in the User World and the action against the IO is taken at the top level. If this for instance is encryption, then any data sent across the wire is already encrypted. Great in terms of security of course. And all of this can be enabled through policy. Simply create the policy, select the VM or VMDK you want to encrypt and there you go. So if it is that awesome, why vSAN Encryption?

Well, the problem is that all IO is encrypted at the top level. This means that it is received in the vSAN write buffer fully encrypted, then the data at some point needs to be destaged and is deduplicated and compressed (in all-flash). As you can imagine, encrypted blocks do not dedupe (or compress) well. As such, in an all-flash environment with deduplication and compression enabled, any VM that has VM Encryption through VAIO enabled will not provide any space savings.

With vSAN Encryption this will be different. The way it will work is that it will provide “encryption at rest”. The data travels to the destination unencrypted. When it reaches its destination it is written encrypted to the cache tier, then it is decrypted before it is destaged, and it will be encrypted again after it is deduplicated and/or compressed. This means that you will benefit from space saving functionality. However, encryption in this case is a cluster-wide option, which means that every VM will be encrypted, which may not be desirable.
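The effect described in the two paragraphs above can be reproduced with a small model. This is an added example, not code from the original post or from VMware: the SHA-256 counter-mode keystream is a toy stand-in for the real cipher, and the per-VM keys, per-block tweak, 4 KB block size and sample data are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed block size for this model

def keystream_encrypt(key: bytes, tweak: int, data: bytes) -> bytes:
    """Toy stand-in for a tweakable cipher (SHA-256 in counter mode).
    Illustration only, not for protecting real data."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        seed = key + tweak.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def dedupe_and_compress(blocks):
    """Keep one copy per unique block (by SHA-256), then compress each copy."""
    unique = {hashlib.sha256(b).digest(): b for b in blocks}
    stored = sum(len(zlib.compress(b)) for b in unique.values())
    return len(unique), stored

def encrypt_at_top(vms):
    """VM Encryption model: every VM encrypts with its own key (assumption)
    before the storage layer gets a chance to dedupe and compress."""
    ciphertext = [keystream_encrypt(key, lba, blk)
                  for key, blocks in vms for lba, blk in enumerate(blocks)]
    return dedupe_and_compress(ciphertext)

def encrypt_at_rest(vms, cluster_key: bytes):
    """vSAN Encryption model: dedupe and compress the plaintext first,
    then encrypt what is left with one cluster-wide key."""
    plaintext = [blk for _, blocks in vms for blk in blocks]
    unique = {hashlib.sha256(b).digest(): zlib.compress(b) for b in plaintext}
    stored = sum(len(keystream_encrypt(cluster_key, i, c))
                 for i, c in enumerate(unique.values()))
    return len(unique), stored

def sample_vms():
    # Constructed sample: two VMs cloned from one template, 8 identical
    # OS blocks each plus one block of VM-specific data (18 blocks total).
    os_blocks = [bytes([i]) * BLOCK for i in range(8)]
    return [(b"key-vm-a", os_blocks + [b"A" * BLOCK]),
            (b"key-vm-b", os_blocks + [b"B" * BLOCK])]

if __name__ == "__main__":
    for name, (n, size) in [("encrypt at top", encrypt_at_top(sample_vms())),
                            ("encrypt at rest", encrypt_at_rest(sample_vms(), b"cluster-key"))]:
        print(f"{name}: {n} unique blocks, {size} bytes stored of {18 * BLOCK}")
```

In the first model all 18 blocks look unique and incompressible to the storage layer; in the second, 10 unique blocks remain and they compress before being encrypted.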

So in short:

  • VM Encryption (VAIO)
    • Policy based (enable per VM)
    • Data travels encrypted
    • No/near zero dedupe
  • vSAN Encryption
    • Enabled on a cluster level
    • Data travels unencrypted, but it is written encrypted to the cache layer
    • Full compatibility with vSAN data services

I hope that clarifies why we announced the beta of vSAN Encryption and what the difference is with VM Encryption that is part of vSphere 6.5.

@DuncanYB’s recommended reads part 5

Duncan Epping · Sep 18, 2016 ·

What a crazy week, VMworld. Many announcements by many different vendors and of course a kazillion blog posts. I picked a few which stood out to me and which are worth reading.

  • VMworld VMware Code hackathon to hit Barcelona 2016 by Alan Renouf
    The US version of the hackathon was a big success, and I expect nothing less in EMEA to be honest. Read Alan’s article to get a feeling / idea around what it was like and make sure to sign up if you have a good idea, or want to join an existing team!
  • VMware Virtual SAN 6.2 All NVMe Flash Array with Intel® SSD P3520 Sets New Record
    I just like reading these types of posts, what can a config like this lead to. Sometimes people say ‘well how realistic is the config?’ I actually have a customer deploying this exact configuration today.
  • Dell Technologies = Facemeltingly Awesome, but shall we talk frankly? by Chad Sakac
    A lengthy post on the Dell/EMC merger by Chad. He is in the middle of it and I always enjoy reading his thoughts.
  • VMware PowerCLI for Mac OS X, Linux & More? Yes, please! by William Lam
    Quick post on something very interesting, availability of PowerCLI on operating systems other than Microsoft's. Leave a comment on his post if you are interested…
  • VMware ESXi Claimrules Unleashed by Guido Hagemann
    Want to know what a claimrule is all about? Guido broke it down in a nice way. Some good stuff in there.
  • Have a couple of spare hours and want to watch some VMworld sessions? William Lam dumped everything in a long list, which makes your life easier!
  • Julian Wood’s VMworld Day 1, Day 2, Day 3, Day 4 series.
    One of the best “personal takes” on VMworld US if you ask me. I know how much work it is to keep articles like these up to date. Some interesting thoughts, and I like how Julian included the parties, receptions but also a chat he had with PernixData’s Satyam Vaghani.
  • VSAN Availability series part 1, part 2 and part 3 by Jeff Hunter
    If you want to know more about VSAN and the availability aspects, this is a great series to read…

vSpeaking Podcast: VMworld Debrief

Duncan Epping · Sep 12, 2016 ·

Pete and John asked me if I wanted to join the podcast again, this week we did a VMworld US debrief. I figured I would share it with you folks as well. Hope you enjoy it as much as we did.

VMworld Europe, sign up now and register for sessions!

Duncan Epping · Sep 12, 2016 ·

VMworld US is over, I’ve watched various sessions and am now starting to prep for VMworld EMEA, which will be in a month (17-20 Oct). If you haven’t registered yet then now is the time to do so, the longer you wait, the more expensive flights will become. If you have registered and are starting to look at the agenda then here are the 2 sessions I have scheduled this year:

  • 18/10/16 (Tuesday) 15:30 – Software-Defined Storage at VMware Primer – STO7650 – Lee Dilworth / Duncan Epping
  • 19/10/16 (Wednesday) 15:30 – A day in the life of a VSAN I/O – STO7875 – John Nicholson / Duncan Epping

And based on the sessions I have seen so far, I would also like to recommend adding the following to your schedule:

  • VMware Chief Technology Officer Panel – Trends and Futures [CTO9943] Joe Baguley, Paul Strong, Shawn Bass, Ray O’Farrell
  • vSphere 6.x Host Resource Deep Dive [INF8430] Frank Denneman / Niels Hagoort
  • Extreme Performance Series: vCenter Performance Deep Dive [INF8108] Ravi Soundararajan, Sameh Zakhary
  • Tech Preview: Enhanced VM Availability Leveraging vCenter and Partner Hardware Integration [INF8020] Maarten Wiggers
  • vSphere DRS Deep Dive: Understanding the Best Practices, Advanced Concepts, and Future Direction of DRS [INF7827] Naveen Nagaraj
  • An Industry Roadmap: From storage to data management [STO7903] Christos Karamanolis
  • The Power Hour: Deep Dive, DevOps, and New Features of PowerCLI [INF8092] Alan Renouf
  • Virtual Volumes Technical Deep Dive [STO7645] Pete Flecha / Patrick Dirks
  • Virtual SAN: Introducing the Best HCI Platform for Containers and Cloud-Native Applications [STO8256] Christian Dickmann / Rawlinson Rivera
  • Cloud Native Buzzwords (Demystified) for Dummies [CTO7964] Massimo Re Ferre’

Want to watch a VMworld 2016 session?

Duncan Epping · Sep 6, 2016 ·

I had a long discussion with the VMworld team about this over the past editions and I am happy to say that ALL sessions have been made available to the public straight after the event. VMware made all VMworld 2016 sessions available to the public. You can find them here: http://www.vmworld.com/en/sessions/2016.html. And also, if you want a more “limited” list, you can go for the top ranked sessions. You can find the top-10 sessions of each VMworld day here: http://www.vmworld.com/en/sessions/top-10-us.html.

There is one session I want to call out, I wasn’t able to do a live blog on it, mainly because it went deep, and it went deep fast. Ravi R. is one of the best deep tech speakers I have seen: INF8108 – Extreme Performance Series: vCenter Performance Deep Dive.

Thanks VMworld team for doing this. Time for some binge watching 🙂

About the Author

Duncan Epping is a Chief Technologist and Distinguished Engineering Architect at Broadcom. Besides writing on Yellow-Bricks, Duncan is the co-author of the vSAN Deep Dive and the vSphere Clustering Deep Dive book series. Duncan is also the host of the Unexplored Territory Podcast.