Advanced VMware vSphere Features 🤓 Encrypted VMs

  • 15 December 2020

Many times we wonder what happens with encrypted VMs :thinking:. Here is this great explanation from Veeam:

 

:ballot_box_with_check: Backup of Encrypted VMs

 

Veeam Backup & Replication lets you back up encrypted VMs. The backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for backup must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.

:ballot_box_with_check:  Replication of Encrypted VMs

Veeam Backup & Replication lets you replicate encrypted VMs. The backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for backup must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place disks and the configuration file of the VM replica on datastores to which the VM Encryption policy is assigned. To do this, at the Destination step of the wizard, click Datastore and select a datastore under the VM Encryption Policy.

NOTE:

Multi-OS file-level restore for encrypted VM replicas is not supported.

 

:ballot_box_with_check:  Restore of Encrypted VMs

 

Veeam Backup & Replication supports restore of encrypted VMs. You have the following restore options:

  • You can back up an encrypted VM and restore it as encrypted.
  • You can back up an encrypted VM and restore it as unencrypted.
  • You can back up an unencrypted VM and restore it as encrypted.

To let Veeam Backup & Replication successfully restore an encrypted VM, the backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for restore must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place VM disks on datastores to which the VM Encryption policy is assigned. To do this, at the Datastore step of the wizard, select a VM disk, click Datastore and select a datastore under the VM Encryption policy.

If a VM has several disks, you can optionally restore some disks as encrypted and some disks as unencrypted. Keep in mind, however, that the VM configuration file must always be placed on a datastore to which the VM Encryption policy is assigned.

:ballot_box_with_check:  Failback of Encrypted VMs

 

During failback, Veeam Backup & Replication lets you restore a VM as encrypted. To let Veeam Backup & Replication successfully restore an encrypted VM, the backup infrastructure must meet the following requirements:

  • VM encryption instances must be preconfigured in the virtual infrastructure: you must set up the key management server, create the VM encryption policy and assign it to VMs in advance.
  • The backup proxy used for failback must be working in the Virtual appliance transport mode or Network transport mode with SSL encryption enabled.
  • The backup proxy working in the Virtual appliance transport mode must be deployed on an encrypted VM. Ensure either that you use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys.
  • You must place VM disks on datastores to which the VM Encryption policy is assigned. To do this, at the Datastore step of the wizard, select a VM disk, click Datastore and select a datastore under the VM Encryption policy.

If a VM has several disks, you can optionally restore some disks as encrypted and some disks as unencrypted. Keep in mind, however, that the VM configuration file must always be placed on a datastore to which the VM Encryption policy is assigned.

                                                                       :santa:
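
The restore and failback requirements listed in the post above, written out as a pre-flight check over a constructed inventory. This is an added example, not code from the post or from Veeam; every class, function, datastore and key name in it is hypothetical, and the KMS condition is checked for the Virtual appliance proxy because the post lists it in that bullet.

```python
from dataclasses import dataclass

@dataclass
class Proxy:                      # constructed model, not a Veeam object
    name: str
    transport: str                # "Virtual appliance" or "Network"
    ssl: bool = False             # Network mode with SSL encryption enabled
    on_encrypted_vm: bool = False

@dataclass
class Kms:                        # one KMS cluster and the key IDs it serves
    cluster: str
    key_ids: frozenset

def preflight(proxy, vm_key, src_kms, dst_kms, policy_datastores,
              config_ds, disks):
    """Return unmet requirements; disks maps name -> (datastore, encrypt?)."""
    problems = []
    if proxy.transport == "Virtual appliance":
        if not proxy.on_encrypted_vm:
            problems.append(f"{proxy.name}: Virtual appliance proxy is not on an encrypted VM")
        # Either one common KMS, or both clusters hold the VM's key.
        shared = src_kms.cluster == dst_kms.cluster or (
            vm_key in src_kms.key_ids and vm_key in dst_kms.key_ids)
        if not shared:
            problems.append(f"key {vm_key}: no common KMS and key not shared by both clusters")
    elif proxy.transport == "Network":
        if not proxy.ssl:
            problems.append(f"{proxy.name}: Network mode without SSL encryption")
    else:
        problems.append(f"{proxy.name}: transport mode {proxy.transport!r} not allowed")
    # The configuration file must always sit under the VM Encryption policy.
    if config_ds not in policy_datastores:
        problems.append(f"config file on {config_ds}: no VM Encryption policy")
    # Disks may be mixed: only those restored as encrypted need the policy.
    for disk, (ds, encrypt) in sorted(disks.items()):
        if encrypt and ds not in policy_datastores:
            problems.append(f"{disk} on {ds}: no VM Encryption policy")
    return problems

# Constructed sample inventory
POLICY_DS = {"ds-enc-01", "ds-enc-02"}
SITE_A = Kms("kms-a", frozenset({"key-1", "key-2"}))
SITE_B = Kms("kms-b", frozenset({"key-2"}))
GOOD = preflight(Proxy("proxy1", "Virtual appliance", on_encrypted_vm=True),
                 "key-2", SITE_A, SITE_B, POLICY_DS, "ds-enc-01",
                 {"disk0": ("ds-enc-02", True), "disk1": ("ds-plain", False)})
BAD = preflight(Proxy("proxy2", "Network", ssl=False),
                "key-1", SITE_A, SITE_B, POLICY_DS, "ds-plain",
                {"disk0": ("ds-plain", True)})
if __name__ == "__main__":
    print(GOOD, *BAD, sep="\n")
```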

 


1 comment


VMware has bragged about it since 6.5 but the implementation was buggy, I remember. Let me know if you or someone here gets a chance to test with vSphere 7.0 and Veeam 11.
