VM Encryption Overview
Encrypting your Virtual Machine for additional security and peace of mind
DSM's cloud solution allows you to encrypt your VMs or individual disks to ensure you're meeting those stringent compliance requirements you may face. These are some benefits of this optional feature provided with the DSM cloud.
- When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected.
- DSM host servers support AES-NI instructions to accelerate encryption and decryption operations.
- VMware encrypts and decrypts according to NIST-validation (FIPS-197). It also manages encryption keys according to NIST guidelines (FIPS 140-2).
While the Encryption service is designed to be self-service, there are some key things to consider when interacting with it. If there is ever any doubt, we encourage to reach out to our Support team for assistance.
Guest customization is not possible once a VM is encrypted. If you need to perform any guest customization this should be done prior to encrypting the VM.
- IP/Network changes require guest customization to push IP mode or any other customization parameter
Disk encryption requires VM home encryption.
- In the Tenant UI, you must change both the general VM storage policy and the system disk during the initial encryption process
What you can do:
- You can create additional disks using either encrypted or non-encrypted policies
- You can delete secondary encrypted disks
- You can delete an encrypted VM
- You can create snapshots of a powered off encrypted VM
- You can remove snapshots of a powered off encrypted VM
- You can revert to a snapshot of powered off encrypted VM
- You can revert to a snapshot while the encrypted VM is powered on (snapshot state will be powered off, forcing the VM to this previous state)
Things to note:
- You cannot create a snapshot of a powered on encrypted VM
- OVF Export is not supported for an encrypted VM
- New VMs must be deployed unencrypted and then encrypted after the deployment process is complete
- You may see a key encryption bundle error message in the UI when decrypting a VM. The error has no impact on the process and will be decrypted.