In the last blog post in the VMware or Beginners, we discussed vSphere Key Provider, and in this one, we will discuss what vSphere Trust Authority is.
vSphere Trust Authority is a highly complex process, and it will be hard to talk about all of vSphere’s encryption and security in simple blog posts. So, I will try to keep it easy and explain what it is, how it works, and how to use it.
What is vSphere Trust Authority?
VMware’s vSphere has a security tool called “vSphere Trust Authority” that helps keep your virtual environment safe from unwanted access and changes. The system authenticates ESXi and vCenter Server systems using hardware and software security methods to do this.
vSphere Trust Authority (vTA) is a new feature in VMware vSphere 7.0 meant to improve a vSphere system’s security. It gives vSphere infrastructure components a way to build trust with each other and make sure they work in a known and proven state.
A Trusted Platform Module (TPM) chip is used by vSphere Trust Authority to store secure keys and information about the software running on an ESXi host. The TPM chip checks the software on an ESXi server when it starts up. The system then sends this data to the vCenter Server, which checks it against a known good figure. If the reading is correct, the ESXi host is thought to be reliable.
A key provider is also used by the vSphere Trust Authority to handle the encryption keys that are used to protect virtual machines and data. A hardware security module (HSM) or a software-based key manager can be the key provider. Encryption keys are made, stored, and changed by the key provider.
vSphere Trust Authority is a strong security tool that can help protect your virtual environment from unauthorized access and changes. But it’s important to remember that vSphere Trust Authority is not a magic bullet. To keep your virtual world safe, you must use other security measures, such as strong passwords and network protection.
Some of the reasons to use vSphere Trust Authority are:
- Increased security: By checking the identities of ESXi servers and vCenter Server systems, vSphere Trust Authority helps protect your virtual environment from unwanted access and changes
- Better compliance: PCI DSS and HIPAA compliance standards can be met with the help of vSphere Trust Authority
- Reduced operational overhead: By handling some security tasks, vSphere Trust Authority can help reduce the operational overhead of controlling your virtual environment
How does the vSphere Trust Authority work?
vSphere Trust Authority uses hardware and software security features to verify the identity of ESXi hosts and vCenter Server systems. The following are the main components of vSphere Trust Authority:
- Trusted Platform Module (TPM): The TPM is a chip that is installed on the ESXi host. The TPM chip stores cryptographic keys and measurements of the software that is running on the ESXi host
- Attestation Service: The Attestation Service is a software service that runs on the vCenter Server system. The Attestation Service is responsible for verifying the measurements that are sent from the TPM chip
- Key Provider: The Key Provider is a software service that manages the encryption keys that are used to protect virtual machines and data. The Key Provider can be a hardware security module (HSM) or a software-based key manager
Here, in a complete vSphere Trust Authority Workflow, we can understand how the workflow works.
Image Source: VMware
The process of vSphere Trust Authority Services may seem complex. It plays a role in ensuring the security of your virtual environment. By verifying the identity of ESXi hosts and vCenter Server systems, vSphere Trust Authority offers protection against access and tampering of your data.
Here are some important points to remember about the workflow associated with vSphere Trust Authority Services;
You have the flexibility to customize the workflow according to your environment requirements.
- For instance, you can store encryption keys in a hardware security module (HSM)
- To streamline the management of vSphere Trust Authority you can automate the workflow using vSphere automation tools. This helps reduce overhead
- VMware is consistently enhancing and adding features to improve the workflow on a regular basis
In the next image, in a more simple way, we can see how the vSphere Trust Authority Services workflow works.
Most information about how vSphere Trust Authority is set up and its state is sent through vCenter Server. Most of the setup and state information for vSphere Trust Authority is kept in the ConfigStore database on the ESXi hosts. Some information about the state is also kept in the vCenter Server database.
Key providers and key servers work together to manage encryption keys. Key providers are software applications that generate, store, and manage encryption keys. Key servers are centralized systems that store encryption keys and make them available to key providers.
Key providers typically work with key servers in the following way:
- The key provider generates a new encryption key
- The key provider sends the new encryption key to the key server
- The key server stores the new encryption key
- The key provider can then use the encryption key to encrypt data
Key providers can also use key servers to retrieve encryption keys already stored on the key server. This can be useful if the key provider needs to access an encryption key that is not currently stored on the key provider’s local system.
Key servers can be used to store a variety of encryption keys, including:
- Symmetric encryption keys: Symmetric encryption keys are used to encrypt data using the same key for both encryption and decryption
- Asymmetric encryption keys: Asymmetric encryption keys are used to encrypt data using one key and decrypt it using another key
- Digital signature keys: Digital signature keys are used to create digital signatures, which can be used to verify the authenticity of data
When a new trusted key source is added, the administrator of the Trust Authority must name the key server and a key identifier that already exists on that key server.
The image below shows how the Key Provider Service and key servers work together.
What are the pros and cons of vSphere Trust Authority?
Pros
- Improved Security: vTA makes the vSphere system much more secure by setting up a hardware base of trust and ensuring that ESXi hosts work in a verified state
- Simplified Key Management: With vTA, only the hosts of the Trust Authority need to connect to the Key Management Server (KMS). This makes it easier to manage and change encryption keys
- Separation of Duties: vTA allows for a clear distinction between vSphere administrators and security administrators, ensuring that regular administrators cannot tamper with security configurations
- Centralized Attestation: vTA makes it easier to handle and keep track of the trust state of various ESXi hosts by putting trust attestation in one place
- Improved Auditability: vTA’s detailed logs and audit trails make it easier for organizations to monitor security standards and laws, ensure they are being followed, and show that they are
- Integration with Hardware Security: vTA builds trust from the hardware layer by using security features like TPM 2.0 built into the hardware
Cons
- Hardware Requirements: Certain hardware features, like TPM 2.0, are needed to fully use vTA. Some organizations might have to change their tools because of this.
- Complexity: vTA makes the vSphere system more secure but adds another layer of complexity. Organizations need to spend time learning about, setting up, and running vTA
- Only works with vSphere versions 7.0 and later. Organizations with older versions of vSphere would have to upgrade to use vTA
- Possible Single Point of Failure: The vTA hosts could become a single point of failure if they are not set up with backups. Verifying new hosts or handling crypto keys could make it difficult if they go down
- Learning Curve: Teams that don’t know much about hardware-based security and trust attestation may have to go through a learning curve to get used to vTA
- Operational Overhead: vTA makes some parts of security easier and adds new routines and processes that teams need to handle
With the vTA pros and cons, we finish the first part of What is vSphere Trust Authority. In the second part, we will learn how to implement and use vSphere Trust Authority in your vSphere environment.
Read More:
VMware for Beginners – What is vSphere Key Provider : Part 16