Exploring VM Security: How to Identify Encrypted Virtual Disks in vSphere

I was recently looking at some virtual machines in a lab and trying to determine which had encrypted virtual disks vs. encrypted configuration folders only. This data is visible in the vSphere UI. From the VM list view we can select the ‘pick columns’ icon in the lower left near the export button (in vCenter Server 8 this is called Manage Columns) and select the checkbox for Encryption.

With this column selected, we can see that all 4 VMs are listed as encrypted.

However, if we dig a little deeper, we can see that one VM has the configuration files and the only hard disk encrypted, as shown below:

Another VM only has the first hard disk encrypted (note that Hard disk 2 does not show the word ‘Encrypted’ below the disk size).

And yet another VM only has encrypted configuration files and the hard disk is not encrypted at all.

This makes sense, as the virtual machine view does not list each virtual disk, only the VM configuration. We can encrypt only the configuration, but we can’t encrypt only a hard disk without also encrypting the configuration. This view shows that there is something going on with encryption, but for what I was looking for we’ll need to dig a bit deeper.

Since I wanted to check each VMDK of each VM, and that’s not something that is easily viewable in the UI without lots of clicking, I switched over to PowerCLI. I found a blog post from a couple of years back (https://blogs.vmware.com/vsphere/2016/12/powercli-for-vm-encryption.html) which mentioned a community PowerShell module (https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/VMware.VMEncryption) to report on encryption. Browsing through the code, I saw a ‘KeyId’ property that is present on VMs and hard disks where the configuration is encrypted. I created a quick script to loop through all the VMs looking for either of these properties. I could have used the published module, but for this simple exercise it was easy enough to pick and choose the fields I needed.

# Collect one row per virtual hard disk across every VM
$myResults = @()
foreach ($thisVM in Get-VM) {
  foreach ($thisVMDK in ($thisVM | Get-HardDisk) ) {
    $myResults += $thisVMDK | Select-Object @{N='VM';E={$thisVM.Name}},
                # VM 'Home' (configuration) is encrypted when the VM carries a KeyId
                @{N='ConfigEncrypted';E={ if($thisVM.ExtensionData.Config.KeyId.KeyId){'True'} }},
                # The VMDK itself is encrypted when its backing carries a KeyId
                @{N='VMDK Encrypted';E={ if($_.ExtensionData.Backing.KeyId.KeyId){'True'} }},
                @{N='Hard Disk';E={$_.Name}},
                # Device key 11000 is the virtual TPM device
                @{N='vTPM';E={ if($thisVM.ExtensionData.Config.Hardware.Device | Where-Object {$_.Key -eq 11000}){'True'} }}
  } # end foreach VMDK
} # end foreach VM

$myResults | Sort-Object VM | Format-Table -AutoSize

Our $myResults variable now contains a row for each virtual hard disk, showing the VM name, whether or not the ‘Home’ configuration is encrypted, whether the VMDK is encrypted, the hard disk name, and whether the system has a vTPM. By default, the output sorts all the VMs by name and lists all of the properties. However, if I needed a list of all the VMs that have one or more encrypted VMDKs, I could use the following Where-Object filter.

$myResults | Where-Object {$_.'VMDK Encrypted' -eq 'True'} | Select-Object VM -Unique

This results in a list of VM names, showing only two interesting VMs, whereas the screenshot from the UI above showed four VMs with encrypted configs.
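As an added example that is not part of the original post, the same KeyId checks can be folded into a function that classifies each VM as fully, partially or config-only encrypted, so that partially protected VMs stand out in one pass. The function name, the state labels, and the check on the device type name VirtualTPM (used alongside the post’s device key 11000) are my assumptions, not PowerCLI or module APIs.

```powershell
# Added example, not from the original post: classify each VM's encryption state.
# Assumes a connected PowerCLI session (Connect-VIServer) and the same
# KeyId properties the post's script reads.
function Get-VMEncryptionState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VM   # a VirtualMachine object from Get-VM
    )
    process {
        # VM 'Home' (config files) is encrypted when the config carries a KeyId
        $configEncrypted = [bool]$VM.ExtensionData.Config.KeyId.KeyId

        # A VMDK is encrypted when its backing carries a KeyId
        $disks        = @($VM | Get-HardDisk)
        $encrypted    = @($disks | Where-Object { $_.ExtensionData.Backing.KeyId.KeyId })
        $unencrypted  = @($disks | Where-Object { -not $_.ExtensionData.Backing.KeyId.KeyId })

        # vTPM: device key 11000 (as in the post) or device type VirtualTPM (assumption)
        $hasVtpm = [bool]($VM.ExtensionData.Config.Hardware.Device |
            Where-Object { $_.Key -eq 11000 -or $_.GetType().Name -eq 'VirtualTPM' })

        # Derive a single state per VM from the config and disk findings
        $state = if (-not $configEncrypted -and $encrypted.Count -eq 0) { 'None' }
                 elseif (-not $configEncrypted)                         { 'Unexpected' } # disk encrypted without config; should not occur
                 elseif ($encrypted.Count -eq 0)                         { 'ConfigOnly' }
                 elseif ($unencrypted.Count -gt 0)                       { 'Partial' }
                 else                                                    { 'Full' }

        [PSCustomObject]@{
            VM                 = $VM.Name
            State              = $state
            ConfigEncrypted    = $configEncrypted
            DiskCount          = $disks.Count
            EncryptedDiskCount = $encrypted.Count
            UnencryptedDisks   = ($unencrypted.Name -join ', ')
            vTPM               = $hasVtpm
        }
    }
}

# Report every VM, then narrow to those whose disks are not fully covered
Get-VM | Get-VMEncryptionState | Sort-Object VM | Format-Table -AutoSize
Get-VM | Get-VMEncryptionState |
    Where-Object { $_.State -in 'ConfigOnly', 'Partial', 'Unexpected' } |
    Format-Table VM, State, UnencryptedDisks -AutoSize
```

A ‘Partial’ or ‘ConfigOnly’ row is the case the UI’s Encryption column hides: the VM shows as encrypted while some or all of its data on disk is not.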

Hopefully this will be helpful if you are looking for encrypted VMs in an environment.
