From 76eadeba8a2afcafd9dc96b83e2d5bf3921b968e Mon Sep 17 00:00:00 2001 From: Jase McCarty Date: Fri, 7 Dec 2018 16:11:18 -0700 Subject: [PATCH 1/2] Initial vSAN Encryption Module vSAN Encryption Module --- Modules/VMware.VsanEncryption/README.md | 7 + .../VMware.VsanEncryption.psd1 | Bin 0 -> 5098 bytes .../VMware.VsanEncryption.psm1 | 340 ++++++++++++++++++ 3 files changed, 347 insertions(+) create mode 100644 Modules/VMware.VsanEncryption/README.md create mode 100644 Modules/VMware.VsanEncryption/VMware.VsanEncryption.psd1 create mode 100644 Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 diff --git a/Modules/VMware.VsanEncryption/README.md b/Modules/VMware.VsanEncryption/README.md new file mode 100644 index 0000000..8037171 --- /dev/null +++ b/Modules/VMware.VsanEncryption/README.md @@ -0,0 +1,7 @@ +Prerequisites/Steps to use this module: + +1. This module only works for vSphere products that support vSAN Encryption. E.g. vSAN 6.6 and later with a vSAN Enterprise license +2. All the functions in this module only work for KMIP Servers. +3. Install the latest version of Powershell and PowerCLI(11). +4. Import this module by running: Import-Module -Name "location of this module" +5. Get-Command -Module "This module Name" to list all available functions. \ No newline at end of file diff --git a/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psd1 b/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psd1 new file mode 100644 index 0000000000000000000000000000000000000000..47b0ca30d0fd967f4a1e9ee3b4b69b6b61d2b73d GIT binary patch literal 5098 zcmcgwSx-|@5T57$ikt8N7}*p7O-v;02_PwmzP7iEH+Hj&)foS}`h7D!oO60xX`4z& zxyv~-^UXfz{`tKk1zC|quB0s$8AwB_cxp;XT9Qc(Pd(}5O%3Z^T?zNC$~`ED*xkj> zO+59K@&wc=-u;jcs58*EWK|`Zv@`5(;n&6PKCTsTE@Sr_TtklBJ)MGFNwFg@WJ~t( zdm-C+Iv7bR$UFIod*g7ch%!Y)4MROlw=$5nRF@w)O>0;)+mxVV57a5%c=SU&_2o0@ z_&>vrycIV`NQ$6tV_$6Zx1d;6D;eHbKJ?tc?$>y?4X>6*ekJWrfcX%(DBb+`FPju3-fM`$ zSYv#e<&VIxi8x^nP-El%O|`DfBrE1{4Ngr^Cz6-?9B(fmCxtg+1Rcok!p3#z#|&g1 zTD*}L?eDX4ng@tuoR49cw6X>i>)`6LD9*(YX##6D@RtM#8S$(FjGwO1T9rtrV_joa zupD%8?Y%||)imN#XlLssNMUBt4;|39!Pz3v)r>gf!uVSO%`~ZI1#j^yaAl-7A-@Sa z;_pJ2$tXYSZpOk8dlI?PJ5t=jTg(*NhF+@cPHINmFpo05n+^RWzLT@rYvQ9Vw(M+} znM+pjmxcFy#L?q=3fuobJsz|Fe37&%*K#6vh>ugmh1H26EY_7T3&zYbsQchr#s56d z<)Tj^tBF7BPz~T`#1C+-Lq21k{e!t|^>0m%8^~pUW-Vf;=G?*w zCDqQ%d4u(3fH%ar23rw-RaoIZq2ui7-61enaKF1S+B}ZKsVMR};VT&{3@bdVKc@=z zXx?!aU_WNBqLyxwVkNWgO)BoGqaL-fpVidr600b!)Kbq_H(`Bcy`#O1KIBcVbzSlE zjmK!6vj}NnjSHs`YC$dE!Q$%=z4lOjR0WDMuw|hCx3<)yq!S1$=<*Ry#*@b#Pm^vs zB=$9Qy$-b4(YWz`vl-dt1pUUT&Uq+R-*Ce0Vh$i5c8_Iy$xWak`W~uJ8yzgnnMt0y zLl5o%6??SJ!m+mB;lsvAXHJe5ow2`$8jsX_-pF#&XGMFeam;g!%}Gy>I7Bcj>hXNZ zXCW&Y?aq3|DqyoZE3iAgaW(Gz;VS1ydXc9W`qAhu7K@-8KbLGpCy9Kd6tvSgB;)v9 z-pq4OwCri>obT(zsdf@S7g9^JPF21`BddRmO~x@NIA)eRhk5H1&=c8{LQd4`B;sP# z_*pcOvl}o!`)dEiWFG;U=Q4}jd-$7Gxuo^cRY&I6yn5$3%_5(3KBaT2U)<&~ms#Xq zs_&S)7R&5h>|J3j6Aw>mDP|>`IM@>=pTvCxxEdJ7s+Z;>)<>RSi;;v?aDEilFHfN* zW6I0O%V%ZI&r1TTBcIQIIW``m%(#h4G8!Ji&4YLfNwJ7wLd4jd6jc&MQs*lk=4S- zD##}Iy&s(q=^1_vv1-FBpQhvBInvoke-VsanEncryptionRekey -Cluster "ClusterName" -DeepRekey $true/$false -ReducedRedundancy $true/$false + + #> + + # Set our Parameters + [CmdletBinding()]Param( + [Parameter(Mandatory = $True)][String]$Cluster, + [Parameter(Mandatory = $False)][Boolean]$DeepRekey, + [Parameter(Mandatory = $False)][Boolean]$ReducedRedundancy + ) + + # Get the Cluster + $VsanCluster = Get-Cluster -Name $Cluster + + # Get the vSAN Cluster Configuration View + $VsanVcClusterConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system" + + # Get Encryption State + $EncryptedVsan = $VsanVcClusterConfig.VsanClusterGetConfig($VsanCluster.ExtensionData.MoRef).DataEncryptionConfig + + # If vSAN is enabled and it is Encrypted + If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + + # Get a count of hosts to guarantee reduced redundancy for 2 and 3 node clusters + $HostCount = $VsanCluster | Select @{n="count";e={($_ | Get-VMHost).Count}} + + # If reduced redundancy is specified, or there are less than 4 hosts, force reduced redundancy + If (($ReducedRedundancy -eq $true) -or ($HostCount.Value -lt 4)) { + + } + # Determine Rekey Type for messaging + Switch ($DeepRekey) { + $true { $ReKeyType = "deep"} + default { $ReKeyType = "shallow"} + } + + # Determine Reduced Redundancy for messaging + Switch ($ReducedRedundancy) { + $true { $RRMessage = "with reduced redundancy"} + default { $RRMessage = ""} + } + + # Echo task being performed + Write-Host "Executing $ReKeyType rekey of vSAN Cluster $VsanCluster $RRMessage" + + # Execute the rekeying task + $ReKeyTask = $VsanVcClusterConfig.VsanEncryptedClusterRekey_Task($VsanCluster.ExtensionData.MoRef,$DeepRekey,$ReducedRedundancy) + } +} + +Function Set-VsanEncryptionKms { + <# + .SYNOPSIS + This function will set the KMS to be used with vSAN Encryption + + .DESCRIPTION + This function will set the KMS to be used with vSAN Encryption + + .PARAMETER Cluster + Specifies the Cluster to set the KMS server for + + .PARAMETER KmsCluster + Use to set the KMS Cluster to be used with vSAN Encryption + + .EXAMPLE + C:\PS>Set-VsanEncryptionKms -Cluster "ClusterName" -KmsCluster "vCenter KMS Cluster Entry" + + #> + + # Set our Parameters + [CmdletBinding()]Param( + [Parameter(Mandatory = $True)][String]$Cluster, + [Parameter(Mandatory = $False)][String]$KmsCluster + ) + + # Get the Cluster + $VsanCluster = Get-Cluster -Name $Cluster + + # Get the list of KMS Servers that are included + $KmsClusterList = Get-KmsCluster + + # Was a KMS Cluster Specified? + # Specified: Is it in the list? + # Is it not in the list? + # Not Specified: Present a list + If ($KmsCluster) { + If ($KmsClusterList.Name.Contains($KmsCluster)) { + Write-Host "$KmsCluster In the list, proceeding" -ForegroundColor Green + $KmsClusterProfile = $KmsClusterList | Where-Object {$_.Name -eq $KmsCluster} + } else { + + $Count = 0 + Foreach ($KmsClusterItem in $KmsClusterList) { + Write-Host "$Count) $KmsClusterItem " + $Count = $Count + 1 + } + $KmsClusterEntry = Read-Host -Prompt "$KmsCluster is not valid, please select one of the existing KMS Clusters to use" + Write-Host $KmsClusterList[$KmsClusterEntry] + $KmsClusterProfile = $KmsClusterList[$KmsClusterEntry] + } + } else { + + $Count = 0 + Foreach ($KmsClusterItem in $KmsClusterList) { + Write-Host "$Count) $KmsClusterItem " + $Count = $Count + 1 + } + $KmsClusterEntry = Read-Host -Prompt "No KMS provided, please select one of the existing KMS Clusters to use" + Write-Host $KmsClusterList[$KmsClusterEntry] + $KmsClusterProfile = $KmsClusterList[$KmsClusterEntry] + } + + # Get the vSAN Cluster Configuration View + $VsanVcClusterConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system" + + # Get Encryption State + $EncryptedVsan = $VsanVcClusterConfig.VsanClusterGetConfig($VsanCluster.ExtensionData.MoRef).DataEncryptionConfig + + # If vSAN is enabled and it is Encrypted + If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + + If ($EncryptedVsan.KmsProviderId.Id -eq $KmsClusterProfile.Name) { + # If the Specified KMS Profile is the KMS Profile being used, then don't do anything + Write-Host $EncryptedVsan.KmsProviderId.Id "is already the assigned KMS Cluster Profile, exiting" + } else { + Write-Host "Changing the KMS Profile to $KmsClusterProfile on Cluster $VsanCluster" + + # Setup the KMS Provider Id Specification + $KmsProviderIdSpec = New-Object VMware.Vim.KeyProviderId + $KmsProviderIdSpec.Id = $KmsClusterProfile.Name + + # Setup the Data Encryption Configuration Specification + $DataEncryptionConfigSpec = New-Object VMware.Vsan.Views.VsanDataEncryptionConfig + $DataEncryptionConfigSpec.KmsProviderId = $KmsProviderIdSpec + $DataEncryptionConfigSpec.EncryptionEnabled = $true + + # Set the Reconfigure Specification to use the Data Encryption Configuration Spec + $vsanReconfigSpec = New-Object VMware.Vsan.Views.VimVsanReconfigSpec + $vsanReconfigSpec.DataEncryptionConfig = $DataEncryptionConfigSpec + + # Execute the task of changing the KMS Cluster Profile Being Used + $ChangeKmsTask = $VsanVcClusterConfig.VsanClusterReconfig($VsanCluster.ExtensionData.MoRef,$vsanReconfigSpec) + } + + } + } + + Function Get-VsanEncryptionKms { + <# + .SYNOPSIS + This function will set the KMS to be used with vSAN Encryption + + .DESCRIPTION + This function will set the KMS to be used with vSAN Encryption + + .PARAMETER Cluster + Specifies the Cluster to set the KMS server for + + .EXAMPLE + C:\PS>Get-VsanEncryptionKms -Cluster "ClusterName" + #> + + # Set our Parameters + [CmdletBinding()]Param([Parameter(Mandatory = $True)][String]$Cluster) + + # Get the Cluster + $VsanCluster = Get-Cluster -Name $Cluster + + # Get the vSAN Cluster Configuration View + $VsanVcClusterConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system" + + # Get Encryption State + $EncryptedVsan = $VsanVcClusterConfig.VsanClusterGetConfig($VsanCluster.ExtensionData.MoRef).DataEncryptionConfig + + # If vSAN is enabled and it is Encrypted + If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + + $EncryptedVsan.KmsProviderId.Id + } +} + +Function Set-VsanEncryptionDiskWiping { + <# + .SYNOPSIS + This function will update the Disk Wiping option in vSAN Encryption + + .DESCRIPTION + This function will update the Disk Wiping option in vSAN Encryption + + .PARAMETER Cluster + Specifies the Cluster set the Disk Wiping Setting on + + .PARAMETER DiskWiping + Use to set the Disk Wiping setting for vSAN Encryption + + .EXAMPLE + C:\PS>Set-VsanEncryptionDiskWiping -Cluster "ClusterName" -DiskWiping $true + + .EXAMPLE + C:\PS>Set-VsanEncryptionDiskWiping -Cluster "ClusterName" -DiskWiping $false + + #> + + # Set our Parameters + [CmdletBinding()]Param( + [Parameter(Mandatory = $True)][String]$Cluster, + [Parameter(Mandatory = $True)][Boolean]$DiskWiping + ) + + # Get the Cluster + $VsanCluster = Get-Cluster -Name $Cluster + + # Get the vSAN Cluster Configuration View + $VsanVcClusterConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system" + + # Get Encryption State + $EncryptedVsan = $VsanVcClusterConfig.VsanClusterGetConfig($VsanCluster.ExtensionData.MoRef).DataEncryptionConfig + + # If vSAN is enabled and it is Encrypted + If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + + # Determine Rekey Type for messaging + Switch ($DiskWiping) { + $true { $DiskWipingSetting = "enabled" } + default { $DiskWipingSetting = "disabled" } + } + + # Check to see the current Disk Wiping value + If ($DiskWiping -eq $EncryptedVsan.EraseDisksBeforeUse) { + Write-Host "Disk Wiping is already $DiskWipingSetting" -ForegroundColor "Green" + Write-Host "No action necessary" -ForegroundColor "Green" + + } else { + + Write-Host "Disk Wiping is not set to $DiskWipingSetting" -ForegroundColor "Yellow" + Write-Host "Changing Disk Wiping setting on Cluster $VsanCluster" -ForegroundColor "Blue" + + # Setup the Data Encryption Configuration Specification + $DataEncryptionConfigSpec = New-Object VMware.Vsan.Views.VsanDataEncryptionConfig + $DataEncryptionConfigSpec.EncryptionEnabled = $true + $DataEncryptionConfigSpec.EraseDisksBeforeUse = $DiskWiping + + # Set the Reconfigure Specification to use the Data Encryption Configuration Spec + $vsanReconfigSpec = New-Object VMware.Vsan.Views.VimVsanReconfigSpec + $vsanReconfigSpec.DataEncryptionConfig = $DataEncryptionConfigSpec + + # Execute the task of changing the KMS Cluster Profile Being Used + $VsanVcClusterConfig.VsanClusterReconfig($VsanCluster.ExtensionData.MoRef,$vsanReconfigSpec) + + } + } +} + +Function Get-VsanEncryptionDiskWiping { + <# + .SYNOPSIS + This function will retrieve the Disk Wiping option setting in vSAN Encryption + + .DESCRIPTION + This function will retrieve the Disk Wiping option setting in vSAN Encryption + + .PARAMETER Cluster + Specifies the Cluster set the Disk Wiping Setting on + + .EXAMPLE + C:\PS>Get-VsanEncryptionDiskWiping -Cluster "ClusterName" + + #> + + # Set our Parameters + [CmdletBinding()]Param([Parameter(Mandatory = $True)][String]$Cluster) + + # Get the Cluster + $VsanCluster = Get-Cluster -Name $Cluster + + # Get the vSAN Cluster Configuration View + $VsanVcClusterConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system" + + # Get Encryption State + $EncryptedVsan = $VsanVcClusterConfig.VsanClusterGetConfig($VsanCluster.ExtensionData.MoRef).DataEncryptionConfig + + # If vSAN is enabled and it is Encrypted + If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + + $EncryptedVsan.EraseDisksBeforeUse + } +} + + + +# Export Function for vSAN Rekeying +Export-ModuleMember -Function Invoke-VsanEncryptionRekey +Export-ModuleMember -Function Set-VsanEncryptionKms +Export-ModuleMember -Function Get-VsanEncryptionKms +Export-ModuleMember -Function Set-VsanEncryptionDiskWiping +Export-ModuleMember -Function Get-VsanEncryptionDiskWiping \ No newline at end of file From 82c7889cec7c140eae66d9f0f16cbf8776286680 Mon Sep 17 00:00:00 2001 From: Jase McCarty Date: Mon, 10 Dec 2018 13:36:22 -0700 Subject: [PATCH 2/2] Initial Push This is an initial push to PowerCLI-Example-Tools --- Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 | 1 + 1 file changed, 1 insertion(+) diff --git a/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 b/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 index e45ab91..870bd44 100644 --- a/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 +++ b/Modules/VMware.VsanEncryption/VMware.VsanEncryption.psm1 @@ -326,6 +326,7 @@ Function Get-VsanEncryptionDiskWiping { # If vSAN is enabled and it is Encrypted If($VsanCluster.vSanEnabled -And $EncryptedVsan.EncryptionEnabled){ + # Change the setting $EncryptedVsan.EraseDisksBeforeUse } }