How To Add a HyTrust KMS as a Key Provider in vSphere 7 on OCVS


Before starting, I want to clear up some terminology. If you are familiar with using encryption in vCenter 6.5 or 6.7, you may remember VMware used the term KMS Cluster when referring to a Key Management Server. But, for some reason, which I haven’t been able to track down, they now use the term Key Provider. I think it has something to do with the new VMware vSphere Trust Authority, but this is a guess. If someone at VMware can explain the reason, I’d love to know why.

Oracle Cloud VMware Solution

But let's talk about my favorite VMware solution, OCVS. We are going to deploy the solution on OCVS, which means running VMware the same way you would on-prem, or even under your desk: VMware with full control.

Oracle Cloud VMware Solution is a fully certified and supported solution that uses Oracle Cloud Infrastructure (OCI) to host a highly available and scalable VMware software-defined data center (SDDC). A standard VMware implementation, it works with existing operational practices.

Configure Key Provider

Log in to vCenter. Then perform the following steps.

Go to Hosts and Clusters and click on the name of your vCenter.

Click Configure –> Key Providers in the Security section.

On the Key Providers page, click Add Standard Key Provider.

Enter a name for the Key Provider. This is just a reference name. It doesn’t need to match any name you use in HyTrust KeyControl.

Enter a name for the KMS Server and the IP Address or FQDN of the first KeyControl node. I normally match the name of the KMS Server to the hostname of the node I’m adding. Click the Add KMS button and add the second KeyControl node.

The certificate details for each node, including the certificate fingerprint, will be displayed.

Before clicking Trust, compare that fingerprint with the one KeyControl itself reports for the node. Trusting here is what makes vCenter accept this certificate as the KMS identity from now on, so a fingerprint you have not checked out of band is a fingerprint you are taking on faith. When it matches, click the Trust button.

The newly added Key Provider will be displayed.

Click one of the KMS servers, then click Establish Trust. Select Make KMS trust vCenter.

Click KMS certificate and private key, then click Next.

This is the point in the process where the client certificate downloaded from KeyControl is needed.

Click the Upload a File button under KMS Certificate. Navigate to the location where you unzipped the contents of the client certificate zip file. You will see two .pem files. You can ignore the cacert.pem file; select the second .pem file and click OK. If the dialog also asks for a KMS private key, upload that same .pem file again: the KeyControl bundle carries the client certificate and its private key in that one file.

At this point, all of the yellow warning triangles from the earlier step should have changed to green circles with check marks.
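The two places in the procedure above where a mistake is easy and silent are clicking Trust on a certificate you have not verified, and picking the wrong .pem from the unzipped bundle. The script below is an added example (not code from the original post, HyTrust or VMware) that covers both: it connects to each KeyControl node, reads the certificate it actually serves on the KMIP port and prints its fingerprint so you can compare it with what the vCenter Trust dialog shows, and it picks out the .pem file that holds both a certificate and a private key. Assumptions: the nodes listen on the default KMIP port TCP 5696, the bundle directory contains cacert.pem plus one other .pem, and the hostnames and fingerprints in the `__main__` section are constructed placeholders; use the same hash algorithm (SHA-256 or SHA-1) that the dialog displays.

```python
"""Pre-flight checks before trusting KeyControl nodes as a vSphere Key Provider.

Added example, not code from the original post or from HyTrust/VMware.
Assumptions: the KeyControl nodes serve KMIP over TLS on TCP 5696 (the
default), and the client-certificate zip has been unzipped into a directory
holding cacert.pem plus one more .pem file.
"""
import hashlib
import os
import re
import socket
import ssl

KMIP_PORT = 5696  # assumption: KeyControl listens on the default KMIP port


def fetch_server_cert_der(host, port=KMIP_PORT, timeout=5):
    """Return the DER-encoded leaf certificate the node presents on its KMIP port.

    Verification is deliberately off: we do not yet know whom to trust, and the
    point is to read the certificate so its fingerprint can be compared out of
    band (KeyControl's own UI) with what vCenter displays before clicking Trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def format_fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest, the layout certificate UIs use."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Drop colons, spaces and case so fingerprints copied from any UI compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(shown, computed):
    return normalize_fingerprint(shown) == normalize_fingerprint(computed)


def check_nodes(nodes, shown, algo="sha256"):
    """nodes: hostnames/IPs of the KeyControl nodes.
    shown: {host: fingerprint copied from the vCenter Trust dialog}.
    Returns {host: (live_fingerprint, matches_vcenter)}."""
    result = {}
    for host in nodes:
        live = format_fingerprint(fetch_server_cert_der(host), algo)
        result[host] = (live, fingerprints_match(shown.get(host, ""), live))
    return result


PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)


def pem_block_types(text):
    """Block labels found in a PEM file, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return PEM_HEADER.findall(text)


def has_cert_and_key(text):
    types = pem_block_types(text)
    return "CERTIFICATE" in types and any(t.endswith("PRIVATE KEY") for t in types)


def pick_client_pem(pem_files):
    """pem_files: {filename: contents}. Return the single file, other than
    cacert.pem, that carries both a certificate and a private key; None if
    there is no unique candidate (then stop and inspect the bundle by hand)."""
    hits = [name for name, text in sorted(pem_files.items())
            if name.lower().endswith(".pem") and name.lower() != "cacert.pem"
            and has_cert_and_key(text)]
    return hits[0] if len(hits) == 1 else None


def pick_client_pem_from_dir(directory):
    files = {}
    for name in os.listdir(directory):
        if name.lower().endswith(".pem"):
            with open(os.path.join(directory, name), encoding="ascii", errors="replace") as f:
                files[name] = f.read()
    return pick_client_pem(files)


if __name__ == "__main__":
    # Constructed placeholders: substitute your node addresses and the
    # fingerprints vCenter showed in the Trust dialog.
    nodes = ["keycontrol-1.example.com", "keycontrol-2.example.com"]
    shown = {n: "" for n in nodes}
    try:
        for host, (fp, ok) in check_nodes(nodes, shown).items():
            print(host, fp, "MATCH" if ok else "MISMATCH - do not click Trust")
    except OSError as e:
        print("could not reach a node:", e)
    print("client cert file to upload:", pick_client_pem_from_dir("."))
```

A mismatch between the live fingerprint and the one in the dialog means vCenter is not talking to the node you think it is (or to a different certificate than KeyControl shows), and Trust should not be clicked until that is explained. `pick_client_pem` refuses to guess when the bundle does not contain exactly one certificate-plus-key file.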

How to Configure VM Disk Encryption

After the KMS is configured with vCenter, you can use a vSphere storage policy to encrypt a VM's disks.

Find a VM that is powered off, right-click it and choose VM Policies –> Edit VM Storage Policies.

As you can see, you can pick the VM Encryption Policy from your storage policies, either for a single disk or for all of them.

I have only one disk, so I chose to apply the policy to all my storage.

Now, after you power on the VM, you can see that its disk is encrypted. From here, decide which other workloads you want to encrypt.
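Once a few VMs have been encrypted this way, the question becomes which ones were not, and whether every encrypted disk is keyed by the Key Provider you configured rather than some leftover. The script below is an added example (not code from the original post) that audits that. It assumes pyVmomi is installed for the live connection and that, as vCenter reports it, an encrypted VM home carries `vm.config.keyId` and an encrypted virtual disk carries `keyId` on its backing, each holding a `providerId.id` equal to the Key Provider name; the report functions only read those attributes, so the block also runs offline on a constructed in-memory VM. The hostnames, VM names and provider name "HyTrust-KP" below are placeholders.

```python
"""Audit which VMs and virtual disks a vCenter reports as encrypted.

Added example, not code from the original post. Assumes pyVmomi
(pip install pyvmomi) for the live connection; the report logic reads only
vm.config.keyId and each virtual disk backing's keyId, the fields vCenter
populates once the VM Encryption storage policy has been applied, so it is
also exercised on a constructed in-memory VM below.
"""
from types import SimpleNamespace


def _provider_of(key_id):
    """Key provider name recorded in a CryptoKeyId, or None if unencrypted."""
    if key_id is None:
        return None
    provider = getattr(key_id, "providerId", None)
    return getattr(provider, "id", None)


def disk_report(vm):
    """Return {disk_label: provider_name_or_None} for every virtual disk.

    Virtual disks are recognised by their capacityInKB attribute, which other
    virtual devices do not carry, so no pyVmomi type import is needed here."""
    report = {}
    for dev in vm.config.hardware.device:
        if not hasattr(dev, "capacityInKB"):
            continue
        backing = getattr(dev, "backing", None)
        report[dev.deviceInfo.label] = _provider_of(getattr(backing, "keyId", None))
    return report


def vm_report(vm):
    """Summarise one VM: home (config file) encryption plus per-disk state."""
    disks = disk_report(vm)
    return {
        "name": vm.name,
        "home_provider": _provider_of(vm.config.keyId),
        "disks": disks,
        "fully_encrypted": vm.config.keyId is not None
        and all(p is not None for p in disks.values()),
    }


def find_unencrypted(vms, expected_provider=None):
    """Names of VMs with an unencrypted home or disk, or keyed by a provider
    other than expected_provider (the Key Provider name entered in vCenter)."""
    findings = []
    for vm in vms:
        r = vm_report(vm)
        providers = {r["home_provider"], *r["disks"].values()}
        if not r["fully_encrypted"]:
            findings.append(r["name"])
        elif expected_provider and providers != {expected_provider}:
            findings.append(r["name"])
    return findings


def audit_live(host, user, password, expected_provider=None):
    """Run the audit against a real vCenter. Assumption: pyVmomi is installed."""
    from pyVim.connect import SmartConnect, Disconnect  # imported here so the offline path needs nothing
    from pyVmomi import vim
    si = SmartConnect(host=host, user=user, pwd=password)
    try:
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.VirtualMachine], True)
        return find_unencrypted(list(view.view), expected_provider)
    finally:
        Disconnect(si)


def constructed_vm(name, home_provider, disk_providers):
    """In-memory stand-in with the attribute shape the audit reads.
    Constructed test data, not taken from any vCenter."""
    def key(p):
        return None if p is None else SimpleNamespace(
            keyId="constructed-key-id", providerId=SimpleNamespace(id=p))
    devices = [SimpleNamespace(deviceInfo=SimpleNamespace(label="CD/DVD drive 1"))]
    for i, p in enumerate(disk_providers, 1):
        devices.append(SimpleNamespace(
            deviceInfo=SimpleNamespace(label=f"Hard disk {i}"),
            capacityInKB=1024,
            backing=SimpleNamespace(keyId=key(p))))
    return SimpleNamespace(name=name, config=SimpleNamespace(
        keyId=key(home_provider), hardware=SimpleNamespace(device=devices)))


if __name__ == "__main__":
    sample = [
        constructed_vm("web01", "HyTrust-KP", ["HyTrust-KP"]),
        constructed_vm("db01", None, [None, None]),
        constructed_vm("app01", "Old-KP", ["Old-KP"]),
    ]
    for vm in sample:
        print(vm_report(vm))
    print("needs attention:", find_unencrypted(sample, "HyTrust-KP"))
```

The provider check matters as much as the encrypted/unencrypted split: a VM keyed by a Key Provider that is later removed from vCenter cannot be powered on, so the audit flags anything not keyed by the provider you expect.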

