Encrypting workloads helps organizations to ensure their data is protected, even if the data falls into the wrong hands. One of the challenges of workload encryption is to scale the management of tens of thousands of encryption keys, for workloads that may even be hosted on different platforms.
To enable vSphere VM encryption and manage large numbers of encryption keys, vSphere requires a Key Management Server (KMS) to be added to the environment. In this blog post I will explain and set up a HyTrust KeyControl 5.3 server, which acts as a KMS, and connect it to a VMware vSphere 6.7 and 7.X environment by setting up a trusted connection between vCenter Server and the Key Management Server (KMS).
Oracle Cloud VMware Solution
But let's talk about my favorite VMware solution, OCVS. We are going to deploy the solution on OCVS, which means deploying VMware just like on-prem, or even under your desk: VMware with full control.
Oracle Cloud VMware Solution is a fully certified and supported solution that uses Oracle Cloud Infrastructure (OCI) to host a highly available and scalable VMware software-defined data center (SDDC). A standard VMware implementation, it works with existing operational practices.
System Resource Recommendations
HyTrust recommends that the following system resources be available based on the size of your installation. If your system does not meet these requirements, the installation may fail or you may encounter performance issues.
KeyControl Network Requirements
All KeyControl IP addresses must use IPv4. KeyControl does not support IPv6 addresses.
For KeyControl to KeyControl and Policy Agent to KeyControl, the following ports need to be open:
- Internal protocol – TCP/443 (HTTPS) must be open between the KeyControl nodes in the cluster to support the rolling upgrade feature introduced in version 4.2.1. The KeyControl nodes must also be able to communicate on TCP/8443. If you have a firewall between one or more nodes, you need to make sure that these ports are open. In addition, KeyControl uses the IP address 169.254.119.1 for internal communication. This IP address must be reserved for KeyControl.
- KeyControl webGUI – Inbound TCP/443 to administrator systems from any KeyControl server in the cluster. TCP/80 (HTTP) also needs to be open. All requests made to this port are redirected to TCP/443 so that they use
- KeyControl support-level access – Inbound TCP/22 from administrator systems to any KeyControl server in the
- Policy Agent to KeyControl — Inbound TCP/443 from the Policy Agent to each of the KeyControl nodes in the
For KeyControl infrastructure services, the following ports need to be open:
- DNS — Outbound UDP/53
- SMTP — Outbound mail server, typically TCP/25
- SYSLOG — An outbound UDP port between 25 and 65535 if you want to use a remote syslog server. KeyControl does not currently support TCP for syslog.
- Backup and Restore via NFS — If you want to access the KeyControl-generated backup files via NFS, you need to open the following ports: Inbound TCP and UDP/111 (portmapper), 2046 (lockd), 2047 (rpc statd), 2048 (rpc mountd), and 2049 (default NFS port).
- NTP — Outbound NTP servers, typically UDP/123 or TCP/123
- Automatic Vitals Reporting — If you enable Automatic Vitals Reporting, KeyControl must be able to send the encrypted Vitals bundle outbound to https://vitals.hytrust.com via TCP/443.
To operate a KeyControl cluster in your data center or private cloud, all VMs that operate in a public cloud and all HyTrust DataControl Policy Agents in the system must be able to communicate with all KeyControl nodes in the cluster.
For example, the following diagram shows a cluster of two KeyControl nodes. The first has an IP address of 10.238.32.90. Port 6888 is externally facing in the firewall and is mapped back to this KeyControl node. The second node has an IP address of 10.238.32.91, and the externally facing port 6889 has been mapped back to this node.
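As an added pre-flight check for the port list above (example code, not HyTrust's own tooling): a small POSIX shell script that first rejects node addresses that break the IPv4 rule or collide with the reserved 169.254.119.1, then probes the TCP flows from the list toward each node from the vantage point you choose (another node, an administrator system, or a Policy Agent host). It assumes `nc` (netcat) is on PATH for the probe; the node addresses 10.238.32.90 and 10.238.32.91 from the text are used as placeholders.

```shell
#!/bin/sh
# Added example (not HyTrust code): pre-flight check for the KeyControl port list.
# Assumes `nc` (netcat) is on PATH for the TCP probe.

# KeyControl addresses must be IPv4, and 169.254.119.1 is reserved for
# KeyControl-internal use, so it must never be assigned to a node.
kc_valid_ip() {
  ip=$1
  case "$ip" in
    169.254.119.1) return 1 ;;              # reserved address
    *[!0-9.]*|*..*|.*|*.|'') return 1 ;;    # non-digits (incl. IPv6 literals), empty octets
  esac
  set -- $(printf '%s\n' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Returns 0 when host $1 accepts a TCP connection on port $2 (3-second timeout).
kc_tcp_open() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Probe the flows from the requirements list toward every node given as argument:
#   node  -> TCP/443 and TCP/8443 (KeyControl to KeyControl, rolling upgrade)
#   admin -> TCP/443, TCP/80 and TCP/22 (webGUI, HTTP redirect, support access)
#   agent -> TCP/443 (Policy Agent to KeyControl)
# Prints one line per flow and returns non-zero if anything failed.
kc_precheck() {
  mode=$1; shift
  case "$mode" in
    node)  ports="443 8443" ;;
    admin) ports="443 80 22" ;;
    agent) ports="443" ;;
    *) echo "usage: kc_precheck node|admin|agent IP..." >&2; return 2 ;;
  esac
  rc=0
  for dst in "$@"; do
    if ! kc_valid_ip "$dst"; then echo "INVALID-IP $dst"; rc=1; continue; fi
    for p in $ports; do
      if kc_tcp_open "$dst" "$p"; then echo "OK   $mode->$dst:$p"
      else echo "FAIL $mode->$dst:$p"; rc=1; fi
    done
  done
  return $rc
}

# Example run from an administrator system against the two-node cluster in the text
# (constructed placeholder addresses):
# kc_precheck admin 10.238.32.90 10.238.32.91
```

Run it once from each side of every firewall (node to node, admin to node, agent to node) before the cluster is built, so a blocked 8443 does not surface for the first time during a rolling upgrade.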
Download the HyTrust KeyControl OVA Package
From the HyTrust website download the OVA package (60-Day Trial) available here. A zip file with multiple files will be downloaded.
Note: make sure you know the IP address and any other required network connection information, such as the domain name and the DNS and gateway IP addresses, for the machine you are going to deploy as the KMS server.
Deployment of the HyTrust KeyControl OVA
Log in to the vCenter Server Appliance (VCSA). Once logged in, right-click and select Deploy OVF Template.
Click on Upload Files and navigate to the directory where you placed the HyTrust KeyControl OVA, select it, then click Open.
The OVA zip contains 4 files; choose the OVA file.
Now that you have the HyTrust KeyControl OVA selected, click on Next.
Provide a name for the HyTrust KeyControl appliance, select a deployment location, then click Next.
Select the vSphere Cluster or host, then click Next.
Review the details, then click Next.
Accept the license agreement, then click Next.
Select the proper configuration from the list, then click Next.
Select the appropriate storage and disk format for the appliance, then click Next.
Select the appropriate network, then click Next.
Provide the required information, then click Next.
Review the summary screen. If everything is correct, click Finish.
You have successfully deployed the first HyTrust KeyControl node.
After powering on the KeyControl VM, open a remote console.
Set the password for the system administrator account, htadmin, on the appliance. Using the Tab key, move to OK and press Enter on your keyboard.
NOTE: This password controls access to the HyTrust KeyControl System Console, allowing users to perform some privileged KeyControl administration tasks.
After pressing OK, the networking and other subsystems are configured. This can take several minutes. So, be patient.
This will be our first KeyControl Node. We will select “Install Initial KeyControl Node”. System Setup will appear and start configuring the network settings, DNS, NTP, etc.
After setup has completed, a window will display the management IP address of the appliance. Please make a note of the management IP address because you will need it in the next step. Tab to OK and press Enter on your keyboard.
Launch a web browser and navigate to the management IP address or fully qualified domain name (FQDN) of the appliance. Use the following credentials to log in:
- User Name: secroot
- Password: secroot
Upon logging in, read and accept the EULA by clicking I Agree at the bottom of the agreement.
Since this is the first KeyControl node, click Continue as a Standalone Node.
Configure E-Mail and Mail Server Settings by entering the relevant information for your email address and email server.
If you do decide to skip this step, you can configure email notifications at a later time.
This is a crucial step. Please, please, please click the Download button. Read through the entire text in this dialog. I want to stress that if you do not download the Admin key and for whatever reason you need to do some sort of recovery of the appliance, you MUST have this key. Otherwise, as the text states, you may lose access to your encryption keys.
If you are running a trial of KeyControl Vitals, reporting cannot be disabled. Otherwise, you can disable Vitals after you apply a purchased license. Vitals is a good thing. Trust me. Click Continue.
After clicking the Continue button, the main WebGUI is displayed. You have successfully finished configuring the first node of the cluster.
The console includes lots of options. We will focus only on the steps needed to complete the KMS setup, but remember that HyTrust provides many more options within its solution.
You may have noticed by now that two alerts have been triggered in the KeyControl WebGUI after logging in with “secroot” for the first time. KeyControl is warning you that an Admin Key has been generated for “secroot”. It is recommended that you back up the Admin Key. This key is required if you ever need to restore KeyControl from a backup.
Go to Settings and click Download Key.
Before we can begin, we need to enable and configure KMIP on the KeyControl. Key Management Interoperability Protocol (KMIP) is a protocol designed to allow interoperability between encryption and key management systems. Starting in vSphere 6.5, VMware announced vSphere Encryption, and HyTrust was one of the vendors that started supporting vSphere Encryption.
- Log into KeyControl WebGUI and select KMIP.
- Configure the following options:
- State = Enabled
- Protocol = Version 1.1
Log into the KeyControl webGUI and go to the KMIP tab. Inside the KMIP tab, select “Client Certificates” and use the actions drop-down menu to create a new certificate.
In the “Create a new Client Certificate” configure the following:
- Certificate Name = KMIPvSphere
- Set Certificate Expiration Date
- Upload the CSR that was downloaded from vCenter
- DO NOT CONFIGURE A PASSWORD
Press “Create” to finish
Select the new certificate we just created and use the actions drop-down menu to download it.
Note: A zip will be downloaded. Make sure to extract the zip in order to upload the certificate to vCenter later.
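As an added check for the certificate step above (example code, not HyTrust's or VMware's): before uploading the extracted certificate to vCenter, confirm that it was really issued for the CSR vCenter produced, that the expiration date you set leaves a sensible lifetime, and that the file carries no private key (in the CSR workflow the private key never left vCenter). It assumes openssl on PATH; the file names vcenter.csr and KMIPvSphere.pem are placeholders.

```shell
#!/bin/sh
# Added example (not HyTrust or VMware code): sanity-check the KMIP client certificate
# downloaded from KeyControl against the CSR exported from vCenter. Assumes openssl.

# SHA-256 of the public key carried by a CSR ($1=req) or certificate ($1=x509).
# Fails (no output) if the file cannot be parsed, so two bad files never "match".
pubkey_fp() {
  pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256 | sed 's/^.*= //'
}

# 0 only when the certificate holds the public key from vCenter's CSR, i.e. it will
# pair with the private key that vCenter generated and never exported.
kmip_cert_matches_csr() {
  csr_fp=$(pubkey_fp req "$1") || return 1
  cert_fp=$(pubkey_fp x509 "$2") || return 1
  [ "$csr_fp" = "$cert_fp" ]
}

# 0 when the certificate stays valid for at least $2 seconds (default 30 days); catches
# a "Certificate Expiration Date" that was set too close to today.
kmip_cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# The CSR workflow means KeyControl never had vCenter's private key, so a downloaded
# file that contains one is the wrong artifact and must not be uploaded.
kmip_file_has_no_private_key() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# $1 = CSR file from vCenter, $2 = certificate file extracted from the KeyControl zip.
kmip_verify_bundle() {
  kmip_cert_matches_csr "$1" "$2"   || { echo "REJECT: $2 was not issued for $1"; return 1; }
  kmip_cert_valid_for "$2"          || { echo "REJECT: $2 expires within 30 days"; return 1; }
  kmip_file_has_no_private_key "$2" || { echo "REJECT: $2 contains private key material"; return 1; }
  echo "OK: $2 matches $1 and can be uploaded to vCenter"
}

# Example (placeholder file names):
# kmip_verify_bundle vcenter.csr KMIPvSphere.pem
```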
In my next blog I will show you how simple it is to configure the KMS services with vCenter and vSAN.