Test the integration by enabling data-at-rest encryption

These instructions are performed on a different AHV cluster from the one used in Install and configure Entrust KeyControl. This is the AHV cluster whose data at rest is to be encrypted; the KeyControl cluster configured earlier only serves as its KMIP key management server.

The steps to use an Entrust KeyControl cluster as the KMIP server for Nutanix data-at-rest encryption are:

Select KeyControl as the KMIP Server and generate the certificate requests

  1. Log into the Nutanix Prism Element web UI.

  2. Select the Settings pull-down menu in the toolbar, scroll down, and select Settings again. The Gear icon in the top right of the toolbar does the same operation.

  3. Select Data-at-rest Encryption under Security on the Settings left pane. Then select Edit Configuration or Continue Configuration.

    Nutanix Setup 1 Edit Configuration
  4. Select An external KMS.

    Nutanix Setup 2 External KMS
  5. Scroll down to Certificate Signing Request Information. Fill the request form, then select Save CSR Info.

    Nutanix Setup 3 Save CSR Info
  6. Select Download CSRs. When the Certificate Signing Request form appears, select Download CSRs for all nodes.

    Nutanix Setup 4 Download for all Nodes
  7. A compressed csrs.zip file is created. Save it locally and extract it. Notice that one certificate signing request was created for each node in the Nutanix AHV cluster. Each CSR carries that node's own public key, so each one must be signed separately and its certificate uploaded for that node only.

    Nutanix Setup 5 One CR per Node

Create the KMIP client certificate bundles

  1. Log into the Entrust KeyControl vault created in section [create-keycontrol-vault].

  2. Select the Security icon, and then the Client Certificates icon.

    create certificate bundles 1
  3. Select Create a Client Certificate Now.

    create certificate bundles 2
  4. Enter the Certificate Name in the text box. Choose a name that is unique to the Nutanix node the request came from, for example by including the last octet of the node's IP address in the name. The name becomes the username in the downloaded bundle, so a node-specific name is what lets you tell the bundles apart later.

  5. Select Load File and choose the certificate request from section Select KeyControl as the KMIP Server and generate the certificate requests that corresponds to this node. The request files extracted from csrs.zip do not carry a .csr extension, so you may need to allow All file types for them to appear in the file manager window. Then select Create.

    create certificate bundles 3
  6. Create certificates for the other nodes.

    create certificate bundles 4
  7. Select one of the certificates created above. Then select Download.

  8. Notice that the downloaded file is named <username_datetimestamp>.zip. Unzip it. It contains username.pem, which holds the client certificate for that node together with its private key, and cacert.pem, which holds the KeyControl CA certificate that the Nutanix cluster uses to authenticate the KMIP server. Because username.pem contains a private key, store and transfer it as you would any other secret.

    create certificate bundles 5
  9. Repeat the step above for the other certificates.

    The cacert.pem files in the bundles are identical for every node; the username.pem files are unique to each node.

Add the Entrust KeyControl KMIP cluster to the Nutanix AHV cluster

  1. Log into the Nutanix Prism Element web UI.

  2. Select the Settings icon to the right of the toolbar to bring up the Settings menu.

  3. Select Data-at-rest Encryption under Security on the Settings left pane.

  4. Select Continue Configuration. Then scroll down and select Add New Key Management Server.

  5. Enter a name for the Entrust KeyControl cluster, and the IP addresses of all the KeyControl nodes in that cluster (the KMIP servers, not the Nutanix nodes). The default KMIP port is 5696. Then select Save.

    nutanix certauth add kms 1
  6. Select Add New Certificate Authority further down. Name the CA, then select Upload CA Certificate, and choose one of the cacert.pem files created above. All cacert.pem files are identical. Then select Save.

    nutanix certauth add kms 2
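Before uploading the per-node bundles in the next section, it is worth confirming offline that each username.pem really certifies the key from one of the CSRs downloaded in Select KeyControl as the KMIP Server and generate the certificate requests, that its key and certificate belong together, and that it chains to the same cacert.pem just uploaded as the Certificate Authority. The script below is an added example, not part of this guide or of Entrust's or Nutanix's tooling. It assumes openssl is installed, that csrs.zip was extracted into the directory named by CSR_DIR, and that each <username_datetimestamp>.zip was extracted into its own subdirectory of BUNDLE_DIR; the kmip_handshake function additionally assumes network reachability to a KeyControl node on port 5696.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): sanity-check the KeyControl
# client-certificate bundles against the per-node Nutanix CSRs before they are
# uploaded in Prism, and optionally exercise the KMIP TLS endpoint.
# Assumptions: openssl is on PATH; csrs.zip was extracted into $CSR_DIR; each
# <username_datetimestamp>.zip was extracted into its own subdirectory of
# $BUNDLE_DIR, so every subdirectory holds a username.pem and a cacert.pem.
set -eu

# SHA-256 of the public key carried by a CSR ("req") or certificate ("x509").
# Prints nothing and fails when the file cannot be parsed, so two unreadable
# files never "match" each other.
pubkey_fp() {               # $1 = req | x509, $2 = PEM file
  local pem
  pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256
}

# True when the certificate in $2 was issued for the key that signed CSR $1.
# This is the check that tells you which node a given username.pem is for.
csr_matches_cert() {        # $1 = CSR file, $2 = username.pem
  local a b
  a=$(pubkey_fp req "$1") || return 1
  b=$(pubkey_fp x509 "$2") || return 1
  [ "$a" = "$b" ]
}

# True when the private key and certificate inside one username.pem belong
# together (a bundle assembled from the wrong pieces fails here).
key_matches_cert() {        # $1 = username.pem
  local key cert_fp key_fp
  cert_fp=$(pubkey_fp x509 "$1") || return 1
  key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  key_fp=$(printf '%s\n' "$key" | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# True when the client certificate chains to the CA in cacert.pem, i.e. the
# CA that was uploaded to Prism as the Certificate Authority.
cert_chains_to_ca() {       # $1 = username.pem, $2 = cacert.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Mutual-TLS handshake with one KeyControl node on the KMIP port. Not a full
# KMIP exchange, but it proves the port is reachable, the server certificate
# validates against cacert.pem and the node's client certificate is accepted.
kmip_handshake() {          # $1 = KeyControl node IP, $2 = username.pem, $3 = cacert.pem
  openssl s_client -connect "$1:5696" -cert "$2" -key "$2" -CAfile "$3" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Pair every CSR with the bundle issued for it and report bundles that are
# internally inconsistent or not signed by the expected CA. Returns 1 if any
# check fails, so it can gate the upload step in a script.
check_bundles() {           # $1 = directory of CSRs, $2 = directory of bundles
  local csr bundle matched rc=0
  for csr in "$1"/*; do
    matched=""
    for bundle in "$2"/*/username.pem; do
      if csr_matches_cert "$csr" "$bundle"; then matched="$bundle"; break; fi
    done
    if [ -z "$matched" ]; then
      echo "NO BUNDLE for CSR $csr"; rc=1; continue
    fi
    key_matches_cert "$matched" || { echo "KEY/CERT MISMATCH in $matched"; rc=1; }
    cert_chains_to_ca "$matched" "$(dirname "$matched")/cacert.pem" \
      || { echo "NOT SIGNED BY cacert.pem: $matched"; rc=1; }
    echo "$csr -> $matched"
  done
  return "$rc"
}

# Run the full check only when both directories are supplied, so the file can
# also be sourced for its functions.
if [ -n "${CSR_DIR:-}" ] && [ -n "${BUNDLE_DIR:-}" ]; then
  check_bundles "$CSR_DIR" "$BUNDLE_DIR"
fi
```

Run it as CSR_DIR=./csrs BUNDLE_DIR=./bundles ./check-bundles.sh; each line of the form csr -> bundle tells you which username.pem to upload for which node, and a non-zero exit means a bundle should not be uploaded. The public-key comparison is what matters here: Prism only accepts a certificate for the key in that node's CSR, so a bundle that chains correctly to cacert.pem but was created from another node's request is still the wrong file.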

Add the Entrust KeyControl KMIP cluster certificates to the Nutanix AHV cluster

  1. Log into the Nutanix Prism Element web UI.

  2. Select the Settings icon to the right of the toolbar to bring up the Settings menu.

  3. Select Data-at-rest Encryption under Security on the Settings left pane.

  4. Select Continue Configuration. Then scroll down to the Key Management Server section.

  5. Select the Manage Certificates hyperlink for the Entrust KeyControl cluster added above. This hyperlink is below Actions.

    nutanix certauth add cert 1
  6. Select Upload Files, choose the username.pem bundle created above for one of the nodes, then select Submit.

    nutanix certauth add cert 2
  7. Notice that the status of the node corresponding to the uploaded certificate shows Uploaded. Select Test CS; when the node can authenticate to the KeyControl cluster with that certificate, the status changes to Verified.

    nutanix certauth add cert 3
  8. Repeat the above for the other nodes.

    nutanix certauth add cert 4

Enable encryption

To enable encryption, once every node shows Verified in the Key Management Server section:

  1. Log into the Nutanix Prism Element web UI.

  2. Select the Settings icon to the right of the toolbar to bring up the Settings menu.

  3. Select Data-at-rest Encryption under Security on the Settings left pane.

  4. Select Enable Encryption.

  5. Enter the word ENCRYPT to confirm encryption in the pop-up window. Then select Encrypt.

    nutanix certauth encrypt 1

The display confirms that the cluster is now encrypted.