Procedures

Prerequisites

  • Entrust KeyControl has been deployed and configured.

  • VMware vSphere has been deployed and configured using vCenter.

  • You have administrator rights to manage the KMS configuration in vCenter.

Create the KMS cluster in vCenter

For more detail on how to do this, see Adding a KMS Cluster in vSphere in the Entrust online documentation.

  1. Launch the vSphere Web Client and log into the vCenter server that you want to add to Entrust KeyControl.

  2. Select the required vCenter Server in the Global Inventory Lists.

  3. Select the Configure tab.

  4. In the left-hand pane, select Security > Key Providers.

  5. Select Add Standard Key Provider.

  6. In the Add Standard Key Provider dialog, set the following configuration options:

    • For Name, enter the name of the cluster.

    • For each node in the KeyControl cluster, enter the KMS (node name), IP Address and Port. The default port is 5696.

      Make sure that the KMIP server resides on a device that is not encrypted using the KeyControl cluster. The KMIP server must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.
      To add an extra node line, select Add KMS.

      [Screenshot: vcenter addkms]

    • Open and set Proxy Configuration if you are using a proxy.

    • Password protection is optional.

  7. Select Add Key Provider.

  8. In the Make vCenter Trust Key Provider dialog, confirm the details for each node and then select Trust. For example:

    [Screenshot: vcenter trustkms]

    This adds the KMS cluster to vCenter, but the connection status will be shown as "KMS not connected" with certificate issues. For example:

    [Screenshot: vcenter kmsnotconnected]

Establish a trusted connection between the KMS cluster and the Entrust KeyControl server

To establish a trusted connection between the KMS cluster and the Entrust KeyControl server:

  1. Continuing from the previous section, select the KeyControl KMS cluster in the list, then scroll down to where the nodes are displayed.

  2. Select one of the nodes, then select Establish Trust > Make KMS trust vCenter. For example:

    [Screenshot: vcenter establishtrust]

  3. In the Choose method pane of the Make KMS Trust vCenter dialog, select KMS certificate and private key.

    [Screenshot: vcenter makekmstrust]

  4. Select Next.

  5. In the Upload KMS Credentials pane of the Make KMS Trust vCenter dialog, you need to upload the certname.pem file created during the certificate creation process described in the Entrust KeyControl nShield Integration guide. This file needs to be uploaded for the KMS certificate, and then uploaded again for the private key. To do this:

    • For KMS certificate, select Upload file. Then select the certname.pem file and select Open.

    • For Private key, select Upload file. Then select the certname.pem file again and select Open.

    • Select Establish Trust.

      [Screenshot: vcenter uploadcredentials]

  6. Wait until vCenter reports that the connection status for the KMS cluster has changed to Connected. For example:

    [Screenshot: vcenter connected]

Enable Encryption for virtual machines

Enable encryption using VMware Storage Policies.

  1. Launch the vSphere Web Client and log into the vCenter server.

  2. Locate a VM that you would like to encrypt.

  3. Make sure the Power state of the VM is Powered Off.

  4. Right-click the VM for which you would like to enable encryption, and select VM Policies > Edit VM Storage Policies.

  5. Select the storage policy VM Encryption Policy and select OK.

    This will trigger a reconfiguration of the VM.

    [Screenshot: vcenter reconfigurevm]

    After the reconfiguration is complete, the disks are encrypted and the keys are managed by the configured KMS (KeyControl).

Check encryption at the VM level

  1. Launch the vSphere Web Client and log into the vCenter server.

  2. Locate a VM, and select it.

  3. In VM View, select the Summary tab.

  4. Under VM Hardware > Encryption, the status should be:

    VM configuration files are encrypted.
    Hard disk is encrypted.
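As an added example that is not part of the Entrust guide, the following PowerCLI script performs the same VM Hardware > Encryption check across the whole inventory, reporting whether each VM's configuration files and hard disks are encrypted and flagging VMs that are only partly encrypted or whose keys come from a provider other than the KeyControl key provider. The vCenter name and the key provider name in the script are placeholders.

```powershell
# Added example, not from the Entrust guide: report the encryption state of every VM
# (the same check as VM Hardware > Encryption, done for the whole inventory) and flag
# VMs that are only partly encrypted or keyed by an unexpected key provider.
# Assumptions: VMware PowerCLI is installed; the vCenter name and the key provider
# name below are placeholders, not values from the guide.

Import-Module VMware.VimAutomation.Core

$vcServer    = 'vcenter.example.internal'   # placeholder
$keyProvider = 'KeyControl-KMS'             # placeholder: the Name entered for the key provider

function Get-VMEncryptionReport {
    param([string]$ExpectedProvider)

    foreach ($vm in Get-VM) {
        # Config.KeyId is populated only when the VM home (configuration files) is encrypted.
        $configKey = $vm.ExtensionData.Config.KeyId

        # Each virtual disk carries its own key in its backing; no KeyId means plaintext.
        $disks          = @(Get-HardDisk -VM $vm)
        $encryptedDisks = @($disks | Where-Object { $_.ExtensionData.Backing.KeyId })

        # Collect the key provider IDs seen on the VM home and on the disks.
        $providers = @()
        if ($configKey) { $providers += $configKey.ProviderId.Id }
        foreach ($d in $encryptedDisks) { $providers += $d.ExtensionData.Backing.KeyId.ProviderId.Id }
        $providers = @($providers | Sort-Object -Unique)

        $warning = ''
        if ($disks.Count -gt 0 -and $encryptedDisks.Count -ne $disks.Count) {
            $warning = 'partial'             # some disks encrypted, some not
        } elseif (@($providers | Where-Object { $_ -ne $ExpectedProvider }).Count -gt 0) {
            $warning = 'unexpected-provider' # key not issued by the KeyControl provider
        }

        [pscustomobject]@{
            VM              = $vm.Name
            PowerState      = $vm.PowerState
            ConfigEncrypted = [bool]$configKey
            DisksEncrypted  = "$($encryptedDisks.Count)/$($disks.Count)"
            KeyProviders    = ($providers -join ',')
            Warning         = $warning
        }
    }
}

Connect-VIServer -Server $vcServer | Out-Null
Get-VMEncryptionReport -ExpectedProvider $keyProvider | Format-Table -AutoSize
Disconnect-VIServer -Server $vcServer -Confirm:$false
```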

Check encryption by looking for the Keys in the Entrust KeyControl KMS

  1. Log into the KeyControl web user interface using the Tenant Login URL.

  2. Select the Objects tab to view a list of KMIP Objects. This will include the newly created keys. For example:

    [Screenshot: kc kmipkeys multi]

  3. Select one of the keys to display its details. For example:

    [Screenshot: kc keyattributes multi]

  4. In the main screen, select the Audit Logs tab to view the log records related to the key creation process. For example:

    [Screenshot: kc auditlog multi]

For more information on this topic, refer to Virtual Machine Encryption on the VMware documentation site.

Enable Data-At-Rest encryption on an existing vSAN cluster

To enable Data-At-Rest encryption on an existing vSAN cluster, refer to Using Encryption in a vSAN Cluster on the VMware documentation site.