Introduction

Entrust KeyControl has been rebranded as the Entrust Cryptographic Security Platform (CSP) Key Manager.

The Entrust CSP Key Manager continues to provide a comprehensive solution for discovering and managing the lifecycles of cryptographic keys, secrets, certificates, tokens, libraries, protocols, and configurations:

  • The KeyControl Compliance Manager is now the Entrust CSP Compliance Manager. It still integrates with Entrust nShield Hardware Security Modules (HSMs) to protect the master keys for the CSP.

  • KeyControl Vault is now the Entrust Cryptographic Security Platform Vault. The Cryptographic Security Platform Vaults also still integrate with Entrust nShield HSMs to provide an optional HSM root of trust.

Because the Entrust integrations are tested against specific product versions, this guide is still branded as a "KeyControl" integration. It was tested against a pre-CSP version of KeyControl.

Exercise caution when using an Entrust Integration Guide with a product version that does not match the tested version, because your version might not function in exactly the same way.

Entrust cannot guarantee the success of integrations in configurations other than those indicated in the guide. This guide remains on the website for customers using pre-CSP versions of KeyControl.

This guide describes the integration of VMware Trust Authority with the Entrust KeyControl Key Management Solution (KMS). Entrust KeyControl can serve as a KMS in vCenter using the open standard Key Management Interoperability Protocol (KMIP).

The process starts by configuring vSphere Trust Authority services to attest your ESXi hosts, which then become capable of performing trusted cryptographic operations.

Also refer to the following document in the VMware online documentation:

  • How vSphere Trust Authority protects your environment.

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in vCenter.

To install and configure the Entrust KeyControl server as a KMIP server, see the Entrust KeyControl nShield HSM Integration Guide. You can access it from the Entrust Document Library and from the nShield Product Documentation website.

Also refer to the following documents in the VMware online documentation:

  • Using Encryption in a vSAN Cluster.

  • Virtual Machine Encryption.

Requirements for vSphere Trust Authority

To use vSphere Trust Authority, your vSphere environment must meet these requirements:

  • ESXi Trusted Host hardware requirements:

    • TPM 2.0

    • Secure boot must be enabled

    • EFI firmware

  • Component requirements:

    • vCenter Server 7.0 or later

    • A dedicated vCenter Server system for the vSphere Trust Authority Cluster and ESXi hosts

    • A separate vCenter Server system for the Trusted Cluster and ESXi Trusted Hosts

    • Entrust KeyControl that has been deployed and configured. This will be the key server (called a Key Management Server, or KMS).

  • Virtual machine requirements:

    • EFI firmware

    • Secure Boot Enabled

For more information, see the VMware documentation on Prerequisites and Required Privileges for vSphere Trust Authority.
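The following PowerCLI script is an added pre-flight check for the host and virtual machine requirements listed above; it is not part of this guide or of VMware's or Entrust's own tooling. It assumes VMware PowerCLI is installed and that you are already connected to the vCenter Server that manages the hosts (Connect-VIServer). The TpmSupported, TpmVersion and UefiSecureBoot fields of HostCapability and the Firmware and BootOptions.EfiSecureBootEnabled fields of the VM configuration are documented vSphere API properties; the cluster name, the function names and the HostBIOSInfo.FirmwareType field are assumptions made for this example.

```powershell
# Added example (not from the guide): report whether the ESXi hosts in a
# cluster and the VMs on them meet the vSphere Trust Authority prerequisites:
#   hosts: TPM 2.0, UEFI firmware, Secure Boot
#   VMs:   EFI firmware, Secure Boot enabled
# Assumes an existing PowerCLI session (Connect-VIServer) with read access.

function Test-TrustedHostPrerequisites {
    param([Parameter(Mandatory)][string]$ClusterName)   # cluster name is an assumption

    foreach ($vmHost in Get-Cluster -Name $ClusterName | Get-VMHost) {
        $view = $vmHost.ExtensionData
        $cap  = $view.Capability

        # HostCapability.TpmSupported / TpmVersion: documented vSphere API fields.
        $hasTpm20 = [bool]$cap.TpmSupported -and ($cap.TpmVersion -eq '2.0')

        # HostCapability.UefiSecureBoot reports the host's UEFI Secure Boot state.
        $secureBoot = [bool]$cap.UefiSecureBoot

        # HostBIOSInfo.FirmwareType ('BIOS' or 'UEFI') is assumed to be present
        # on 6.5+ hosts; if it is empty, Secure Boot being on still implies UEFI.
        $firmware = $view.Hardware.BiosInfo.FirmwareType
        if (-not $firmware -and $secureBoot) { $firmware = 'UEFI' }

        [pscustomobject]@{
            Host        = $vmHost.Name
            EsxiVersion = $vmHost.Version            # guide requires 7.0 or later
            Tpm20       = $hasTpm20
            SecureBoot  = $secureBoot
            Firmware    = $firmware
            Ready       = $hasTpm20 -and $secureBoot -and ($firmware -eq 'UEFI')
        }
    }
}

function Test-TrustedVMPrerequisites {
    param([Parameter(Mandatory)][string]$ClusterName)

    foreach ($vm in Get-Cluster -Name $ClusterName | Get-VM) {
        $cfg = $vm.ExtensionData.Config

        # VirtualMachineConfigInfo.Firmware is 'bios' or 'efi';
        # BootOptions.EfiSecureBootEnabled is the VM's Secure Boot switch.
        $efi        = ($cfg.Firmware -eq 'efi')
        $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled

        [pscustomobject]@{
            VM         = $vm.Name
            Firmware   = $cfg.Firmware
            SecureBoot = $secureBoot
            Ready      = $efi -and $secureBoot
        }
    }
}

# Usage (cluster name 'TrustedCluster' is a placeholder):
#   Test-TrustedHostPrerequisites -ClusterName 'TrustedCluster' | Format-Table -AutoSize
#   Test-TrustedVMPrerequisites   -ClusterName 'TrustedCluster' | Where-Object { -not $_.Ready }
```

The script only reads inventory data, so it can be run from the vSphere Trust Authority administrator's workstation before any Trusted Cluster configuration begins. Because the vCenter API summarises the host's firmware state, a host that reports Ready = $False should be confirmed at its BIOS/UEFI setup screen rather than retried from PowerCLI.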

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Product configuration

  Product          Version
  KeyControl       5.5
  vCenter Server   7.0.1 Build: 16858589
  ESXi             ESXi-7.0U3c-19193900-standard