VMware vSphere

This document describes how to use KMIP to integrate the KMES Series 3 with VMware vSphere. For additional questions about your device, see the relevant administrator's guide.

What is KMIP?

The Key Management Interoperability Protocol (KMIP) is an extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management. You can create keys on a server and then retrieve them, possibly wrapped by other keys. Both symmetric and asymmetric keys are supported, including the ability to sign certificates. KMIP also enables clients to ask a server to encrypt or decrypt data, without needing direct access to the key.

What is VMware vSphere?

From VMware's documentation website: VMware vSphere is VMware's virtualization platform, which transforms data centers into aggregated computing infrastructures that include CPU, storage, and networking resources. vSphere manages these infrastructures as a unified operating environment and provides you with the tools to administer the data centers that participate in that environment.

The two core components of vSphere are ESXi and vCenter Server. ESXi is the virtualization platform where you create and run virtual machines and virtual appliances. vCenter Server is the service through which you manage multiple hosts connected in a network and pool host resources.

For more general information about vSphere, see VMware's documentation site.

About VMware encryption

VMware vSphere encryption debuted in vSphere 6.5 and vSAN 6.6, enabling both virtual machine (VM) encryption and disk storage encryption. The required components are vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts.

Encryption process flow

The following list includes the steps of the encryption process flow, which is essentially identical for VMs and vSAN clusters:

  1. Register the KMES Series 3 as a Standard Key Provider in the vSphere Client.
  2. Set up a domain of trust (mutual authentication) between vCenter Server and the KMS by exchanging TLS certificates between the two.
  3. When you perform an encryption task, for example, creating an encrypted virtual machine, vCenter Server requests a new key from the default key server. This key is used as the key encryption key (KEK).
  4. vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster. The key itself is not stored on the vCenter Server system. Only the key ID is known.
  5. The ESXi host generates internal keys (DEKs) for the virtual machine and its disks. It keeps the internal keys in memory only and uses the KEKs to encrypt internal keys. Unencrypted internal keys are never stored on disk. Only encrypted data is stored. Because the KEKs come from the key server, the host continues to use the same KEKs.
  6. The ESXi host encrypts the virtual machine with the encrypted internal key. Any hosts that have the KEK and that can access the encrypted key file can perform operations on the encrypted virtual machine or disk.
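The key hierarchy the steps above describe, modelled as an added example (not code from this guide, from VMware or from the KMS vendor): a stand-in KMS issues a KEK by ID, the host wraps an in-memory DEK under it, and only the key ID, the wrapped DEK and the ciphertext are persisted. The in-memory KMS, all function names and the use of AES-GCM as the wrap mode are this example's assumptions; the page does not state which wrap algorithm vSphere uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a hypothetical in-memory stand-in for the KMIP key server, keyed by key ID.
type KMS map[string][]byte
// CreateKEK issues a fresh 256-bit KEK under the given key ID (step 3); the ID is all vCenter keeps.
func (k KMS) CreateKEK(id string) []byte {
	kek := make([]byte, 32)
	rand.Read(kek)
	k[id] = kek
	return kek
}
// EncryptedVM is what reaches disk: key ID, DEK wrapped under the KEK, ciphertext; never a plaintext key.
type EncryptedVM struct{ KEKID string; WrappedDEK, Ciphertext []byte }

// seal/open use AES-256-GCM as nonce||ciphertext (this example's choice of wrap mode, an assumption).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("ciphertext too short") }
	return gcm(key).Open(nil, ct[:12], ct[12:], nil) // fails on wrong key or tampering
}

// HostEncrypt models the ESXi host (steps 5-6): the DEK exists only in memory and is persisted solely wrapped.
func HostEncrypt(kekID string, kek, vmData []byte) EncryptedVM {
	dek := make([]byte, 32)
	rand.Read(dek)
	return EncryptedVM{KEKID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, vmData)}
}

// HostDecrypt models any cluster host: fetch the KEK by ID, unwrap the DEK, then decrypt the VM.
func HostDecrypt(kms KMS, vm EncryptedVM) ([]byte, error) {
	kek, ok := kms[vm.KEKID] // a KMS that no longer holds this ID leaves the VM unrecoverable
	if !ok { return nil, errors.New("KMS has no key " + vm.KEKID) }
	dek, err := open(kek, vm.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, vm.Ciphertext)
}
```

A host without access to the KMS, or one handed a different KEK under the same ID, fails at the unwrap step before any VM data is decrypted.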

Integration overview

This guide covers the following tasks:

  1. Configure TLS certificates for the KMIP port on the KMES Series 3.
  2. Register the KMES Series 3 as a standard key provider in vCenter.
  3. Configure TLS certificates for vCenter Server.
  4. Create an identity and role on the KMES Series 3.
  5. Configure VM and vSAN encryption in vSphere.

The following sections show you how to perform these tasks.