Deploying a new HyTrust KMS on vSphere 6.5
Many regular readers will be aware of the new encryption features added recently to VMware’s portfolio, such as vSAN data-at-rest encryption and vSphere VM encryption in vSphere 6.5. I had to return to a configuration task that I hadn’t done in a while, which was the deployment of a new Key Management Server (KMS) on my vSphere 6.5 / vSAN 6.6.1 setup. I had done this a few times before, but it has been a while and I’d forgotten what exactly I’d needed to do, so I decided to document the steps in this post for future reference. Those of you who have looked at encryption on vSphere 6.5, whether for the VM encryption feature or for vSAN encryption, will be aware that there are different steps to take depending on the KMS that you choose. In this example, I’m using a KMS from HyTrust. If you use a different product, the steps may vary slightly, especially the certificate/trust step.
After the initial OVA deployment of the HyTrust appliance, and doing the necessary password setup steps in the console, you are directed to the web-based HyTrust UI. Once you have pointed your browser at the correct URL, successfully logged in (I used “secroot”), and once again changed the “secroot” password, you are met with the following landing page.
The next setup step is to enable the KMIP Server (it is disabled by default). Click on the “Settings” icon in the admin banner at the top of the page, and it will take you to this “Basic” view below, where we can see that the state of the KMIP Server is currently disabled.
Click on the DISABLED hyperlink, then click on the check box to enable it. Next, click on Apply.
The state of the service should now change to ENABLED. Also note the port number (5696), as you will need this later when we add the KMS to vCenter.
The next step is to create a “user” that will be used to establish trust between vCenter and the KMS, as this is the mechanism that HyTrust uses to authenticate/gain trust. This is done in the Users tab (next to Basic under Settings). Do not add a password for the user, as this makes the setup easier. If you wish to use a password, refer to the HyTrust documentation for additional details. As per VMware KB 2147566, some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password.
Once the user has been created, again from the drop-down Actions menu, select the Download Certificate option. This downloads the certificate and private key (as a zip file) to your desktop. You will need this to establish authentication when adding the KMS to vCenter.
Once the certificate has been downloaded and extracted, there should be two .pem files. The vcenter.pem (or whatever your username is) is the one you need, not the cacert.pem.
If you open the <username>.pem file, you will be able to see the certificate and the private key. You will need those two pieces of information for the remaining steps of adding the KMS to vCenter.
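Copying the right block out of the combined <username>.pem by hand is error-prone, so here is a small helper (added here, not part of the original post or of HyTrust’s tooling) that splits the bundle into its certificate and private-key parts and rejects a file that is not the client bundle, such as cacert.pem. The sample PEM below is constructed placeholder text, not a real key or certificate.

```python
import re
import sys

# Constructed sample standing in for the downloaded <username>.pem; the body
# lines are placeholders, not real key material.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyLine1
MIIBsampleCertificateBodyLine2
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsampleKeyBodyLine1
MIIEsampleKeyBodyLine2
-----END RSA PRIVATE KEY-----
"""

# One PEM block: BEGIN/END labels must match (e.g. "RSA PRIVATE KEY").
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_kms_pem(text):
    """Return (certificate_pem, private_key_pem) from a combined PEM bundle.

    Raises ValueError unless the bundle holds exactly one certificate and one
    unencrypted private key: cacert.pem (CA certificate only) fails here, as does
    a key protected by a passphrase, which cannot be pasted into the wizard as-is.
    """
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group("label"), m.group(0).strip() + "\n"
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block:
            raise ValueError("private key is passphrase-protected")
        if label == "CERTIFICATE":
            certs.append(block)
        elif label in KEY_LABELS:
            keys.append(block)
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"need 1 certificate and 1 key, found {len(certs)}/{len(keys)}")
    return certs[0], keys[0]


def is_client_bundle(text):
    """True if the text is a usable certificate + private key bundle."""
    try:
        split_kms_pem(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    cert, key = split_kms_pem(data)
    print(cert, key, sep="")  # paste each part into its wizard field
```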
At this point, we log on to our vCenter Server. Navigate to vCenter > Configure > Key Management Servers and click on the icon (green +) to add a new KMS. Fill in the necessary fields, including Server address and Server port (5696 for HyTrust). Note that you do not add the username created previously on the HyTrust Admin Portal – leave this blank. If you add the username here, the trust seems to get established, but you won’t be able to retrieve any keys from the KMS server (which was an issue that I encountered).
You will be prompted to make this the default KMS. If you have only one KMS, answer Yes. If you have other KMS, and you do not want this new KMS to be the default, click No. At this point, the KMS has been added but it will not trust us. For trust to be established, we need to use the certificate and key information downloaded from the KMS user in a previous step.
Click on the link to “Establish trust with KMS…” This will pop up a wizard to select the appropriate type of certificate to establish trust. Different KMIP servers have different methods for this. HyTrust uses the certificate and private key, the last option in the list.
Now take the certificate and key from the <username>.pem file downloaded previously and paste it into the appropriate sections of the wizard, as shown below:
And now the KMS trusts vCenter:
At this point, we can go ahead and begin using storage policies that include VM encryption, or indeed we can go ahead and enable encryption for vSAN. Since we set this to be the default KMS, it is automatically populated in the KMS cluster field of the Edit vSAN settings wizard:
Happy encrypting!
Great post! I am using the HyTrust KMS servers for my HOL-1811-04-SDC vSphere Security lab that will be available in the Hands On Labs at VMworld this year. I have the users go through the same steps of adding the KMS to vCenter and then encrypt/decrypt VMs using UI as well as PowerCLI.
Tim