How to connect vCenter with external KMS

NOTE: For example here I choose Vault Enterprise KMIP as a default Key Provider for VM encryption, vSAN encryption and Host Attestation

Prerequisites:

Create a KMIP client in vault (only a vCenter server is client)

  1. Login to Vault Enterprise
  2. Navigate to Secret → KMIP → vmware
  1. Select “Create Role”. Use vCenter server name as role name and setup as follows:
  1. Save new role

Generate credentials for new role/vCenter client

  1. Select generate credentials.
  2. Select PEM format.
  3. View and copy private key.
  1. Save the private key

NOTE: Private key will not be accessible from Vault once you close Credentials page. Ensure private key is copied and stored securely! Do not save private key into a file.

  1. Copy client’s public certificate (first cert in the list). This can be stored in a file. This certificate can be access from Vault at a later time.
  2. Copy Vault’s root CA (3rd cert in the list). This can be stored in a file. This certificate can be access from Vault at a later time.

Connect vCenter server with Vault Enterprise KMS:

  1. Login to vCenter server. Select vCenter server name and switch to configure tab. Navigate to Key Providers section in Security category.
  1. Select ADD → Standard Key Provider
  2. In KMS field put desired vault,
  3. In address put FQDN for Vault Enterprise instance. Port 5696 (default KMIP port).
  4. Click on Add Key Provider.
  5. Select newly added Key Provider and click on Establish Trust.
  6. First make vCenter Trust KMS by uploading KMS certificate (this is root vault CA extracted in prerequisites steps). Only use this option to trust KMS.
  1. Click on Establish Trust again and select to Make KMS trust vCenter.
  2. Select option to use KMS certificate and private key.
  3. Paste KMS public certificate extracted in prerequisites steps and KMS private key from prerequisites steps
  1. Select Establish Trust.
  2. Ensure that two way trust is established. All certificates shows valid status and that the general status is healthy.

Please like and share to spread the knowledge in the community.

Visit my FB page: https://www.facebook.com/AngrySysOps

Subscribe to my YouTube channel: https://www.youtube.com/channel/UCRTcKGl0neismSRpDMK_M4A

Please leave the comment