---
title: "Fortanix DSM for VMware Cloud Director"
slug: "using-fortanix-data-security-manager-for-vmware-cloud-director"
updated: 2026-04-01T08:37:21Z
published: 2026-03-23T16:24:50Z
---


# Fortanix DSM for VMware Cloud Director

## 1.0 Introduction

This article describes how to use **Fortanix Data Security Manager (DSM)** for **VM encryption** through **VMware Cloud Director**.

It also contains the information that a user requires for:

- Facilitating the communication and authentication between Fortanix DSM and vCenter using the KMIP interface
- Setting up Fortanix DSM
- Exposing VM Encryption storage policy to tenants
- Enabling VM Encryption storage policy for VM encryption

## 2.0 KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used for communication between vCenter and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection, and Fortanix DSM also uses TLS to authenticate a KMIP client so that the client can create, retrieve, and use the keys stored inside Fortanix DSM.

### 2.1 Considerations

Keep the following points in mind when using Fortanix DSM for VM encryption:

- A VM needs to be powered off to apply the VM encryption storage policy.
- vCenter supports only one (1) external KMS at a time, and the IP address of the KMS cannot be altered once configured.

## 3.0 Prerequisites

Ensure the following:

- vCenter connected to Cloud Director 10.0 or later is installed and operational.
- Fortanix DSM version 3.20 or later.
- Fortanix DSM is installed and operational, and is accessible by the vCenter on port 5696 (the default) or a custom KMIP port.

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>, for example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(34).png)

**Figure 2: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(32).png)

**Figure 3: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 4.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-vmware-cloud-director#33-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 4.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 4.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-vmware-cloud-director#34-creating-an-application) to go to the detailed view of the app.
2. On the **INFO** tab, click **VIEW API KEY DETAILS**.
3. Click the **USERNAME/PASSWORD** tab.
4. From the **Credentials Details** dialog box, copy the **Username (app UUID)** and **Password** of the app to use in [*Section 5.1: Configure Fortanix DSM in vCenter*](/v1/docs/using-fortanix-data-security-manager-for-vmware-cloud-director#41-configure-fortanix-dsm-in-vcenter).

## 5.0 Configure vCenter Key Management Settings

You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

### 5.1 Configure Fortanix DSM in vCenter

1. Log in to vCenter using the vSphere Client UI.
2. Navigate to **Configure** → **Key Providers**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/vSphere Client UI.png)

**Figure 4: vSphere client UI**
3. On the Key Management **ADD STANDARD KEY PROVIDER** form:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (880).png)

**Figure 5: Key management configuration details**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Km Configuration Details.png)

**Figure 6: Key management configuration details**
  - **Name:** Name of KMS - **DSM**
  - **Address**: Fortanix DSM IP address. In this case, **app.<fortanix_dsm_url>**.
  - **Port**: **5696**
  - **Username**: Copy the value from Fortanix DSM app.
  - **Password**: Copy the value from Fortanix DSM app.
4. Click **Add Key Provider**.
5. Establish trust between Fortanix DSM and vCenter by clicking **Establish Trust** → **Make vCenter Trust KMS**. Click **TRUST**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (879).png)

**Figure 7: Establish trust**
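
A pre-flight check for the prerequisite that vCenter can reach Fortanix DSM on the KMIP port, and for the trust step above, written as an added example (not Fortanix or VMware code): it confirms TCP reachability, completes a TLS handshake, and returns the SHA-256 fingerprint of the certificate the endpoint presents so it can be verified out of band before it is trusted. The function names and the script name `probe_kmip.py` are illustrative, and the host is whatever address was entered in the key provider form.

```python
import hashlib
import socket
import ssl
import sys

KMIP_DEFAULT_PORT = 5696  # default KMIP port named in the prerequisites


def format_fingerprint(der_bytes):
    """SHA-256 of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_kmip_endpoint(host, port=KMIP_DEFAULT_PORT, timeout=5.0):
    """Report TCP reachability, negotiated TLS version and certificate fingerprint."""
    result = {"reachable": False, "tls": None, "sha256": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["reachable"] = True
    # Validation is off on purpose: the probe only reads the presented
    # certificate so an operator can compare it out of band. It sends no
    # KMIP request and no credentials.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = tls.version()
            result["sha256"] = format_fingerprint(tls.getpeercert(binary_form=True))
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    # Usage: python probe_kmip.py <dsm-host> [port]  (host supplied by the operator)
    if len(sys.argv) < 2:
        sys.exit("usage: probe_kmip.py <dsm-host> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else KMIP_DEFAULT_PORT
    for key, value in probe_kmip_endpoint(sys.argv[1], port).items():
        print(f"{key}: {value}")
```

Run it from a host on the same network path as vCenter; an `error` beginning with `tcp:` points to routing or firewall rules, while one beginning with `tls:` means the port is open but is not completing a TLS handshake.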

### 5.2 Expose VM Encryption Policy to Tenants

As a service provider, make sure you expose the VM encryption storage policy to the tenants.

1. Log in to the VMware Cloud Director provider portal.
2. Click **Organization VDCs** and enable VM encryption policy for the organization.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Enable VM Encryption.png)

**Figure 8: Enable VM encryption policy**

### 5.3 Tenants Apply VM Encryption Storage Policy to VM

The tenants can apply the VM encryption storage policy to the VM(s) they want to encrypt.

1. Tenants log in to the VMware Cloud Director tenant portal.
2. Click the VM that needs to be encrypted. Make sure that the VM is powered off.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Tenant Portal.png)

**Figure 9: Tenant portal**
3. Apply the VM Encryption storage policy to the VM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Apply VM Encryption Policy.png)

**Figure 10: Apply VM encryption policy**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/VM Encryption Policy.png)

**Figure 11: VM encryption policy**

### 5.4 Verification of Fortanix DSM

Service providers can log in to Fortanix DSM to see the connection logs and the key that was created.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/VMware-Encryption-1.png)

**Figure 12: Connection logs**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/VMware-Encryption-2(2).png)

**Figure 13: Encryption key created**


## Related

- [Fortanix DSM as a KMS to Secure VMware Virtual Environments](/using-fortanix-data-security-manager-as-a-kms-to-secure-vmware-virtual-environments.md)
- [Fortanix DSM for VMware Encryption on GCP](/using-fortanix-data-security-manager-for-vmware-encryption-on-gcp.md)
