Using Fortanix Data Security Manager with VMware Cloud Director Encryption Management


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with the VMware Cloud Director Encryption Management Service solution to empower tenant administrators with the authority to manage encryption keys for virtual machines (VMs) within their respective virtual data centers (VDCs).

Traditionally, only provider administrators possessed the capability to configure key providers through VMware vSphere. However, the updated approach allows each tenant to configure their own individual Key Management Server (KMS). Tenant administrators now have the authority to authenticate with and allocate encryption keys from their KMS to their respective VDCs, significantly enhancing control and security within VMware Cloud Director environments.

2.0 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 4.27.

  • VMware Cloud Director version 10.5.1.

  • VMware Cloud Director Encryption Management version 1.1.

3.0 Prerequisites

Before proceeding, ensure the following:

4.0 Architecture Diagram

Figure 1: Architecture diagram

The architecture diagram illustrates the integration of Fortanix DSM with VMware Cloud Director for managing encryption keys across multiple VDC tenants. Fortanix DSM functions as the central key management solution, securely interfacing with vCenter to allow the management of keys across multiple customer tenants.

At the top level, customers configure their VDC tenants to use Fortanix DSM as a key provider, entering their credentials to allow secure communication. This integration allows the creation of keys within Fortanix DSM to encrypt the customer’s VMs.

Beneath Cloud Director, a shared vCenter orchestrates resources across different customer environments, labelled as Alpha and Bravo Customer VDC Tenants. Each tenant can have multiple VMs that are encrypted.

This setup ensures that a customer can encrypt their VMs and have full ownership and control of the keys, within their isolated Fortanix DSM accounts. The provider has no access to the customer’s keys.

5.0 Infrastructure Setup

This section describes the steps required to set up the foundational infrastructure components, including the creation of the Provider VDC, Organizations, Organization VDC, the Encryption Management Catalog, and the configuration of Solution Add-Ons.

5.1 Creating the Provider VDC

Perform the following steps to create a Provider Virtual Data Center:

  1. Navigate to Resources (top navigation) → Cloud Resources → Provider VDCs → New.

  2. On the New Provider VDC form, do the following:

    1. In the General page, provide a valid name and description. Enable the State option using the toggle button. Click NEXT.

      Figure 2: General tab

    2. In the Provider page, select the required vCenter. Click NEXT.

      Figure 3: Provider tab

    3. In the Resource Pool page, select the cluster for the resource pool. Select the Highest supported hardware version from the drop-down menu. Click NEXT.

      Figure 4: Resource pool tab

    4. In the Storage page, select all the listed storage policies. Click NEXT.

      Figure 5: Storage tab

    5. In the Network Pool page, select the No network pool radio button. Click NEXT.

      Figure 6: Network pool tab

    6. In the Ready to Complete page, review all the parameters. Click FINISH.

      Figure 7: Summary tab

      Wait until the status shows as Normal.

      Figure 8: Status review

5.2 Creating the Organizations

If you already have an existing Organization and Organization VDC, you can skip to Section 7.0: Configure VMware Encryption Management.

Perform the following steps to create a new Organization:

  1. Navigate to Resources (top navigation) → Cloud Resources → Organizations → New.

  2. On the New Organization page, enter the name and full name of the organization. For example, AlphaCustomer.

    Figure 9: New organization form

  3. Click CREATE.

  4. Similarly, create another Organization. For example, Catalog.

    Figure 10: New organization tab

5.3 Creating the Organization VDC

Perform the following steps to create an Organization VDC:

  1. Navigate to Resources (top navigation) → Cloud Resources → Organization VDCs → New.

  2. On the New Organization VDC dialog box, do the following:

    1. In the General page, provide a name and description. Select the Enable the Organization VDC check box. Click NEXT.

      Figure 11: General tab

    2. In the Organization page, select the required organization. Click NEXT.

      Figure 12: Organization tab

    3. In the Provider VDC page, select the required Provider VDC radio button. Click NEXT.

      Figure 13: Provider VDC tab

    4. In the Allocation Model page, select the Allocation pool option. Click NEXT.

      Figure 14: Allocation model tab

    5. In the Allocation Pool page, set the resource values. For example, CPU allocation as 4, Memory allocation as 30, and so on. Click NEXT.

      Figure 15: Allocation pool tab

    6. In the Storage Policies page, select all the storage policies. Enable the toggle button for Thin provisioning option. Click NEXT.

      Figure 16: Storage policies tab

    7. In the Network Pool page, you can leave the Specify Network Pool toggle button disabled. Click NEXT.

      Figure 17: Network pool tab

    8. In the Ready to Complete page, review all the parameters. Click FINISH.

      Figure 18: Summary tab

      Wait until the status shows as Normal.

      Figure 19: Review status

  3. Similarly, create another Organization VDC. For example, Catalog.

    Figure 20: Summary tab

    Wait until the status shows as Normal.

    Figure 21: Review status

5.4 Creating the Catalog for Encryption Management

Perform the following steps to create a catalog under the content hub of an Organization VDC:

  1. Click the icon to open the new window for Tenant Portal.

    Figure 22: Organization VDC page

  2. Navigate to Content Hub → Catalogs → NEW.

  3. On the Create Catalog dialog box, do the following:

    1. Enter a name of the catalog. For example, Encryption Management.

    2. Enable the toggle button for Pre-provision on specific storage policy.

    3. Set the Any option for both Org VDC and Storage Policy fields.

    4. Click OK.

      Figure 23: Create catalog

      Wait until the status shows as Ready.

      Figure 24: Review status

  4. Navigate to Networking (top navigation) → New.

  5. On the New Organization VDC Network dialog box, do the following:

    1. In the Scope page, select the Organization Virtual Data Center radio button and select the required VDC. For example, Catalog. Click NEXT.

      Figure 25: Scope tab

    2. In the Network Type page, select the radio button for Direct option. Click NEXT.

      Figure 26: Network type tab

    3. In the General page, enter a valid name. For example, VM Network. Keep the Shared toggle button disabled. Click NEXT.

      Figure 27: General tab

    4. In the External Network Connection page, select the VM Network radio button. Click NEXT.

      Figure 28: External network connection tab

    5. In the Ready to Complete page, review all the parameters. Click FINISH.

      Figure 29: Summary review

5.5 Configuring the Solution Add-on Management

Perform the following steps to configure the Solution Add-On Management:

  1. Return to the Provider portal and navigate to More (top navigation) → Solution Add-on Management → CONFIGURE.

    Figure 30: Configure button

  2. Read the description of Solution Add-On Landing Zone and click NEXT.

    Figure 31: Read the description

  3. On the General Settings page, do the following:

    1. Organization: From the drop-down menu, select the organization in which the catalog is stored.

    2. Catalog: Select the name of the catalog from the drop-down menu. For example, Encryption Management.

    3. Organization VDCs: Select the required Organization VDC from the drop-down menu.

    4. Click NEXT.

    Figure 32: General setting tab

  4. Click the Overflow icon in the first column and select the Configure option.

    Figure 33: Configure option

  5. On the Configure Catalog dialog box, do the following:

    1. In the Network page, select the Add Network → VM Network options.

    2. In the Compute Policies page, select the Add Compute Policy → System Default options.

    3. In the Storage Policies page, select the Add Storage Policy → any (*) options.

    4. Click SAVE to keep the changes.

    5. Click NEXT to proceed further.

    6. In the Review and Create page, check the settings and then click FINISH.

      Figure 34: Review summary

    7. Download the VMware Encryption Management ISO file from here.

    8. Click UPLOAD.

      Figure 35: Upload button

    9. Click Browse Files and select the required file from your system. For example, VMware-Cloud-Director-Encryption-Management-110.iso.

    10. Select the Create add-on instance after upload is completed check box.

    11. Click UPLOAD.

      Figure 36: Upload add-on

    12. Review the summary and click FINISH.

      Figure 37: Review summary

    13. In the Accept Licenses page, select the I Agree to the license check box.

    14. On the Input Parameters page, do the following:

      1. Leave the Add-On Instance Name as the default.

      2. Select the Deployment Configuration from the drop-down menu. For example, Medium (4 vCPU, 8GB Memory).

      3. Select the Global Role as Organization Administrator.

        Figure 38: Input parameter

      4. Click NEXT and then click FINISH.

        Figure 39: Next screen

        Figure 40: Finish button

    NOTE

    Ensure that the Bring Your Own Encryption (BYOE) instance is in READY state before proceeding further.

  6. Log in to the vSphere Web Client and observe the creation of several VMs under the resource pool for the target VDC.

    Figure 41: List of VMs

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 42: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 43: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group. For example, AlphaCustomer.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 44: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key authentication method from the drop-down menu. For more information on the available authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

6.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 6.4: Creating an Application to go to the detailed view of the app. 

  2. From the top of the app’s page, click the copy icon next to the app UUID to copy it. This UUID is used in Section 6.6: Generating the Certificate as the Common Name (CN) value when generating the self-signed certificate and private key.

6.6 Generating the Certificate

Run the following command to generate a self-signed certificate and private key, replacing {App UUID} with the app UUID copied in Section 6.5: Copying the App UUID:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={App UUID}"
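The following script is an added example and is not part of the Fortanix guide. It wraps the openssl command above and, before the files are uploaded to DSM (Section 6.7) or pasted into the Tenant Portal (Section 7.3), checks that the certificate's CN is the expected app UUID, that cert.pem really belongs to key.pem, and that the certificate is not about to expire. The UUID it uses is a constructed placeholder; substitute the app UUID copied in Section 6.5.

```sh
#!/bin/sh
# Added example, not part of the Fortanix guide: wraps the guide's openssl
# command and checks the result before it is uploaded to DSM (Section 6.7)
# and pasted into the Tenant Portal (Section 7.3). The UUID below is a
# constructed placeholder; use the app UUID copied in Section 6.5.
set -eu

# Generate key.pem and cert.pem with the app UUID as the Common Name.
# This is the guide's command with the file names and CN parameterised.
gen_client_cert() {
    uuid="$1"; key="$2"; cert="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$cert" \
        -days 365 -subj "/CN=$uuid" 2>/dev/null
}

# Print the CN from the certificate subject (RFC 2253 form avoids the
# "CN = value" spacing differences between OpenSSL versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=//p'
}

# Succeed only if the value has the 8-4-4-4-12 hex shape of a DSM app UUID,
# so a stray name or a mistyped CN is caught before DSM rejects it.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Succeed only if cert.pem belongs to key.pem (identical public keys), which
# matters because the two files are entered in different places.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeed only if the certificate stays valid for at least 30 more days, so an
# expiring client certificate is noticed before the key provider stops working.
cert_valid_30d() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Full pre-upload check: CN equals the expected UUID, the pair matches,
# and the certificate is not expiring.
verify_client_cert() {
    uuid="$1"; key="$2"; cert="$3"
    cn="$(cert_cn "$cert")"
    [ "$cn" = "$uuid" ] && is_uuid "$cn" \
        && cert_matches_key "$cert" "$key" && cert_valid_30d "$cert"
}

# Usage with a constructed placeholder UUID; files land in a temp directory.
APP_UUID="12345678-abcd-4ef0-9876-0123456789ab"
WORK="$(mktemp -d)"
gen_client_cert "$APP_UUID" "$WORK/key.pem" "$WORK/cert.pem"
if verify_client_cert "$APP_UUID" "$WORK/key.pem" "$WORK/cert.pem"; then
    echo "cert.pem and key.pem in $WORK are ready for app $APP_UUID"
else
    echo "certificate check failed; do not upload" >&2
fi
```

The pair check is the one most worth keeping: cert.pem is uploaded to DSM in Section 6.7 while key.pem is pasted into the Tenant Portal in Section 7.3, and a mismatched pair only shows up later as a failed key provider registration.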

6.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 6.4: Creating an Application, click Change authentication method, and select the Certificate option.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file, or paste the content of the cert.pem certificate generated in Section 6.6: Generating the Certificate.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

NOTE

Repeat all the steps in Section 6.2: Creating an Account through Section 6.7: Updating the Authentication Method, in the same or a different Fortanix DSM account, to create the app that is used as the default Key Provider for vCenter.

7.0 Configure VMware Encryption Management

This section describes the steps required to provision VMware Encryption Management for a VMware Cloud Director (vCD) tenant using the Fortanix DSM.

7.1 Configuring vCenter Key Provider

Perform the following steps to configure the vCenter Key Provider:

  1. Connect directly to the vCenter using the vSphere Web Client.

  2. Configure a Standard Key Provider as described in the guide Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments, using the cert.pem and key.pem generated in Section 6.6: Generating the Certificate.

    Figure 45: Key provider tab

7.2 Configuring VMware Encryption Management in Provider Portal

Perform the following steps to configure the VMware Encryption Management within the Provider Portal:

  1. Navigate to More → Encryption Management → Get Started.

  2. On the Onboard Key Provider dialog box, do the following:

    1. Name: Enter the name of the key provider to create. For example, AlphaCustomer.

    2. Description: Enter a description for the key provider.

    3. Icon: Browse to select the image that you want to display as an icon.

    4. Address: Enter the valid Fortanix DSM endpoint. For example, eu.smartkey.io.

    5. Port: Enter the KMIP port as 5696.

    6. Click NEXT.

      Figure 46: Onboard key provider

    7. In the vCenter Information page, select the target vCenter resource.

    8. Provide the vCenter Credentials and click Register.

    9. When the KMS certificate is presented, review it and click Trust.

      Figure 47: Review summary

    10. Click Publish next to the name of the Key Provider.

    11. Select the target Tenant Organization and click PUBLISH.

      Figure 48: Publish button

7.3 Configuring Key Provider in Tenant Portal

Ensure that a new Fortanix DSM group and app are created with certificate-based authentication for the specific Organization. For more information, refer to Section 6.0: Configure Fortanix DSM.

Perform the following steps to configure the Key Provider in the Tenant Portal:

  1. Log in to the Cloud Director Tenant Portal for the specified Organization.

  2. Navigate to More → Encryption Management. This screen displays the Key Providers published by the provider.

    Figure 49: Configure button

  3. Click CONFIGURE.

  4. On the next screen, select the Client certificate radio button to change the authentication method.

  5. In the Certificate and Private Key boxes, paste the content of cert.pem and key.pem respectively.

  6. Click REGISTER.

  7. Click GENERATE KEY and select the Organization VDC from the available list. This key will be generated in the associated Fortanix DSM group.

    Figure 50: Encrypt organization VDC

  8. Click SUBMIT.

    Figure 51: Review summary

7.4 Encrypting the VM

Perform the following steps to encrypt a VM:

  1. Navigate to Applications (top navigation) → Virtual Machines.

  2. Click NEW VM and provision a new VM for encryption.

  3. Click the name of the newly created VM and then click EDIT.

  4. On the Edit VM page, do the following:

    1. Select the Storage Policy.

    2. Select VM Encryption Policy from the drop-down menu.

    3. Click Save.

  5. Navigate to the General tab for the VM and click Edit.

  6. Update the Storage Policy to VM Encryption Policy.

  7. Click Save to keep the changes.

The VM key encryption key (KEK) stored in Fortanix DSM is retrieved and used to encrypt the VM.

7.5 Verifying Encryption Status

Verify that the VM is encrypted with the tenant KMS in each of the following places:

  • VMware Cloud Director Tenant Portal

    Figure 52: VMware cloud director tenant portal

  • VMware vCenter vSphere Client

    Figure 53: VMware vCenter vSphere Client

  • Fortanix DSM Account

    Figure 54: Fortanix DSM UI

7.6 Auditing and Logging

Create another VM as per Section 7.4: Encrypting the VM and observe the Fortanix DSM Account audit log.

Figure 55: Fortanix DSM audit logs