---
title: "Fortanix DSM with VMware Cloud Director Encryption Management"
slug: "using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management"
updated: 2026-04-01T08:37:10Z
published: 2026-03-18T07:40:57Z
canonical: "support.fortanix.com/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management"
---


# Fortanix DSM with VMware Cloud Director Encryption Management

## 1.0 Introduction

This article describes how to integrate **Fortanix Data Security Manager (DSM)** with the **VMware Cloud Director Encryption Management Service** solution so that tenant administrators can manage the encryption keys for virtual machines (VMs) within their respective virtual data centers (VDCs).

Traditionally, only provider administrators possessed the capability to configure key providers through VMware vSphere. However, the updated approach allows each tenant to configure their own individual Key Management Server (KMS). Tenant administrators now have the authority to authenticate with and allocate encryption keys from their KMS to their respective VDCs, significantly enhancing control and security within VMware Cloud Director environments.

## 2.0 Product Versions Tested

The following product versions were tested:

- Fortanix DSM version 4.27.
- VMware Cloud Director version 10.5.1.
- VMware Cloud Director Encryption Management version 1.1.

## 3.0 Prerequisites

Before proceeding, ensure the following:

- Fortanix DSM version 4.27 or later.
- The target environment is at the following software versions or higher:
  - VMware Cloud Director version 10.5.1.
  - VMware Cloud Director Encryption Management version 1.1.

*Refer to VMware’s "Before you begin" section in* [*Installing and Configuring VMware Cloud Director Encryption Management as a Cloud Provider*](https://docs.vmware.com/en/VMware-Cloud-Director-Encryption-Management/1.2.0/Encryption-Management/GUID-3D4C1261-244B-42DF-98D4-5EB8A4037FE5.html#GUID-BCA1D341-CD5B-486D-8E34-C60C78EE1F0A__GUID-D53AEC03-5FE2-443C-A11E-788985846FF7)*.*

## 4.0 Architecture Diagram

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Architecture_Diagram.png)

**Figure 1: Architecture diagram**

The architecture diagram illustrates the integration of Fortanix DSM with VMware Cloud Director for managing encryption keys across multiple VDC tenants. Fortanix DSM functions as the central key management solution, securely interfacing with vCenter to allow the management of keys across multiple customer tenants.

At the top level, customers configure their VDC tenants to use Fortanix DSM as a key provider, entering their credentials to allow secure communication. This integration allows the creation of keys within Fortanix DSM to encrypt the customer’s VMs.

Beneath Cloud Director, a shared vCenter orchestrates resources across different customer environments, labelled as Alpha and Bravo Customer VDC Tenants. Each tenant can have multiple VMs that are encrypted.

This setup ensures that a customer can encrypt their VMs and have full ownership and control of the keys, within their isolated Fortanix DSM accounts. The provider has no access to the customer’s keys.

## 5.0 Infrastructure Setup

This section describes the steps required to set up the foundational infrastructure components, including the creation of the Provider VDC, Organizations, Organization VDC, the Encryption Management Catalog, and the configuration of Solution Add-Ons.

### 5.1 Creating the Provider VDC

Perform the following steps to create a Provider Virtual Data Center:

1. Navigate to **Resources** (top navigation) → **Cloud Resources** → **Provider VDCs** → **New**.
2. On the **New Provider VDC** form,
  1. In the **General** page, provide a valid name and description. Enable the **State** option using the toggle. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_General_Tab.png)

**Figure 2: General tab**
  2. In the **Provider** page, select the required vCenter. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Provider_Tab.png)

**Figure 3: Provider tab**
  3. In the **Resource Pool** page, select the cluster for the resource pool. Select the **Highest supported hardware version** from the drop down menu. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Resource_Tool_Tab.png)

**Figure 4: Resource pool tab**
  4. In the **Storage** page, select all the listed storage policies. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Storage_Tab.png)

**Figure 5: Storage tab**
  5. In the **Network Pool** page, select **No network pool**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Network_Pool_Tab.png)

**Figure 6: Network pool tab**
  6. In the **Ready to Complete** page, review all the parameters. Click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Summary_Tab.png)

**Figure 7: Summary tab**

Wait until the status shows as **Normal**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Status_Review.png)

**Figure 8: Status review**

### 5.2 Creating the Organizations

Perform the following steps to create a new Organization:

If you already have an existing Organization and Organization VDC, you can skip to [*Section 7.0: Configure VMware Encryption Management*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#70-configure-vmware-encryption-management).

1. Navigate to **Resources** (top navigation) → **Cloud Resources** → **Organizations** → **New**.
2. On the **New Organization** page, enter the name and full name of the organization. For example, **AlphaCustomer**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_New_Org_Form.png)

**Figure 9: New organization form**
3. Click **CREATE**.
4. Similarly, create another Organization. For example, **Catalog**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_New_Org_Tab.png)

**Figure 10: New organization tab**

### 5.3 Creating the Organization VDC

Perform the following steps to create an Organization VDC:

1. Navigate to **Resources** (top navigation) → **Cloud Resources** → **Organization VDCs** → **New**.
2. On the **New Organization VDC** dialog box,
  1. In the **General** page, provide a name and description. Select the **Enable the Organization VDC** check box. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_General_Tab1.png)

**Figure 11: General tab**
  2. In the **Organization** page, select the required organization. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Organization_Tab.png)

**Figure 12: Organization tab**
  3. In the **Provider VDC** page, select the required **Provider VDC**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Provider_VDC_Tab.png)

**Figure 13: Provider VDC tab**
  4. In the **Allocation Model** page, select the **Allocation pool** option. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Allocation_Model_Tab.png)

**Figure 14: Allocation model tab**
  5. In the **Allocation Pool** page, set the resource values. For example, **CPU allocation** as **4**, **Memory allocation** as **30**, and so on. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Allocation_Pool_Tab.png)

**Figure 15: Allocation pool tab**
  6. In the **Storage Policies** page, select all the storage policies. Enable the toggle for **Thin provisioning**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Storage_Policies_Tab.png)

**Figure 16: Storage policies tab**
  7. In the **Network Pool** page, the toggle for **Specify Network Pool** can be disabled. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Network_Pool_Tab_New.png)

**Figure 17: Network pool tab**
  8. In the **Ready to Complete** page, review all the parameters. Click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Summary_Tab2.png)

**Figure 18: Summary tab**

Wait until the status shows as **Normal**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Status_Tab2.png)

**Figure 19: Review status**
3. Similarly, create another Organization VDC. For example, **Catalog**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Summary_Tab3.png)

**Figure 20: Summary tab**

Wait until the status shows as **Normal**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Status_Tab3.png)

**Figure 21: Review status**

### 5.4 Creating the Catalog for Encryption Management

Perform the following steps to create a catalog under the content hub of an Organization VDC:

1. Click the ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Icon.png) icon to open the new window for Tenant Portal.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Organiation_VDC_Page1.png)

**Figure 22: Organization VDC page**
2. Navigate to **Content Hub** → **Catalogs** → **NEW**.
3. On the **Create Catalog** dialog box,
  1. Enter a name for the catalog. For example, **Encryption Management**.
  2. Enable the toggle for **Pre-provision on specific storage policy**.
  3. Set the **Any** option for both **Org VDC** and **Storage Policy** fields.
  4. Click **OK**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Create_Catalog.png)

**Figure 23: Create catalog**

Wait until the status shows as **Ready**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Status.png)

**Figure 24: Review status**
4. Navigate to **Networking** (top navigation) → **New**.
5. On the **New Organization VDC Network** dialog box,
  1. In the **Scope** page, select **Organization Virtual Data Center** and select the required VDC. For example, **Catalog**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Scope_Tab.png)

**Figure 25: Scope tab**
  2. In the **Network Type** page, select **Direct**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Network_Type_Tab.png)

**Figure 26: Network type tab**
  3. In the **General** page, enter a valid name. For example, **VM Network**. Keep the **Shared** toggle disabled. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_General_Tab2.png)

**Figure 27: General tab**
  4. In the **External Network Connection** page, select the **VM Network**. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_External_Network_Connection_Tab.png)

**Figure 28: External network connection tab**
  5. In the **Ready to Complete** page, review all the parameters. Click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Summary_Review1.png)

**Figure 29: Summary review**

### 5.5 Configuring the Solution Add-on Management

Perform the following steps to configure the Solution Add-On Management:

1. Return to the **Provider** portal and navigate to **More** (top navigation) → **Solution Add-on Management** → **CONFIGURE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Configure_Button.png)

**Figure 30: Configure**
2. Read the description of Solution Add-On Landing Zone and click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Read_the_Description.png)

**Figure 31: Read the description**
3. On the **General Settings** page,

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_General_Settings_Tab.png)

**Figure 32: General setting tab**
  1. **Organization**: Select the value from the drop down menu to store the Catalog.
  2. **Catalog**: Select the name of the catalog from the drop down menu. For example, **Encryption Management**.
  3. **Organization VDCs**: Select the required Organization VDC from the drop down menu.
  4. Click **NEXT**.
4. Click the Overflow icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Overflow_Icon.png) in the first column and select the **Configure** option.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Configure_Option.png)

**Figure 33: Configure option**
5. On the **Configure Catalog** dialog box,

> [!NOTE]
> Ensure that the Bring Your Own Encryption (BYOE) instance is in **READY** state before proceeding further.

  1. In the **Network** page, select the **Add Network** → **VM Network** options.
  2. In the **Compute Policies** page, select the **Add Compute Policy** → **System Default** options.
  3. In the **Storage Policies** page, select the **Add Storage Policy** → any (*) options.
  4. Click **SAVE** to keep the changes.
  5. Click **NEXT** to proceed further.
  6. In the **Review and Create** page, check the settings and then click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Summary2.png)

**Figure 34: Review summary**
  7. Download the VMware Encryption Management ISO file from [*here*](https://communities.vmware.com/t5/Sovereign-Cloud-Bring-Your-Own/ct-p/5408).
  8. Click **UPLOAD**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Upload_Button.png)

**Figure 35: Upload**
  9. Click **Browse Files** and select the required file from your system. For example, **VMware-Cloud-Director-Encryption-Management-110.iso**.
  10. Select the **Create add-on instance after upload is completed** check box.
  11. Click **UPLOAD**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Upload_Add_On.png)

**Figure 36: Upload add-on**
  12. Review the summary and click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Summary3.png)

**Figure 37: Review summary**
  13. In the **Accept Licenses** page, select the **I Agree to the license** check box.
  14. On the **Input Parameters** page,
    1. Leave the **Add-On Instance Name** as the **default**.
    2. Select the **Deployment Configuration** from the drop down menu. For example, **Medium (4 vCPU, 8GB Memory)**.
    3. Select the **Global Role** as **Organization Administrator**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Input_Parameter_Tab.png)

**Figure 38: Input parameter**
    4. Click **NEXT** and then click **FINISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Next_Screen.png)

**Figure 39: Next screen**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Finish_Button.png)

**Figure 40: Finish**
6. Log in to the vSphere Web Client and observe the creation of several VMs under the resource pool for the target VDC.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_List_of_VMs.png)

**Figure 41: List of VMs**

## 6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 42: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(35).png)

**Figure 43: Add groups**
2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group. For example, **AlphaCustomer**.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(33).png)

**Figure 44: Add application**
2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 6.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#63-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 6.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. Click the **Apps** menu item in the DSM left navigation panel and click the app created in [*Section 6.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#64-creating-an-application) to go to the detailed view of the app.
2. From the top of the app’s page, click the copy icon ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1747062862398.png) next to the app **UUID** to copy it. Use it in [*Section 6.6: Generating the Certificate*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#66-generating-a-certificate) as the value of Common Name (CN) to generate a self-signed certificate and a private key.

### 6.6 Generating the Certificate

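Run the following command to generate a self-signed certificate (`cert.pem`) and a private key (`key.pem`), replacing `{App UUID}` with the app UUID copied in Section 6.5: Copying the App UUID: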

```bash
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={App UUID}"
```
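
The command above, wrapped with checks worth running before the certificate is uploaded in Section 6.7, as an added example that is not Fortanix or VMware code: it rejects a CN that is not a UUID (such as a left-in `{App UUID}` placeholder), then confirms the CN, the key and certificate pairing, the remaining validity and the key file mode. The function names, the sample UUID and the 30-day expiry threshold are assumptions made for the example.

```bash
#!/bin/sh
# Added example (not Fortanix or VMware code). Function names are hypothetical.
# Bodies written as ( ... ) run in a subshell, so variables and umask stay local.

# is_uuid <string>: succeed only for the canonical 8-4-4-4-12 hex form.
is_uuid() {
  case $1 in *'
'*) return 1 ;; esac          # reject multi-line input before the per-line grep
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# gen_dsm_client_cert <app-uuid> <out-dir>: writes <out-dir>/cert.pem and key.pem.
gen_dsm_client_cert() (
  uuid=$1 dir=$2
  is_uuid "$uuid" || { echo "refusing: '$uuid' is not an app UUID" >&2; exit 2; }
  umask 077                     # new files and directory are owner-only
  mkdir -p "$dir" || exit 1
  # Same command as on the page, with the UUID substituted and explicit paths.
  # stderr carries key-generation progress output; the exit status is returned.
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -days 365 -subj "/CN=$uuid" 2>/dev/null
)

# cert_cn <cert.pem>: print the subject Common Name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *CN=\([^,]*\).*$/\1/p'
}

# key_matches_cert <cert.pem> <key.pem>: compare the two public keys.
key_matches_cert() (
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
)

# check_dsm_client_cert <app-uuid> <cert.pem> <key.pem>
check_dsm_client_cert() (
  uuid=$1 cert=$2 key=$3
  [ "$(cert_cn "$cert")" = "$uuid" ] ||
    { echo "certificate CN is not the app UUID" >&2; exit 1; }
  key_matches_cert "$cert" "$key" ||
    { echo "key.pem does not belong to cert.pem" >&2; exit 1; }
  # 30 days of remaining validity is this example's threshold, not a DSM rule.
  openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
    { echo "certificate expires within 30 days" >&2; exit 1; }
  case "$(ls -l "$key")" in
    -rw-------*|-r--------*) ;;
    *) echo "key.pem is accessible to group or others" >&2; exit 1 ;;
  esac
)

# Demo on a constructed UUID (not a real DSM app), in a throwaway directory.
demo_dir=$(mktemp -d)
demo_uuid="3f2b8c1e-9a47-4d6b-8e15-0c7a2d9b4f60"
gen_dsm_client_cert "$demo_uuid" "$demo_dir" &&
  check_dsm_client_cert "$demo_uuid" "$demo_dir/cert.pem" "$demo_dir/key.pem" &&
  echo "client certificate OK for app $demo_uuid"
rm -rf "$demo_dir"
```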

### 6.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in [*Section 6.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#64-creating-an-application), click **Change authentication method**, and select the **Certificate** option to change the authentication method to Certificate.
2. Click **SAVE**.
3. On the **Add certificate** dialog box, click **UPLOAD NEW CERTIFICATE** to upload the certificate file or paste the content of the `cert.pem` certificate generated in [*Section 6.6: Generating a Certificate*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#66-generating-a-certificate).
4. Select both check boxes to confirm your understanding of the action.
5. Click **UPDATE** to save the changes.

> [!NOTE]
> Within the same or a different Fortanix DSM account, repeat all the steps in [*Section 6.2: Creating an Account*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#62-creating-an-account) through [*Section 6.7: Updating the Authentication Method*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#67-updating-the-authentication-method) to create the app and certificate to be used as the default Key Provider for vCenter.

## 7.0 Configure VMware Encryption Management

This section describes the steps required to provision VMware Encryption Management for a VMware Cloud Director (vCD) tenant using the Fortanix DSM.

### 7.1 Configuring vCenter Key Provider

Perform the following steps to configure the vCenter Key Provider:

1. Connect directly to the vCenter using the vSphere Web Client.
2. Configure a Standard Key Provider as per [*Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments*](https://support.fortanix.com/docs/using-fortanix-data-security-manager-as-a-kms-to-secure-vmware-virtual-environments) using the `cert.pem` and `key.pem` obtained in [*Section 6.6: Generating a Certificate*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#66-generating-a-certificate).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Key_Provider_Tab.png)

**Figure 45: Key provider tab**

### 7.2 Configuring VMware Encryption Management in Provider Portal

Perform the following steps to configure the VMware Encryption Management within the Provider Portal:

1. Navigate to **More** → **Encryption Management** → **Get Started**.
2. On the **Onboard Key Provider** dialog box,
  1. **Name**: Enter the name of the key provider to create. For example, **AlphaCustomer**.
  2. **Description**: Enter a description for the key provider.
  3. **Icon**: Browse to any image that you want to display as an icon.
  4. **Address**: Enter the valid Fortanix DSM endpoint. For example, **eu.smartkey.io**.
  5. **Port**: Enter the KMIP port as **5696**.
  6. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Onboard_Key_Provider.png)

**Figure 46: Onboard key provider**
  7. In the **vCenter Information** page, select the target vCenter resource.
  8. Provide the vCenter Credentials and click **Register**.
  9. Review and Trust the KMS certificate when presented.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Summary4.png)

**Figure 47: Review summary**
  10. Click **Publish**, available adjacent to the name of the Key Provider.
  11. Select the target Tenant Organization and click **PUBLISH**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Publish_Button.png)

**Figure 48: Publish**

### 7.3 Configuring Key Provider in Tenant Portal

Ensure that a new Fortanix DSM group and app are created using certificate-based authentication for the specific Organization. *For more information, refer to* [*Section 6.0: Configure Fortanix DSM*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#60-configure-fortanix-dsm)*.*

Perform the following steps to configure the Key Provider in the Tenant Portal:

1. Log in to the Cloud Director Tenant Portal for the specified Organization.
2. Navigate to **More** → **Encryption Management**. This screen displays the Key Providers published by the provider.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Configure_Button1.png)

**Figure 49: Configure**
3. Click **CONFIGURE**.
4. On the next screen, select **Client certificate** to change the authentication method.
5. In the **Certificate** and **Private Key** boxes, paste the content of `cert.pem` and `key.pem` respectively.
6. Click **REGISTER**.
7. Click **GENERATE KEY** and select the Organization VDC from the available list. This key will be generated in the associated Fortanix DSM group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Encrypt_Organization_VDC.png)

**Figure 50: Encrypt organization VDC**
8. Click **SUBMIT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Review_Summary5.png)

**Figure 51: Review summary**

### 7.4 Encrypting the VM

Perform the following steps to encrypt a VM:

1. Navigate to **Applications** (top navigation) → **Virtual Machines**.
2. Click **NEW VM** and provision a new VM for encryption.
3. Click the name of the VM created and click **EDIT**.
4. On the **Edit VM** page,
  1. Select the Storage Policy.
  2. Select **VM Encryption Policy** from the drop down menu.
  3. Click **Save**.
5. Navigate to the **General** tab for the VM and click **Edit**.
6. Update the **Storage Policy** to **VM Encryption Policy**.
7. Click **Save** to keep the changes.

The VM key encryption key (KEK) is retrieved from Fortanix DSM and used to encrypt the VM.

### 7.5 Verifying Encryption Status

Verify that the VM is encrypted using the tenant KMS.

- **VMware Cloud Director Tenant Portal**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_VMware_Cloud_Director_Tenant_Portal.png)

**Figure 52: VMware Cloud Director tenant portal**
- **VMware vCenter vSphere Client**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_VMware_Vcenter_Vsphere_Client.png)

**Figure 53: VMware vCenter vSphere client**
- **Fortanix DSM Account**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/VMware-CloudDirector-1.png)

**Figure 54: Fortanix DSM UI**

### 7.6 Auditing and Logging

Create another VM as per [*Section 7.4: Encrypting the VM*](/v1/docs/using-fortanix-data-security-manager-with-vmware-cloud-director-encryption-management#74-encrypting-the-vm) and observe the Fortanix DSM Account audit log.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/VMware-CloudDirector-2.png)

**Figure 55: Fortanix DSM audit logs**

