Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments

1.0 Introduction

This article provides step-by-step instructions for configuring Fortanix Data Security Manager (DSM) as a Key Management Server (KMS) in vSphere using the vSphere Web Client. Establishing trust and authenticating vSphere to Fortanix DSM can be achieved through certificates. This method ensures secure communication between vSphere and Fortanix DSM, enabling various encryption functionalities such as vSphere Virtual Machine (VM) encryption and Virtual Storage Area Network (VSAN) encryption.

2.0 Product Versions Tested

  • Fortanix DSM version 4.26.
  • VMware vSphere version 7.0.2 U2

3.0 Prerequisites

Before proceeding, ensure that you have established a Fortanix DSM account. For more information, refer to User's Guide: Getting Started with Fortanix DSM - UI.

4.0 Create a Fortanix DSM App for VMware

There are two ways to configure Fortanix DSM for VMware encryption.

  • Method 1: Installation through VMware wizard
  • Method 2: Manual installation

4.1 Method 1: Installation Through VMware Wizard

4.1.1 Create a VMware Instance

Perform the following steps to create an app using the VMware wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/ to access DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.
  2. Log in to the Fortanix DSM UI and click the Integrations menu item from the left panel.
  3. On the Integrations page, search the VMware wizard and click the ADD INSTANCE button.
  4. On the Add Instance page, enter the following details:
    • Instance Name: Enter the required name to identify the instance created.
    • Authentication method: Select one of the following options:
      • API key: Select this option to authenticate the application with the API Gateway.
      • Upload Certificate: Select this option to authenticate the application with the Client Certificate.
        • If you select this option, the UPLOAD CERTIFICATE field is enabled on the UI screen. Click the UPLOAD CERTIFICATE option to upload the certificate file from your system or paste the content of the certificate in the provided space.
          NOTE
          Since you do not have a certificate yet, you must select the API key option as the authentication method to capture the UUID of the app.
          Figure 1: Add instance
  5. Click the SAVE INSTANCE button. This action automatically creates an instance, a new group, and an app within Fortanix DSM.

4.1.2 Update the App Configuration

Perform the following steps to change the authentication method of the app created in the previous section to certificate authentication:

  1. Navigate to the Integrations menu item → VMware wizard → VMware instances table.
  2. Under the Credentials column in the table, click the VIEW API KEY DETAILS button.
  3. In the Credential Details dialog box, navigate to the USERNAME/PASSWORD tab and copy the Username (app UUID). This will be used in Section 6.0: Configure KMS in vCenter Using Client Certificate.
  4. Generate a client certificate as mentioned in Step 1 in Section 6.0: Configure KMS in vCenter Using Client Certificate.
  5. Navigate to the Apps menu item → Apps table. Click the app created in previous section.
  6. In the detailed view of the app, click the Change authentication method button and select the Certificate option from the drop down menu.
  7. Click the SAVE button.
  8. In the Add certificate dialog box, perform the following:
    1. Click the UPLOAD CERTIFICATE option to upload the certificate file from your system, or paste the content of the certificate created in Step 4 in the provided space.
    2. Update the Expiration Setting (optional).
    3. Read and select both check boxes to confirm your understanding.
  9. Click the UPDATE button to keep the changes.

4.1.3 VMware Wizard Instance Detailed View

Navigate to the Integrations menu item → VMware wizard → VMware instances table. In the instance detailed view page, the following information is represented:

  • Credentials: Indicates the method used for app authentication.
    • Click the CERTIFICATE button to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.
    • Click the VIEW API KEY DETAILS button to view the details of API key, such as username and password. This is applicable only if the app authentication method is API Key.
  • Manage Keys: Click the MANAGE button to oversee the keys created.
  • Instance status: To disable the created instance, toggle the Disabled option.
  • DELETE: To delete the instance, click the overflow menu (three dots) and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

Figure 2: Detailed Instance

4.2 Method 2: Manual Installation

4.2.1 Create an App

Perform the following steps to create an app in Fortanix DSM:

  1. Create an app with authentication method as API key.
  2. Capture the UUID of the app to be used to generate the client certificate. For more information, refer to the User's Guide: Getting Started with Fortanix DSM - UI.
  3. Click the SAVE button to create the app.
  4. The VMware app authenticates to Fortanix DSM using a certificate, so the App ID must be embedded in the certificate in one of the following ways:
    • Provided as the value of the custom OID 1.3.6.1.4.1.49690.1.2.1 in the certificate.
    • Provided as the value of the CN in the standard human-readable UUID encoding xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
      CN example: a36bb135-8a49-46f8-979b-bc5bbd3e7f7e
      Generate a certificate as described in Step 1 in Section 6.0: Configure KMS in vCenter Using Client Certificate.
      Figure 3: Create an App

4.2.2 Update the App Authentication Method

Perform the following steps to update the authentication type of the app created in the previous section:

  1. Navigate to the Apps menu item → Apps table. Click the app created in previous section.
  2. In the detailed view of the app, click the Change authentication method button and select the Certificate option from the drop down menu.
  3. Click the SAVE button.
  4. In the Add certificate dialog box, perform the following:
    • Click the UPLOAD CERTIFICATE option to upload the certificate file from your system, or paste the content of the certificate created in Step 4 in the provided space.
    • Update the Expiration Setting (optional).
    • Read and select both check boxes to confirm your understanding.
  5. Click the UPDATE button to keep the changes.

5.0 Configuring KMS in vCenter Using Certificate

5.1 Configure Fortanix DSM in vCenter

You can configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

  1. Log in to vCenter using vSphere Client UI.
  2. Navigate to the required project → Configure tab → Key Providers option.
    Figure 4: vSphere Client UI
  3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
    • Name: A name for the key provider, for example DSM.
    • Address: The IP address or URL of the Fortanix DSM cluster you are using. SaaS customers use the URL for their region, as shown in Figure 5.
    • Port: 5696
    • Username: leave blank
    • Password: leave blank
      Figure 5: Key Management Configuration Details
  4. Click the Add Key Provider button.
  5. Click Establish Trust → Make vCenter Trust KMS to establish trust between Fortanix DSM and vCenter, then click the TRUST button.
    Figure 6: Establish Trust

6.0 Configuring KMS in vCenter Using Client Certificate

6.1 Generate Client Certificate

Perform the following steps to generate the client certificate:

  1. Run the following command to generate a new private key and self-signed client certificate with CN=FORTANIX_APP_UUID:
    openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt
    Fill in the certificate parameters such as country, state, and organization when prompted, and make sure the common name (CN) is set to the Fortanix app UUID.
  2. Copy or upload the vCenter client certificate into the Upload certificate text box for the Fortanix DSM app and save the details.
  3. Log in to the vSphere Client and navigate to the Configure tab.
  4. Create a new Key Management Service:
    • make it DEFAULT
    • ensure the User name and Password fields are empty.
      Figure 7: Create Key Management Service
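The following script is an added example and is not Fortanix or VMware tooling. It wraps the openssl command from Step 1 so that the CN is set non-interactively to the app UUID required in Section 4.2.1, checks the resulting certificate's CN and remaining validity, and so also covers the expiry check that matters in the renewal section (Renew the VM Trust Certificates). The default APP_UUID is the example UUID quoted in this article, the other subject fields are placeholders, and the 30-day threshold in the usage block is an assumption; replace APP_UUID with the Username (app UUID) copied from the DSM UI.

```shell
#!/bin/sh
# Added example, not Fortanix's or VMware's own tooling: generate the vCenter client
# certificate with CN set to the DSM app UUID, then verify it before uploading.
# APP_UUID defaults to the example UUID quoted in the article; replace it with the
# Username (app UUID) copied from the DSM UI. Subject fields other than CN are placeholders.
set -eu

APP_UUID="${APP_UUID:-a36bb135-8a49-46f8-979b-bc5bbd3e7f7e}"

# is_uuid STRING: exit 0 if STRING has the 8-4-4-4-12 hex layout expected in the CN.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# gen_client_cert KEYFILE CRTFILE DAYS: the same openssl invocation as the article,
# made non-interactive with -subj so the CN cannot be mistyped at the prompt.
gen_client_cert() {
  is_uuid "$APP_UUID" || { echo "APP_UUID is not a UUID: $APP_UUID" >&2; return 1; }
  openssl req -newkey rsa:2048 -nodes -keyout "$1" -x509 -days "$3" \
    -subj "/C=US/ST=CA/O=Example Org/CN=${APP_UUID}" -out "$2" 2>/dev/null
  chmod 600 "$1"   # this private key is what vCenter presents to DSM; restrict it to the owner
}

# cert_cn CRTFILE: print the subject CN so it can be compared with the app UUID.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for_days CRTFILE DAYS: exit 0 if the certificate is still valid DAYS from now.
# Run this periodically to catch the expiry that makes vCenter report "Not Connected".
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: ./gen_client_cert.sh run  (generates sdkms.key/sdkms.crt in the current directory)
if [ "${1:-}" = "run" ]; then
  gen_client_cert sdkms.key sdkms.crt 365
  [ "$(cert_cn sdkms.crt)" = "$APP_UUID" ] && echo "CN matches app UUID"
  cert_valid_for_days sdkms.crt 30 && echo "certificate valid for at least 30 days"
fi
```

The CN check is worth keeping in any renewal runbook: a certificate whose CN does not exactly match the app UUID is accepted by the vCenter upload dialog but cannot authenticate to DSM, and the symptom is only visible later as a failed trust.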

6.2 Establishing Trust with Fortanix DSM

Perform the following steps to import the key+cert to vSphere.

  1. Navigate to the ESTABLISH TRUST tab and select the Make KMS trust vCenter option.
  2. In the Choose a method section, select KMS Certificate and Private Key and click the NEXT button.
    Figure 8: Initiate Importing Certificate and Private Key
  3. In the Establish Trust section, click the UPLOAD A FILE button to import the certificate and private key, then click the ESTABLISH TRUST option.
    Figure 9: Importing Certificate and Private Key

7.0 Set Up Encrypted VM

Perform the following steps to configure the encrypted VM:

  1. Create a VM and select the default VM Encryption Policy.
    Figure 10: Create a VM
  2. Click the FINISH button to finalize the VM creation process.
    Figure 11: VM Created
  3. Log in to Fortanix DSM and review the audit logs to monitor the connection; they capture all cryptographic operations performed by the application and any associated key creations.
    Figure 12: Audit logs showing crypto operations
    Figure 13: Security Object Created

7.1 Rotate or Re-encrypt the Keys

In the ever-changing landscape of cybersecurity, the regular rotation and re-encryption of keys are essential to upholding the integrity and security of sensitive data within VMware vSphere 7.0.

Rotating keys involves periodic updates to the cryptographic keys used for encryption, authentication, and other security processes. This proactive approach mitigates the risk of prolonged exposure to potential vulnerabilities. In VMware vSphere 7.0, the seamless rotation of keys ensures that cryptographic materials remain resilient against emerging threats.

Re-encrypting keys is a complementary process that enhances the overall security posture. By periodically updating encryption algorithms or re-encrypting data with stronger cryptographic standards, the defence against evolving cyber threats is fortified. This measure aligns with a commitment to staying ahead of the curve and maintaining the highest standards of data protection.

Implementing a robust key management strategy within VMware vSphere 7.0 demonstrates dedication to cybersecurity best practices. This approach not only safeguards digital assets but also instills confidence in stakeholders, assuring them that top-notch security protocols are adhered to in today's interconnected and dynamic business environment.

Perform the following steps to rotate or re-encrypt the keys in vSphere Client:

  1. Select the target VM for the key rotation procedure.
    Figure 14: Select Re-encrypt
  2. Click the Re-Encrypt option to generate a new key within the Fortanix KMS. The virtual machine then re-encrypts using a new key obtained from the current cluster's default key provider.
  3. After the re-encryption process is completed, a newly generated key is added to the KMS interface.
    Figure 15: Key Created

8.0 Renew the VM Trust Certificates

If your KMS certificate has expired, the connection status might change and VMware shows the error Not Connected.

Figure 16: Error Screen

Perform the following steps to renew the VM trust certificates:

  1. Log in to the vSphere Client and navigate to the Configure tab.
  2. Locate and click the ESTABLISH TRUST → Make KMS trust vCenter option from the drop-down menu.
  3. On the Make KMS Trust vCenter dialog box, perform the following:
    1. In the Choose a method tab, select the KMS certificate and private key radio button.
    2. Click the NEXT button.
    3. In the Upload KMS Credentials tab, upload the KMS certificate and KMS Private Key in the respective fields.
    4. Click the ESTABLISH TRUST button.
  4. Locate and click the ESTABLISH TRUST → Make vCenter Trust KMS option from the drop-down menu.
  5. On the Make vCenter Trust KMS dialog box, verify the details and click the TRUST button to initiate the renewal of the KMS certificate.
    Figure 17: Renew KMS Certificate
  6. After the KMS certificate is updated, click the Trust button in the prompted dialog box to confirm the updated KMS certificates.
    Figure 18: Trust Button
    Figure 19: Connection Status
  7. If the KMS application certificate has expired, run the following OpenSSL command to generate a new certificate and private key, using the UUID of the app created in Section 4.2.1: Create an App as the CN:
    openssl req -newkey rsa:2048 -nodes -keyout renewsdkms.key -x509 -days 365 -out renewsdkms.crt
  8. Upload renewsdkms.crt to the Fortanix DSM app associated with VMware.
  9. Upload the same renewsdkms.crt and renewsdkms.key in VMware.
    Figure 20: Upload the Certificates
  10. Click the ESTABLISH TRUST button.
    After the trust is established, the connection status is updated as shown in the following figure:
    Figure 21: Updated Connection Status
    For detailed information, refer to the Fortanix DSM VSAN KMIP demo.

9.0 Remove the Fortanix KMS

Perform the following steps to delete the Fortanix KMS from VMware:

  1. Select the VM from which the encryption needs to be removed.
  2. Navigate to the Summary tab and select the VM Policies → Edit VM Storage Policies option from the nested menu.
    Figure 22: VM Policies
  3. On the Edit VM Storage Policies page, select Datastore Default from the drop-down menu.
    Figure 23: Datastore Default
  4. Click the OK button to confirm the action.

The datastore is reconfigured and the VM is unencrypted.
Figure 24: Select Encryption

10.0 Migrate the Virtual Machine Disk File

This section describes how to migrate a Virtual Machine Disk (VMDK) file from one vCenter to another while keeping the KMS settings consistent, so that the VM is restored with its key retrieved from the Fortanix KMS.

Perform the following steps:

  1. Locate and copy the VMDK file from the datastore or storage associated with vCenter 1.
  2. Configure vCenter 2 with the same KMS Name, Endpoint, and Certificate as vCenter 1.
    Figure 25: Reconfigure the vCenter
  3. Paste the copied VMDK file into the datastore or storage of vCenter 2.
    Figure 26: Edit Key Provider
  4. After the VMDK file is restored in vCenter 2, the key is fetched automatically from the Fortanix KMS.
