Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments

1.0 Introduction

This article provides step-by-step instructions for configuring Fortanix-Data-Security-Manager (DSM) as a Key Management Server (KMS) in vSphere using the vSphere Web Client. Establishing trust and authenticating vSphere to Fortanix DSM can be achieved through certificates. This method ensures secure communication between vSphere and Fortanix DSM, enabling various encryption functionalities such as vSphere Virtual Machine (VM) encryption and Virtual Storage Area Network (VSAN) encryption.

2.0 Product Versions Tested

The following product versions were tested:

• Fortanix DSM version 4.32.

• VMware vSphere version 8.0 U3

3.0 Prerequisites

Before proceeding, ensure the following:

• Fortanix DSM version 4.32 or later.

• A Fortanix DSM account is created. For more information, refer to User's Guide: Getting Started with Fortanix DSM - UI.

• VMware vSphere version 7.0 U3 or later.

4.0 Create a Fortanix DSM Application for VMware

There are two ways to configure Fortanix DSM for VMware encryption.

• Method 1: Installation through VMware wizard

• Method 2: Manual installation

4.1 Method 1: Installation Through VMware Wizard

4.1.1 Create an VMware Instance

Perform the following steps to create an application (app) using the VMware wizard in Fortanix DSM SaaS:

1. Sign up at https://smartkey.io/ to access DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

2. Log in to the Fortanix DSM user interface (UI) and click the Integrations menu item from the left panel.

3. On the Integrations page, search the VMware wizard and click the ADD INSTANCE button.

4. On the Add Instance page, enter the following details:

   • Instance Name: Enter the required name to identify the instance created.

   • Authentication method: Select either of the following option:

     • API Key: Select this option to authenticate the application with the API Gateway.

     • Client Certificate: Select this option to authenticate the application with the Client Certificate.

       • If you select this option, the UPLOAD CERTIFICATE field is enabled on the UI screen. Click the UPLOAD CERTIFCATE option to upload the certificate file from your system or paste the content of the certificate in the provided space.

         NOTE

         Since you do not have a certificate, you must select the API key option as the authentication method to capture the UUID of the app.

         

5. Click the SAVE INSTANCE button. This action will automatically create an instance, a new group and app within the Fortanix DSM.

4.1.2 Update the App Configuration

Perform the following steps to update the authentication method of the app created in the previous section to certificate authentication method:

1. Navigate to the Integrations menu item → VMware wizard → VMware instances table.

2. Under the Credentials column in the table, click the VIEW API KEY DETAILS button.

3. In the View credential dialog box, navigate to the USERNAME/PASSWORD tab and copy the Username (app UUID). This will be used in Section 5.0: Configure KMS in vCenter Using Client Certificate.

4. Generate a client certificate as mentioned in Step 1 in Section 4.2.6: Generating the Certificate.

5. Navigate to the Apps menu item → Apps table. Click the app created in previous section.

6. In the detailed view of the app, click the Change authentication method button and select the Certificate option from the drop down menu.

7. Click the SAVE button.

8. In the Add certificate dialog box, perform the following:

   1. Click the UPLOAD CERTIFCATE option to upload the certificate file from your system or paste the content of the certificate in the provided space as created in Step 4.

   2. Update the Expiration Setting (Optional).

   3. Read and select the both the check boxes to confirm your understanding.

9. Click the UPDATE button to keep the changes.

4.1.3 VMware Wizard Instance Detailed View

Navigate to the Integrations menu item → VMware wizard → VMware instances table. In the instance detailed view page, the following information is represented:

• Credentials: Indicates the method used for app authentication.

  • Click the CERTIFICATE button to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.

  • Click the COPY API KEY button to view the details of API key, such as username and password. This is applicable only if the app authentication method is API Key.

• Manage Keys: Click the MANAGE button to oversee the keys created.

• Instance status: To disable the created instance, toggle the Disabled option.

• DELETE: To delete the instance, click the overflow menu (three dots) and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

4.2 Method 2: Manual Installation

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.2.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

4.2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

   

2. On the Adding new group page, enter the following details:

   • Title: Enter a title for your group.

   • Description (optional): Enter a short description for the group.

3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

4.2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

   

2. On the Adding new app page, enter the following details:

   • App name: Enter the name of your application.

   • Interface (optional): Select the REST API option as interface type from the drop down menu.

   • ADD DESCRIPTION (optional): Enter a short description for the application.

   • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

   • Assigning the new app to groups: Select the group created in Section 4.2.3: Creating a Group from the list.

3. Click the SAVE button to add the new application.

The new application has been added to the Fortanix DSM successfully.

4.2.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 4.2.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click the VIEW API KEY DETAILS button.

3. Click the USERNAME/PASSWORD tab.

4. From the Credentials Details dialog box, copy the Username (app UUID) and Password to be used in Section 4.2.6: Generating the Certificate as the value of Common Name (CN) to generate a self-signed certificate or private key.

4.2.6 Generating the Certificate

Perform the following steps to generate a self-signed certificate or CA certificate such that the CN contains the app UUID:

1. Run the following command to generate a client certificate and create a new key+cert with CN=FORTANIX_APP_UUID:

   openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt

   Ensure to update certificate parameters like country, state, organization, so on, and ensure that the common name (CN) is set to the Fortanix app UUID.

   

4.2.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in Section 4.2.4: Creating an Application and click the Change the authentication method button and select the Certificate option to change the authentication method to Certificate.

2. Click the SAVE button.

3. On the Add certificate dialog box, click the UPLOAD NEW CERTIFICATE button to upload the certificate file or paste the content of the certificate generated in the previous section.

4. Select both the check boxes to confirm your understanding about the action.

5. Click the UPDATE button to save the changes.

5.0 Configuring KMS in vCenter Using Certificate

5.1 Configure Fortanix DSM in vCenter

You can configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

1. Log in to vCenter using vSphere Client UI.

2. Navigate to the required project → Configure tab → Key Providers option.  

   

3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:

   • Name: Name of KMS - DSM

   • Address: Either the IP address or URL of the Fortanix DSM cluster you are using, for example: SaaS customers can use the following URLs based on the region.

     • Europe: eu.smartkey.io

     • APAC: apac.smartkey.io

     • United States of America: amer.smartkey.io

   • Port: 5696

   • Username: to be left blank

   • Password: to be left blank

     

4. Click the Add Key Provider button.

5. Click the Establish Trust → Make vCenter Trust KMS to establish trust between Fortanix DSM and vCenter. Click the TRUST button.

   

5.2 Uploading the Client Certificate

Perform the following steps to upload the client certificate:

1. Copy or upload the vCenter Certificate in the Upload certificate text box for the Fortanix DSM app and save the details, generated in Section 4.2.6: Generating the Certificate.

2. Log in to the vSphere Client and navigate to Configure tab.

3. Create a new Key Management Service:

   • make it DEFAULT

   • ensure the fields User name and Password are empty.  

     

5.3 Establishing Trust with Fortanix DSM

Perform the following steps to import the key+cert to vSphere.

1. Navigate to the ESTABLISH TRUST tab, select the Make KMS trust vCenter option.

2. In the Choose a method section, select the method as KMS Certificate and Private Key and click the NEXT button.  

   

3. In the Establish Trust section, click the UPLOAD A FILE button to import the certificate and private key. Click the ESTABLISH TRUST option.

   

6.0 Set Up Encrypted VM

Perform the following steps to configure the encrypted VM:

1. Create a VM and select the default VM Encryption Policy.  

   

2. Click the FINISH button to finalize the VM creation process.  

   

3. Log in to Fortanix DSM to review the logs to monitor the connection, capturing all cryptographic operations performed by the application and any associated key creations.  

   

   

6.1 Rotate or Re-encrypt the Keys

In the ever-changing landscape of cybersecurity, the regular rotation and re-encryption of keys are essential to upholding the integrity and security of sensitive data within VMware vSphere 7.0.

Rotating keys involves periodic updates to the cryptographic keys used for encryption, authentication, and other security processes. This proactive approach mitigates the risk of prolonged exposure to potential vulnerabilities. In VMware vSphere 7.0, the seamless rotation of keys ensures that cryptographic materials remain resilient against emerging threats.

Re-encrypting keys is a complementary process that enhances the overall security posture. By periodically updating encryption algorithms or re-encrypting data with stronger cryptographic standards, the defence against evolving cyber threats is fortified. This measure aligns with a commitment to staying ahead of the curve and maintaining the highest standards of data protection.

Implementing a robust key management strategy within VMware vSphere 7.0 demonstrates dedication to cybersecurity best practices. This approach not only safeguards digital assets but also instills confidence in stakeholders, assuring them that top-notch security protocols are adhered to in today's interconnected and dynamic business environment.

Perform the following steps to rotate or re-encrypt the keys in vSphere Client:

1. Select the target VM for the key rotation procedure.

   

2. Click the Re-Encrypt option to generate a new key within the Fortanix KMS. The virtual machine then re-encrypts using a new key obtained from the current cluster's default key provider.

3. After the re-encryption process is completed, a newly generated key is added to the KMS interface.

   

7.0 Renew the VM Trust Certificates

If your KMS certificate is expired, the connection status might change, and VMware shows an error as Not Connected.

Perform the following steps to renew the VM trust certificates:

1. Log in to the vSphere Client and navigate to Configure tab.

2. Locate and click the ESTABLISH TRUST → Make KMS trust vCenter option from the drop down menu.

3. On the Make KMS Trust vCenter dialog box, perform the following:

   1. In the Choose a method tab, select the KMS certificate and private key radio button.

   2. Click the NEXT button.

   3. In the Upload KMS Credentials tab, upload the KMS certificate and KMS Private Key in the respective fields.

   4. Click the ESTABLISH TRUST button.

4. Locate and click the ESTABLISH TRUST → Make vCenter Trust KMS option from the drop down menu.

5. On the Make vCenter Trust KMS dialog box, verify the details and click the TRUST button to initiate the renewal of the KMS certificate.

   

6. After the KMS certificate is updated, click the Trust button to confirm the updated KMS certificates in the prompted dialog box.

   

   

7. If the KMS application certificate has expired, run the following OpenSSL command to generate the new certificate and private key using the same UUID of the app created in Section 4.2.4: Create an Application:

   openssl req -newkey rsa:2048 -nodes -keyout renewsdkms.key -x509 -days 365 -out renewsdkms.crt

8. Update the renewsdkms.crt to the Fortanix DSM app associated with VMware.

9. Update the same renewsdkms.crt and renewsdkms.key certificates in VMware.

   

10. Click the ESTABLISH TRUST button.
    After the trust is established, the connection is updated as shown in the following figure:

    

    For detailed information, refer to the Fortanix DSM VSAN KMIP demo.

7.1 Remove the Fortanix KMS

Perform the following steps to delete the Fortanix KMS from VMware:

1. Select the VM machine from where the encryption needs to be removed.

2. Navigate to the Summary tab, select the VM policies → Edit Storage Policies option from the nested menu.

   

3. On the Edit VM Storage Policies page, select the Datastore Default from the drop down menu.

   

4. Click the OK button to confirm the action.

The datastore is reconfigured and the VM is un-encrypted.

7.2 Migrate the Virtual Machine Disk File

This section illustrates the following steps to effectively migrate a Virtual Machine Disk (VMDK) file from one vCenter to another, ensuring consistency in KMS settings and seamless restoration with key retrieval from the Fortanix KMS.

Perform the following steps:

1. Locate and copy the VMDK file from the datastore or storage associated with vCenter 1.

2. Reconfigure the vCenter 2 with the same KMS Name, Endpoint and Certificate at vCenter 2.

   

3. Paste the copied VMDK file into the datastore or storage of vCenter 2.

   

4. After restoring the VMDK file in vCenter 2, the key will be automatically fetched from the Fortanix KMS.

7.3 Virtual Trusted Platform Module with Fortanix DSM

A Virtual Trusted Platform Module (vTPM) is a software version of a hardware TPM, a chip designed to enhance hardware security using integrated cryptographic keys. In VMware environments, vTPM offers the same security features for virtual machines (VMs) that physical TPMs provide for physical machines, enhancing VM security with encryption, secure boot, and other advanced security capabilities.

7.3.1 Key Benefits

• Enhanced Security: vTPM boosts VM security with features like measured boot, ensuring the VM starts in a trusted state.

• Compliance: vTPM aids in meeting security compliance requirements that mandate TPM use.

• Encryption Support: vTPM supports full-disk encryption and other cryptographic operations.

• Platform Integrity: vTPM maintains the integrity of the virtual platform by validating the boot process and safeguarding sensitive data.

7.3.2 Setting Up vTPM in VMware

1. VMware vSphere Prerequisites:

   • vSphere Version: vSphere 6.7 or later must be installed.

   • ESXi Host: Virtual hardware version 14 or later must be supported.

2. Prerequisites for configuring vTPM:

   • Firmware: Set the VM's firmware to UEFI.

   • Key Management: Optionally, configure key management services (KMS) for key handling and encryption operations.

3. Enabling vTPM:

   1. Create a new VM or power off an existing VM.

   2. In the vSphere Client window, right-click the VM and select the Edit Settings option.

   3. Navigate to the Virtual Hardware tab, click the ADD NEW DEVICE option, and select the Trusted Platform Module option from the drop down menu.

      

   4. Click the OK button to save the settings and turn on the VM.

   5. After adding vTPM and powering on the VM, review the key in Fortanix Key Management. To view the details about the key, log into the Fortanix DSM UI and navigate to Security Objects menu item → select the required key → ATTRIBUTES/TAGS tab.  

      

      

8.0 Troubleshooting and Support