Using Fortanix Data Security Manager as a KMS to secure VMware virtual environments

  • Last updated:
  • access_time Reading time:

Overview

The following instructions describe how to set up Fortanix Data Security Manager (DSM) as a KMS server in vSphere from the vSphere Web Client. There are two proven ways of establishing trust/authenticate vSphere to Fortanix DSM:

  • Using API Keys
  • Using Certificates

Once set up, Fortanix DSM can be used for both vSphere VM encryption and VSAN encryption.

Prerequisites

Create a Fortanix Data Security Manager account.

Create a Fortanix Data Security Manager App for VMware

Inside the Fortanix DSM account, go to the Applications tab and create a new Fortanix DSM app. For the “Interface” field choose “KMIP” and for the “Authentication method” option choose “API key”. Click “Save” and after reviewing click “Finish”.

1.1.png

Figure 1: Create an app

Obtain App Credentials

Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.

2.png

Figure 2: Obtain app credentials

Configuring KMS in vCenter Using Password

Go to the “Key Management Servers” page in the vSphere Web Client and click + Add KMS. Fill in the required information on the KMS server. In the User name and Password fields paste the values from the previous step.

add_kms

Figure 3: Add KMS in vCenter

After clicking OK the “Connection Status” column should show “Normal” and the “Certificate Status” column should show a green check with the expiration date of the certificate.

after_add_kms

Figure 4: KMS added

Establishing Trust with Fortanix Data Security Manager

After adding the Fortanix DSM KMS server in the VSphere Web Client it is necessary to establish trust with the server. In the “Key Management Servers” page click Establish trust with KMS and select Certificate. If desired, save the Certificate and then click OK.

establish_trust

Figure 5: Establishing trust with KMS

A second green check should appear in the “Certificate Status” column of the KMS cluster.

after_trust

Figure 6:Trust established with KMS

Fortanix DSM is ready for use with VSAN encryption and vSphere VM encryption.

Configuring KMS in vCenter using Client Certificate

  1. To generate a client certificate, use OpenSSL, and create a new key+cert with CN=FORTANIX_APP_UUID.
    Vmware-KMS1.png
    Figure 7: Note the App UUID
     
    $ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6

    $ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
       -days 365 -out certificate.crt -subj \
       "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
  2. Import the vCenter Certificate into the Fortanix DSM App.
      Vmware-KMS2.png
    Figure 8: Upload certificate for authenticating app

    Vmware-KMS3.png
    Figure 9: Upload certificate for authenticating app
     
  3. Create a new Fortanix DSM Cluster, make it DEFAULT, and make sure the fields User name and Password are empty. Vmware-KMS-4.png
    Figure 10: Create new cluster
     

Establishing Trust with Fortanix Data Security Manager

  1. To import the key+cert to vSphere click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key. Vmware-KMS5.png
    Figure 11: Initiate importing cert and private key
     
    1. Import the certificate and private key and establish trust.Vmware-KMS6.png
      Figure 12: importing cert and private key
       
  2. Create a VM and select the default VM Encryption Policy and enable Home/Disk encryption. Vmware-KMS7.png
    Figure 13: Create a VM
     
  3. The VM is successfully created. Vmware-KMS8.png
    Figure 14: VM created
     
  4. Log in to Fortanix DSM to see the logs of the connection that captures all the crypto operations performed by the application and the key created as well. Vmware-KMS9.1.png
    Figure 15: Audit logs showing crypto operations

      Vmware-KMS10.png
    Figure 16: Key created