Overview
The following instructions describe how to set up Fortanix Self-Defending KMS as a KMS server in vSphere from the vSphere Web Client. There are two proven ways to establish trust between vSphere and Fortanix Self-Defending KMS, that is, to authenticate vSphere to the KMS:
- Using API Keys
- Using Certificates
Once set up, Fortanix Self-Defending KMS can be used for both vSphere VM encryption and VSAN encryption.
Prerequisites
Create a Fortanix Self-Defending KMS account.
Create a Fortanix Self-Defending KMS App for VMware
Inside the Fortanix Self-Defending KMS account, go to the Applications tab and create a new Fortanix Self-Defending KMS app. For the “Interface” field choose “KMIP” and for the “Authentication method” option choose “API key”. Click “Save” and after reviewing click “Finish”.
Obtain App Credentials
Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.
Configuring KMS in vCenter Using Password
Go to the “Key Management Servers” page in the vSphere Web Client and click + Add KMS. Fill in the required information for the KMS server. In the User name and Password fields paste the values obtained in the previous step.
After clicking OK the “Connection Status” column should show “Normal” and the “Certificate Status” column should show a green check with the expiration date of the certificate.
Establishing Trust with Fortanix Self-Defending KMS
After adding the Fortanix Self-Defending KMS server in the vSphere Web Client it is necessary to establish trust with the server. In the “Key Management Servers” page click Establish trust with KMS and select Certificate. If desired, save the certificate and then click OK.
A second green check should appear in the “Certificate Status” column of the KMS cluster.
Fortanix Self-Defending KMS is ready for use with VSAN encryption and vSphere VM encryption.
Configuring KMS in vCenter using Client Certificate
- To generate a client certificate, use OpenSSL to create a new key and self-signed certificate whose CN is the Fortanix app UUID (CN=FORTANIX_APP_UUID).
Figure 7: Note the App UUID
$ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6
$ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
    -days 365 -out certificate.crt -subj \
    "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
- Import the vCenter certificate (the certificate.crt generated above) into the Fortanix Self-Defending KMS App.
Figure 8: Upload certificate for authenticating app
Figure 9: Upload certificate for authenticating app
- Create a new Fortanix Self-Defending KMS Cluster, make it DEFAULT, and make sure the User name and Password fields are left empty.
Figure 10: Create new cluster
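The certificate step above is the one that most often goes wrong (a CN that does not exactly match the app UUID, or a key that does not belong to the uploaded certificate, both surface only as an opaque connection failure in vCenter). As an added example, not from the Fortanix or VMware documentation, this script generates the key and certificate exactly as shown on the page and runs the pre-flight checks a practitioner would want before uploading the certificate to the Fortanix app and importing the pair into vCenter. It assumes openssl is installed; the UUID is the one shown on the page and should be replaced with your own app's UUID.

```shell
#!/bin/sh
# Added example: generate the vCenter client key+cert (CN = Fortanix app UUID)
# and verify it before uploading. Requires the openssl CLI.
set -e

# UUID from the page; replace with the App UUID shown in your Fortanix app details.
FORTANIX_APP_UUID="ce59838b-1d24-49a7-9fb1-011adbc891e6"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"
CERT="$WORKDIR/certificate.crt"

# Same openssl invocation as the page: 2048-bit RSA key, self-signed cert valid
# 365 days, CN set to the app UUID so the KMS can authenticate the app by certificate.
gen_client_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -x509 -days 365 \
        -out "$CERT" -subj \
        "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID" \
        >/dev/null 2>&1
}

# Print the CN of the certificate subject, one attribute per line so CN is easy to isolate.
cert_cn() {
    openssl x509 -in "$CERT" -noout -subject -nameopt RFC2253,sep_multiline \
        | sed -n 's/^ *CN=//p'
}

# Check 1: the CN is exactly the app UUID (any typo or stray whitespace fails here).
check_cn_matches_uuid() {
    [ "$(cert_cn)" = "$FORTANIX_APP_UUID" ]
}

# Check 2: the private key and certificate belong together (compare their public keys).
check_key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$CERT" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the certificate is currently valid; vCenter's "Certificate Status"
# column shows the expiration date, so an expired cert is caught here first.
check_cert_not_expired() {
    openssl x509 -in "$CERT" -noout -checkend 0 >/dev/null
}

gen_client_cert
check_cn_matches_uuid && check_key_matches_cert && check_cert_not_expired \
    && echo "client certificate ready for upload: $CERT (key: $KEY)"
```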
Establishing Trust with Fortanix Self-Defending KMS
- To import the key+cert to vSphere click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key.
Figure 11: Initiate importing cert and private key
- Import the certificate and private key and establish trust.
Figure 12: importing cert and private key
- Create a VM and select the default VM Encryption Policy and enable Home/Disk encryption.
Figure 13: Create a VM
- The VM is successfully created.
Figure 14: VM created
- Log in to Fortanix Self-Defending KMS to view the audit logs for the connection, which capture all the crypto operations performed by the application as well as the key that was created.
Figure 15: Audit logs showing crypto operations
Figure 16: Key created