Using Fortanix Data Security Manager as a KMS to secure VMware virtual environments

1.0 Overview

The following instructions describe how to set up Fortanix Data Security Manager (DSM) as a KMS server in vSphere from the vSphere Web Client. There are two proven ways to establish trust and authenticate vSphere to Fortanix DSM:

  • Using API Keys
  • Using Certificates

Once set up, Fortanix DSM can be used for both vSphere VM encryption and VSAN encryption.

2.0 Prerequisites

Create a Fortanix Data Security Manager account.

3.0 Create a Fortanix Data Security Manager App for VMware

There are two ways to configure Fortanix DSM for VMware encryption:

3.1 Using Fortanix DSM SaaS Deployment

To create an app using the VMware wizard in Fortanix DSM SaaS:

  1. Sign up at
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the VMware wizard.
  5. Enter the details as shown in the screenshot below.
    Figure 1: Add instance
    1. Add Instance: This is the name to identify the instance created.
    2. Authentication method: Select the desired authentication method. There are two options to choose from:
      1. API key: This method is used to authenticate the application with the API Gateway.
      2. Client Certificate: This method is used to authenticate the application with Fortanix DSM using a Client Certificate. To upload the client certificate, click UPLOAD CERTIFICATE. Alternatively, the client certificate can be pasted in the field provided.
  6. Continue to Step 1 and Step 2 in Section 6.0 for authentication using the client certificate.
  7. Click SAVE INSTANCE. Saving an instance creates a new Group, an App, and Keys within Fortanix DSM.

3.1.1 VMware Wizard Instance Detailed View

In the instance detailed view page, the created instances are listed as shown below.
Figure 2: Detailed instance

In the instance details you will notice the following:

  • Credentials: This is the App authentication method used.
    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the App authentication method used is a Client Certificate.
    • Click COPY API KEY to copy the API key. This is applicable only if the App authentication method used is API Key.
  • MANAGE: Click MANAGE to manage the keys created.
  • Instance status: To disable the instance created, click the Disabled toggle.
  • Delete: To delete the instance created, click the button. Note that deleting an instance deletes the App, the Group, and all security objects belonging to the instance, and all key material becomes inaccessible.

3.2 Using Fortanix DSM On-Premises Deployments

  1. Inside the Fortanix DSM account, go to the Applications tab and create a new Fortanix DSM app.
  2. In the Adding new app form, for the Interface field choose KMIP and for the Authentication method option choose API key.
    Figure 3: Create App
  3. Save the app and copy the App UUID.
    Figure 3: Copy the App UUID
  4. Change the authentication method of the Fortanix DSM App created to ‘Certificate’ and click SAVE.
  5. Continue to Step 1 and Step 2 in Section 6.0 for authentication using the client certificate.
  6. Click UPDATE to update the authentication method.

4.0 Obtain App Credentials

Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.

Figure 4: Obtain app credentials

5.0 Configuring KMS in vCenter Using Password

Go to the “Key Management Servers” page in the vSphere Web Client and click + Add KMS. Fill in the required information on the KMS server. In the User name and Password fields paste the values from the previous step.

Figure 5: Add KMS in vCenter

After clicking OK the “Connection Status” column should show “Normal” and the “Certificate Status” column should show a green check with the expiration date of the certificate.

Figure 6: KMS added

5.1 Establishing Trust with Fortanix Data Security Manager

After adding the Fortanix DSM KMS server to the vSphere Web Client, it is necessary to establish trust with the server. In the “Key Management Servers” page, click Establish trust with KMS and select Certificate. If desired, save the Certificate and then click OK.

Figure 7: Establishing trust with KMS

A second green check should appear in the “Certificate Status” column of the KMS cluster.

Figure 8: Trust established with KMS

Fortanix DSM is ready for use with VSAN encryption and vSphere VM encryption.

6.0 Configuring KMS in vCenter using Client Certificate

  1. To generate a client certificate, use OpenSSL to create a new key+cert with CN=FORTANIX_APP_UUID:
    $ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6
    $ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
        -days 365 -out certificate.crt -subj \
        "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
  2. Copy or upload the vCenter Certificate into the Upload certificate text box for the Fortanix DSM app and save the details.
  3. Create a new Fortanix DSM Cluster, make it DEFAULT, and make sure the User name and Password fields are empty.
    Figure 12: Create new cluster
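The client certificate in Step 1 only works if its CN is exactly the App UUID, so it is worth checking the generated certificate before uploading it in Step 2. The script below is an added example, not part of the Fortanix article: it wraps the page's openssl command, then verifies the subject CN and the remaining validity period. It assumes openssl is on PATH; the default UUID is the page's example value and should be overridden with your own App UUID.

```shell
#!/bin/sh
# Added example (not from the Fortanix page): generate the client key+cert
# with CN=<App UUID> as Section 6.0 describes, then verify the CN and the
# validity period before uploading the certificate to the DSM app.
# Assumes openssl is on PATH. The default UUID is the page's example value;
# override it via the environment for a real app.
set -eu

FORTANIX_APP_UUID="${FORTANIX_APP_UUID:-ce59838b-1d24-49a7-9fb1-011adbc891e6}"

# Generate a self-signed cert and private key into directory $1 with CN=$2.
gen_client_cert() {
  mkdir -p "$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$1/private.key" -x509 \
    -days 365 -out "$1/certificate.crt" \
    -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$2" \
    2>/dev/null
}

# Print the CN of the certificate's subject (RFC 2253 form lists CN first).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the cert CN equals the expected App UUID, which is what
# the page requires for client-certificate authentication.
check_cert_cn() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Succeed only if the cert stays valid for at least $2 more days.
check_cert_days_left() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

main() {
  dir=$(mktemp -d)
  gen_client_cert "$dir" "$FORTANIX_APP_UUID"
  if check_cert_cn "$dir/certificate.crt" "$FORTANIX_APP_UUID" \
     && check_cert_days_left "$dir/certificate.crt" 30; then
    echo "OK: $dir/certificate.crt has CN=$FORTANIX_APP_UUID; upload it in Step 2"
  else
    echo "FAIL: certificate CN or validity period does not match" >&2
    return 1
  fi
}

main
```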

6.1 Establishing Trust with Fortanix Data Security Manager

  1. To import the key+cert to vSphere, click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key.
    Figure 13: Initiate importing cert and private key
    1. Import the certificate and private key and establish trust.
      Figure 14: Importing cert and private key
  2. Create a VM, select the default VM Encryption Policy, and enable Home/Disk encryption.
    Figure 15: Create a VM
  3. The VM is successfully created.
    Figure 16: VM created
  4. Log in to Fortanix DSM to view the audit logs for the connection, which capture all crypto operations performed by the application, and the key that was created.
    Figure 17: Audit logs showing crypto operations
    Figure 18: Key created

