The following instructions describe how to set up Self-Defending KMS as a KMS server in vSphere from the vSphere Web Client. Once set up, Self-Defending KMS can be used for both vSphere VM encryption and vSAN encryption.
Create a Self-Defending KMS account.
Create a Self-Defending KMS App for VMware
Inside the Self-Defending KMS account, go to the Applications tab and create a new Self-Defending KMS app. For the “Interface” field, choose “KMIP”, and for the “Authentication method” option, choose “API key”. Click “Save” and, after reviewing, click “Finish”.
Obtain App Credentials
Go back to the “Applications” page and click “VIEW CREDENTIALS” for the app you just created. Then, click the “Username/Password” tab as shown below.
Configuring KMS in vCenter
Go to the “Key Management Servers” page in the vSphere Web Client and click “+ Add KMS”. Fill in the required information about the KMS server. In the “User name” and “Password” fields, paste the values from the previous step.
After pressing OK, the “Connection Status” column should show “Normal” and the “Certificate Status” column should show a green check with the expiration date of the certificate.
Establishing trust with Fortanix Self-Defending KMS
After adding Self-Defending KMS as a KMS server in the vSphere Web Client, it is necessary to establish trust with the server. On the “Key Management Servers” page, click “Establish trust with KMS” and choose “Certificate”. If desired, save the certificate, and then click “OK”.
A second green check should appear in the “Certificate Status” column of the KMS cluster.
Self-Defending KMS is now ready for use with vSAN encryption and vSphere VM encryption.