Overview
The following instructions describe how to set up Fortanix Data Security Manager (DSM) as a KMS server in vSphere from the vSphere Web Client. There are two proven ways of establishing trust between vSphere and Fortanix DSM, that is, of authenticating vSphere to Fortanix DSM:
- Using API Keys
- Using Certificates
Once set up, Fortanix DSM can be used for both vSphere VM encryption and VSAN encryption.
Prerequisites
Create a Fortanix Data Security Manager account.
Create a Fortanix Data Security Manager App for VMware
Inside the Fortanix DSM account, go to the Applications tab and create a new Fortanix DSM app. For the “Interface” field choose “KMIP” and for the “Authentication method” option choose “API key”. Click “Save” and after reviewing click “Finish”.
Obtain App Credentials
Go back to the “Applications” page and click VIEW CREDENTIALS of the app you just created. Then, click the USERNAME/PASSWORD tab as shown below.
Configuring KMS in vCenter Using Password
Go to the “Key Management Servers” page in the vSphere Web Client and click + Add KMS. Fill in the required information for the KMS server. In the User name and Password fields, paste the values obtained in the previous step.
After clicking OK the “Connection Status” column should show “Normal” and the “Certificate Status” column should show a green check with the expiration date of the certificate.
Establishing Trust with Fortanix Data Security Manager
After adding the Fortanix DSM KMS server in the vSphere Web Client, it is necessary to establish trust with the server. In the “Key Management Servers” page click Establish trust with KMS and select Certificate. Optionally save the certificate, then click OK.
A second green check should appear in the “Certificate Status” column of the KMS cluster.
Fortanix DSM is ready for use with VSAN encryption and vSphere VM encryption.
Configuring KMS in vCenter using Client Certificate
- To generate a client certificate, use OpenSSL to create a new key+cert with CN=FORTANIX_APP_UUID.
Figure 7: Note the App UUID
$ export FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6
$ openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 \
    -days 365 -out certificate.crt -subj \
    "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
- Import the vCenter certificate (certificate.crt) into the Fortanix DSM App.
Figure 8: Upload certificate for authenticating app
Figure 9: Upload certificate for authenticating app
- Create a new Fortanix DSM KMS cluster, make it DEFAULT, and make sure the User name and Password fields are empty.
Figure 10: Create new cluster
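The client certificate step above can be scripted and checked locally before anything is uploaded. The following is an added example and is neither Fortanix's nor VMware's code: it runs the same openssl command as this page, then confirms that the certificate's CN really equals the App UUID and that the private key belongs to the certificate. It assumes OpenSSL is installed; the App UUID is the one shown on this page, and the function names (`gen_client_cert`, `cert_cn`, `verify_client_cert`) are introduced here.

```shell
#!/bin/sh
# Added example (not Fortanix or VMware code): generate the vSphere client
# key+cert whose CN is the Fortanix DSM App UUID, then verify the pair before
# uploading the certificate to the DSM App and the key+cert to vCenter.
set -eu

# Generate a self-signed client certificate with CN=<app uuid>.
# $1 = app UUID, $2 = output directory (private.key, certificate.crt)
gen_client_cert() {
    uuid="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl req -newkey rsa:2048 -nodes -keyout "$outdir/private.key" -x509 \
        -days 365 -out "$outdir/certificate.crt" -subj \
        "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$uuid" \
        2>/dev/null
}

# Print only the CN of a certificate's subject.
# RFC2253 ordering puts CN first and escapes the comma in "Fortanix, Inc.".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check CN == expected UUID, private key matches the certificate (same public
# key), and the certificate is not already expired. Catching these locally
# avoids an opaque KMS connection failure later in vCenter.
# $1 = app UUID, $2 = directory holding private.key and certificate.crt
verify_client_cert() {
    uuid="$1"; outdir="$2"
    cn=$(cert_cn "$outdir/certificate.crt")
    [ "$cn" = "$uuid" ] || { echo "CN mismatch: got '$cn', want '$uuid'" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$outdir/certificate.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/private.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$outdir/certificate.crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate already expired" >&2; return 1; }
    echo "ok: CN=$cn, key matches certificate"
}

# Usage: the App UUID from this page; artefacts land in OUTDIR (temp dir by default).
FORTANIX_APP_UUID=ce59838b-1d24-49a7-9fb1-011adbc891e6
OUTDIR=${OUTDIR:-$(mktemp -d)}
gen_client_cert "$FORTANIX_APP_UUID" "$OUTDIR"
verify_client_cert "$FORTANIX_APP_UUID" "$OUTDIR"
```

Set OUTDIR to keep the files somewhere permanent; the files to upload are `$OUTDIR/certificate.crt` (to the DSM App) and the same certificate plus `$OUTDIR/private.key` (to vCenter under Establish Trust). A wrong CN or a key that does not belong to the certificate is rejected here instead of surfacing as a failed KMS connection in vCenter.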
Establishing Trust with Fortanix Data Security Manager
- To import the key and certificate into vSphere, click Establish Trust > Make KMS trust vCenter > KMS Certificate and Private Key.
Figure 11: Initiate importing cert and private key
- Import the certificate and private key and establish trust.
Figure 12: importing cert and private key
- Create a VM, select the default VM Encryption Policy, and enable Home/Disk encryption.
Figure 13: Create a VM
- The VM is successfully created.
Figure 14: VM created
- Log in to Fortanix DSM to view the audit logs for the connection, which capture all the crypto operations performed by the application, and to see the key that was created.
Figure 15: Audit logs showing crypto operations
Figure 16: Key created