Using Fortanix Data Security Manager for VMware Cloud Director

Introduction

This article describes how to use Fortanix Data Security Manager (DSM) for VM encryption through VMware Cloud Director. It also contains the information that a user requires for:

• Facilitating the communication and authentication between Fortanix DSM and vCenter using KMIP interface
• Setting up Fortanix DSM.
• Exposing VM Encryption storage policy to tenants
• Enabling VM Encryption storage policy for VM encryption

KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the vCentre and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to Authentication a KMIP client to successfully create, retrieve and use the keys stored inside Fortanix DSM.

Prerequisites

• vCenter connected to Cloud Director 10.0 or later is installed and operational
• Fortanix DSM version 3.20 or later
• Fortanix DSM is installed and operational, and is accessible by the vCentre on port 5696 (for default) or custom KMIP port

Considerations

The following are some key points to understanding the Fortanix DSM for VM encryption:

• The VMs needs to be power off to apply the VM encryption storage policy.
• vCenter supports only one (1) external KMS at a time, and the IP address of the KMS cannot be altered once configured.

Setting Up Fortanix Data Security Manager

Fortanix DSM supports KMIP clients to authenticate using a certificate through Apps.

Configure App in Fortanix Data Security Manager

1. Log in to the Fortanix DSM UI.
2. Click the Application icon , and then click  to create a new application.
3. Enter the following details:
   • App name: This is the name to authenticate Fortanix DSM with vCentre
   • Interface: KMIP
   • Authentication method: The default value of API Key is fine.
   • Assigning the new app to groups: Keys created by vCenter will be owned by this Group. Figure 1: Create App

Configure vCenter Key Management Settings

You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

Configure Fortanix Data Security Manager in vCenter

1. Log in to vCenter using vSphere Client UI.
2. Navigate to Configure -> Key Providers. Figure 2: vSphere Client UI 
3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
   • Name: Name of KMS - SDKMS
   • Address: Fortanix DSM IP address. In this case, sdkms.fortanix.com
   • Port: 5696
   • Username: Copy the value from Fortanix DSM App
   • Password: Copy the value from Fortanix DSM App Figure 3: Key Management configuration details  Figure 4: Username and Password from Data Security Manager  Figure 5: Key Management configuration details 
4. Click Add Key Provider.
5. Establish trust between Fortanix DSM and vCentre by clicking Establish Trust -> Make vCenter Trust KMS. Click TRUST. Figure 6: Establish Trust

Expose VM Encryption Policy to Tenants

As a service provider, make sure you exposed the VM encryption storage policy to the tenants.

1. Log in to the VMware Cloud Director provider portal.
2. Click Organization VDCs and enable VM encryption policy for the organization. Figure 7: Enable VM Encryption Policy 

Tenants Apply VM Encryption Storage Policy to VM

The tenants can apply the VM encryption storage policy to the VM(s) they want to encrypt.

1. The Tenants can log in to the VMware Cloud Director tenant portal.
2. Click the VM that needs to be encrypted. Make sure that the VM is powered off. Figure 8: Tenant Portal 
3. Apply VM Encryption storage policy to the VM.
   
                 Figure 9: Apply VM Encryption Policy
     Figure 10: VM Encryption Policy

Verification of Fortanix Data Security Manager

Service providers can log in to Fortanix DSM to see the logs of the connection and the key created as well.