Using Fortanix Data Security Manager for VMware Cloud Director

Introduction

This article describes how to use Fortanix Data Security Manager (DSM) for VM encryption through VMware Cloud Director. It also contains the information that a user requires for:

  • Facilitating the communication and authentication between Fortanix DSM and vCenter using KMIP interface
  • Setting up Fortanix DSM.
  • Exposing VM Encryption storage policy to tenants
  • Enabling VM Encryption storage policy for VM encryption

KMIP and Certificate Requirements

The Key Management Interoperability Protocol (KMIP) is used to facilitate communication between the vCentre and Fortanix DSM. KMIP uses Transport Layer Security (TLS) to provide a secure connection and Fortanix DSM also uses this to Authentication a KMIP client to successfully create, retrieve and use the keys stored inside Fortanix DSM.

Prerequisites

  • vCenter connected to Cloud Director 10.0 or later is installed and operational
  • Fortanix DSM version 3.20 or later
  • Fortanix DSM is installed and operational, and is accessible by the vCentre on port 5696 (for default) or custom KMIP port

Considerations

The following are some key points to understanding the Fortanix DSM for VM encryption:

  • The VMs needs to be power off to apply the VM encryption storage policy.
  • vCenter supports only one (1) external KMS at a time, and the IP address of the KMS cannot be altered once configured.

Setting Up Fortanix Data Security Manager

Fortanix DSM supports KMIP clients to authenticate using a certificate through Apps.

Configure App in Fortanix Data Security Manager

  1. Log in to the Fortanix DSM UI.
  2. Click the Application icon App.png, and then click create.png to create a new application.
  3. Enter the following details:
    • App name: This is the name to authenticate Fortanix DSM with vCentre
    • Interface: KMIP
    • Authentication method: The default value of API Key is fine.
    • Assigning the new app to groups: Keys created by vCenter will be owned by this Group. CreateApp.png
      Figure 1: Create App

Configure vCenter Key Management Settings

You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

Configure Fortanix Data Security Manager in vCenter

  1. Log in to vCenter using vSphere Client UI.
  2. Navigate to Configure -> Key Providers. ClientUI.png
    Figure 2: vSphere Client UI
     
  3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
    • Name: Name of KMS - SDKMS
    • Address: Fortanix DSM IP address. In this case, sdkms.fortanix.com
    • Port: 5696
    • Username: Copy the value from Fortanix DSM App
    • Password: Copy the value from Fortanix DSM App KMS_Config_Details1.png
      Figure 3: Key Management configuration details
        UserNameSDKMS.png
      Figure 4: Username and Password from Data Security Manager
        KMS_Config_Details2.png
      Figure 5: Key Management configuration details
       
  4. Click Add Key Provider.
  5. Establish trust between Fortanix DSM and vCentre by clicking Establish Trust -> Make vCenter Trust KMS. Click TRUST. TrustKMS.png
    Figure 6: Establish Trust

Expose VM Encryption Policy to Tenants

As a service provider, make sure you exposed the VM encryption storage policy to the tenants.

  1. Log in to the VMware Cloud Director provider portal.
  2. Click Organization VDCs and enable VM encryption policy for the organization. VMEncryptionPolicy.png
    Figure 7: Enable VM Encryption Policy 

Tenants Apply VM Encryption Storage Policy to VM

The tenants can apply the VM encryption storage policy to the VM(s) they want to encrypt.

  1. The Tenants can log in to the VMware Cloud Director tenant portal.
  2. Click the VM that needs to be encrypted. Make sure that the VM is powered off. TenantPortal.png
    Figure 8: Tenant Portal 
     
  3. Apply VM Encryption storage policy to the VM. VMEncryptionPolicy2.png
                  Figure 9: Apply VM Encryption Policy
      VMEncryptionPolicy1.png
    Figure 10: VM Encryption Policy

Verification of Fortanix Data Security Manager

Service providers can log in to Fortanix DSM to see the logs of the connection and the key created as well. ConnectionLogs.png

Figure 11: Connection logs

  Encryptionkey.png

Figure 12: Encryption key created

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful