Introduction
This article describes how to use Fortanix Self-Defending Key Management Service (KMS) as the key provider for VM encryption through VMware Cloud Director. It covers:
- Setting up communication and authentication between Fortanix Self-Defending KMS and vCenter over the KMIP interface
- Setting up Fortanix Self-Defending KMS
- Exposing the VM Encryption storage policy to tenants
- Applying the VM Encryption storage policy to encrypt a VM
KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used for communication between vCenter and Fortanix Self-Defending KMS. KMIP runs over Transport Layer Security (TLS), which protects the connection and lets Fortanix Self-Defending KMS authenticate the KMIP client before that client is allowed to create, retrieve and use the keys stored inside Fortanix Self-Defending KMS.
Prerequisites
- vCenter connected to VMware Cloud Director 10.0 or later is installed and operational
- Fortanix Self-Defending KMS version 3.20 or later
- Fortanix Self-Defending KMS is installed and operational, and is reachable from vCenter on port 5696 (the default) or on the custom KMIP port
Considerations
The following are some key points to understand about using Fortanix Self-Defending KMS for VM encryption:
- A VM needs to be powered off before the VM encryption storage policy can be applied to it.
- vCenter supports only one external KMS at a time, and the IP address of the KMS cannot be changed once it is configured.
Setting Up Fortanix Self-Defending KMS
Fortanix Self-Defending KMS authenticates KMIP clients through Apps. In this guide you create an App and give its credentials to vCenter, which presents them when it connects to the KMIP port.
Configure App in Fortanix Self-Defending KMS
- Log in to the Fortanix Self-Defending KMS UI.
- Click the Application icon, and then click the button to create a new application.
- Enter the following details:
- App name: The name of the App that identifies vCenter to Fortanix Self-Defending KMS
- Interface: KMIP
- Authentication method: The default value of API Key is fine.
- Assigning the new app to groups: Keys created by vCenter through this App will be owned by the selected group.
Figure 1: Create App
Configure vCenter Key Management Settings
You can configure Fortanix Self-Defending KMS as an external KMS in vCenter using the vSphere Client UI.
Configure Fortanix Self-Defending KMS in vCenter
- Log in to vCenter using vSphere Client UI.
- Navigate to Configure -> Key Providers.
Figure 2: vSphere Client UI
- In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
- Name: A name for the key provider, for example SDKMS
- Address: The IP address or hostname of Fortanix Self-Defending KMS. In this case, sdkms.fortanix.com
- Port: 5696
- Username: Copy the value from the Fortanix Self-Defending KMS App
- Password: Copy the value from the Fortanix Self-Defending KMS App
Figure 3: Key Management configuration details
Figure 4: Username and Password from Self-Defending KMS
Figure 5: Key Management configuration details
- Click Add Key Provider.
- Establish trust between Fortanix Self-Defending KMS and vCenter by clicking Establish Trust -> Make vCenter Trust KMS. Click TRUST.
Figure 6: Establish Trust
Expose VM Encryption Policy to Tenants
As a service provider, make sure you have exposed the VM encryption storage policy to the tenants.
- Log in to the VMware Cloud Director provider portal.
- Click Organization VDCs and enable the VM encryption policy for the organization VDC.
Figure 7: Enable VM Encryption Policy
Tenants Apply VM Encryption Storage Policy to VM
Tenants can apply the VM encryption storage policy to the VM(s) they want to encrypt.
- Log in to the VMware Cloud Director tenant portal as a tenant.
- Click the VM that needs to be encrypted. Make sure that the VM is powered off.
Figure 8: Tenant Portal
- Apply the VM Encryption storage policy to the VM.
Figure 9: Apply VM Encryption Policy
Figure 10: VM Encryption Policy
Verification of Fortanix Self-Defending KMS
Service providers can log in to Fortanix Self-Defending KMS to check the logs for the connection from vCenter and to see the key that vCenter created in the App's group.
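Before configuring vCenter, and again when verifying the setup, it helps to exercise the KMIP port directly with the App's credentials, independently of vSphere. The following is an added example, not Fortanix or VMware code: it encodes a KMIP 1.2 Query request in TTLV with a Username/Password credential (the credential form vCenter sends for the username and password copied from the App), sends it over a certificate-verifying TLS session to port 5696, and decodes the Result Status and the list of operations the KMS reports. The tag numbers and type codes are from the KMIP 1.x specification; the host, the credential placeholders, and the sample response bytes are constructed for this example.

```python
import socket
import ssl
import struct

# KMIP TTLV item types and the tags used here (values from the KMIP 1.x spec).
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
T = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B,
    "Authentication": 0x42000C, "Credential": 0x420023, "CredentialType": 0x420024,
    "CredentialValue": 0x420025, "Username": 0x420099, "Password": 0x4200A1,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "QueryFunction": 0x420074,
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A, "ResponsePayload": 0x42007C,
    "ResultStatus": 0x42007F, "ResultMessage": 0x42007D,
}
CRED_USERNAME_PASSWORD, OP_QUERY, QUERY_OPERATIONS, RESULT_SUCCESS = 1, 0x18, 1, 0


def ttlv(tag, item_type, value):
    """Encode one TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if item_type == STRUCTURE:
        raw, length = b"".join(value), None
    elif item_type in (INTEGER, ENUMERATION):
        raw, length = struct.pack(">I", value), 4          # 4-byte value plus 4 bytes padding
    elif item_type == TEXT_STRING:
        raw, length = value.encode("utf-8"), None
    else:
        raise ValueError("unsupported TTLV type %#x" % item_type)
    length = len(raw) if length is None else length
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", length) \
        + raw + b"\x00" * (-len(raw) % 8)


def build_query_request(username, password):
    """KMIP 1.2 Query request carrying a Username/Password credential, the form vCenter uses."""
    return ttlv(T["RequestMessage"], STRUCTURE, [
        ttlv(T["RequestHeader"], STRUCTURE, [
            ttlv(T["ProtocolVersion"], STRUCTURE, [
                ttlv(T["ProtocolVersionMajor"], INTEGER, 1),
                ttlv(T["ProtocolVersionMinor"], INTEGER, 2)]),
            ttlv(T["Authentication"], STRUCTURE, [
                ttlv(T["Credential"], STRUCTURE, [
                    ttlv(T["CredentialType"], ENUMERATION, CRED_USERNAME_PASSWORD),
                    ttlv(T["CredentialValue"], STRUCTURE, [
                        ttlv(T["Username"], TEXT_STRING, username),
                        ttlv(T["Password"], TEXT_STRING, password)])])]),
            ttlv(T["BatchCount"], INTEGER, 1)]),
        ttlv(T["BatchItem"], STRUCTURE, [
            ttlv(T["Operation"], ENUMERATION, OP_QUERY),
            ttlv(T["RequestPayload"], STRUCTURE, [
                ttlv(T["QueryFunction"], ENUMERATION, QUERY_OPERATIONS)])])])


def parse_ttlv(data, start=0, end=None):
    """Decode TTLV bytes into a list of (tag, type, value); structures become nested lists."""
    end, items, pos = (len(data) if end is None else end), [], start
    while pos + 8 <= end:
        tag = int.from_bytes(data[pos:pos + 3], "big")
        item_type, length = data[pos + 3], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = pos + 8
        if item_type == STRUCTURE:
            value = parse_ttlv(data, body, body + length)
        elif item_type in (INTEGER, ENUMERATION):
            value = struct.unpack(">I", data[body:body + 4])[0]
        elif item_type == TEXT_STRING:
            value = data[body:body + length].decode("utf-8")
        else:
            value = bytes(data[body:body + length])
        items.append((tag, item_type, value))
        pos = body + length + (-length % 8)                  # skip the item and its padding
    return items


def collect(items, tag):
    """All values carrying `tag`, depth first."""
    out = []
    for t, item_type, value in items:
        if t == tag:
            out.append(value)
        if item_type == STRUCTURE:
            out.extend(collect(value, tag))
    return out


def summarize_response(data):
    """Return (result_status, result_message, operations) from a KMIP response message.
    `operations` is the Query payload's Operation list, i.e. what the KMS says it supports."""
    msg = parse_ttlv(data)
    status = (collect(msg, T["ResultStatus"]) or [None])[0]
    message = (collect(msg, T["ResultMessage"]) or [""])[0]
    payload = collect(msg, T["ResponsePayload"])
    return status, message, (collect(payload[0], T["Operation"]) if payload else [])


def kmip_query(host, port=5696, username="", password="", cafile=None):
    """Send the Query over TLS and summarize the reply. create_default_context() verifies the
    KMS certificate chain and hostname; pass cafile for a private CA rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(build_query_request(username, password))
        header = tls.recv(8)                                 # ResponseMessage tag/type/length
        body, want = b"", struct.unpack(">I", header[4:8])[0]
        while len(body) < want:
            chunk = tls.recv(want - len(body))
            if not chunk:
                raise ConnectionError("KMS closed the connection mid-response")
            body += chunk
    return summarize_response(header + body)


# Constructed sample of a successful Query response (not captured from a real KMS).
SAMPLE_RESPONSE = ttlv(T["ResponseMessage"], STRUCTURE, [
    ttlv(T["ResponseHeader"], STRUCTURE, [
        ttlv(T["ProtocolVersion"], STRUCTURE, [
            ttlv(T["ProtocolVersionMajor"], INTEGER, 1),
            ttlv(T["ProtocolVersionMinor"], INTEGER, 2)]),
        ttlv(T["BatchCount"], INTEGER, 1)]),
    ttlv(T["BatchItem"], STRUCTURE, [
        ttlv(T["Operation"], ENUMERATION, OP_QUERY),
        ttlv(T["ResultStatus"], ENUMERATION, RESULT_SUCCESS),
        ttlv(T["ResponsePayload"], STRUCTURE, [
            ttlv(T["Operation"], ENUMERATION, 0x01),        # Create
            ttlv(T["Operation"], ENUMERATION, 0x0A),        # Get
            ttlv(T["Operation"], ENUMERATION, OP_QUERY)])])])

if __name__ == "__main__":
    # Placeholder host (the article's example) and App credential placeholders.
    print(kmip_query("sdkms.fortanix.com", 5696, "<app-username>", "<app-password>"))
```

A Result Status of 0 with a non-empty operations list confirms that the port is reachable, the KMS certificate verifies, and the App credentials are accepted; a status of 1 (Operation Failed) with an authentication-related Result Message points at the username or password copied from the App. The block never disables certificate verification: if the KMS presents a certificate from a private CA, pass that CA bundle as `cafile`, which mirrors the trust vCenter establishes with Make vCenter Trust KMS.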