Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments


1.0 Introduction

This article provides step-by-step instructions for configuring Fortanix Data Security Manager (DSM) as a Key Management Server (KMS) in vSphere using the vSphere Web Client. Trust between vSphere and Fortanix DSM is established with certificates: vSphere presents a client certificate whose Common Name is the DSM app UUID, and DSM authenticates the app by that certificate. This secures communication between vSphere and Fortanix DSM and enables encryption functions such as vSphere Virtual Machine (VM) encryption and Virtual Storage Area Network (VSAN) encryption.

2.0 Product Versions Tested

The following product versions were tested:

  • Fortanix DSM version 4.32

  • VMware vSphere version 8.0 U3

3.0 Prerequisites

Before proceeding, ensure the following:

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

5.0 Using SaaS Deployment

5.1 Create VMware Instance

Perform the following steps to create an application (app) using the VMware wizard in Fortanix DSM SaaS:

  1. Sign up at https://smartkey.io/ to access DSM SaaS for the AMER region. DSM SaaS supports multiple regions, as listed here.

  2. In the DSM left navigation panel, click the Instances menu item, and then select the VMware Encryption and Key Management check box. Click ADD INSTANCE on the VMware wizard.

    Figure 2: Add VMware instance

  3. On the Add Instance page, do the following:

    1. Title: Enter a name for your instance.

    2. Authentication method: Select the API Key radio button.

      • The API Key option authenticates the application with the API Gateway.

      • The Client Certificate option authenticates the application with Fortanix DSM using a Client Certificate.

      NOTE

      Since you do not have a certificate, you must select the API key option as the authentication method to capture the UUID of the app.

    3. Set app secret key size: Select the application (app) key size from the available options in bytes.

  4. Click SAVE INSTANCE.

    Figure 3: Add instance

This action automatically creates an instance, together with a new group and app, in Fortanix DSM.

5.2 VMware Wizard Instance Detailed View

Navigate to the Integrations menu item → VMware wizard → VMware instances table. In the instance detailed view page, the following information is represented:

  • CREDENTIALS: Indicates the method used for app authentication.

    • Click CERTIFICATE to download the Client Certificate. This is applicable only if the app authentication method is Client Certificate.

    • Click COPY API KEY to view the details of API key, such as username and password. This is applicable only if the app authentication method is API Key.

  • MANAGE KEYS: Click MANAGE to oversee the keys created.

  • INSTANCE STATUS: To disable the created instance, toggle the Disabled option.

  • DELETE: To delete the instance, click the overflow menu and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

Figure 4: Detailed instance

6.0 Using On-Premises Deployment

6.1 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 5: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

6.2 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 6: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 6.1: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

7.0 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.2: Creating an Application to go to the detailed view of the app.

  2. At the top of the app's page, click the copy icon next to the app UUID. This UUID is used in Section 8.0: Generating the Certificate as the Common Name (CN) value when generating the self-signed certificate and private key.

8.0 Generating the Certificate

Perform the following steps to generate a self-signed certificate (or a CA-issued certificate) whose CN is the app UUID:

  1. Run the following command to generate a client certificate and create a new key+cert with CN=FORTANIX_APP_UUID:

    openssl req -newkey rsa:2048 -nodes -keyout sdkms.key -x509 -days 365 -out sdkms.crt

    When prompted, fill in the certificate parameters (country, state, organization, and so on) and set the Common Name (CN) to the Fortanix app UUID and nothing else.

    Figure 7: Generate client certificate
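The following shell script is an added example, not part of the Fortanix article, showing a non-interactive form of the command above: it passes the subject with -subj so the CN is exactly the app UUID (the prompt-driven form invites typing "CN=<uuid>" at the Common Name prompt, which yields a CN of "CN=<uuid>" and the "Cannot find Key" symptom described in Section 13.0), then reads the subject back with openssl x509 and checks that the CN is a bare UUID before the certificate is uploaded to DSM or vCenter. It assumes openssl is on the PATH; the APP_UUID value, the sdkms file prefix and the C/ST/O values are placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortanix article). Generates the KMS client
# certificate with the CN fixed to the DSM app UUID and checks the result.
# Assumes openssl is on PATH; APP_UUID and the C/ST/O values are placeholders.

# Extract the CN from a line printed by "openssl x509 -noout -subject" and
# accept it only if it is a bare UUID. Both "CN = x" (OpenSSL 1.1+/3) and
# "CN=x" (older releases) forms are handled. The first CN is taken on purpose:
# a subject of "CN = CN=<uuid>" is exactly the typo this check exists to catch.
cn_is_app_uuid() {
  subject_line="$1"
  cn=$(printf '%s\n' "$subject_line" \
        | grep -oE 'CN *= *[^,/]*' | head -n 1 | sed 's/^CN *= *//')
  printf '%s\n' "$cn" \
    | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Same command as in Section 8.0, but the subject is supplied with -subj so
# there is no interactive prompt to mistype. $1 = app UUID, $2 = output prefix.
gen_client_cert() {
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -keyout "$2.key" -out "$2.crt" \
    -subj "/C=US/ST=CA/O=Example Org/CN=$1" 2>/dev/null
}

# Print the subject of a PEM certificate, e.g. "subject=C = US, ..., CN = <uuid>".
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Usage: APP_UUID=<uuid copied in Section 7.0> sh gen_kms_cert.sh
if [ -n "${APP_UUID:-}" ]; then
  gen_client_cert "$APP_UUID" sdkms || { echo "openssl req failed" >&2; exit 1; }
  subj=$(cert_subject sdkms.crt)
  if cn_is_app_uuid "$subj"; then
    echo "OK, upload sdkms.crt to DSM and sdkms.crt + sdkms.key to vCenter: $subj"
  else
    echo "Refusing to use this certificate, CN is not the app UUID: $subj" >&2
    exit 1
  fi
fi
```

Run it once with APP_UUID set to the UUID copied in Section 7.0, then upload sdkms.crt in Section 9.0 and the sdkms.crt/sdkms.key pair in Section 10.3. The same check applies to the renewal certificate in Section 12.0, since the renewed CN must still be the app UUID. Once the key provider is added, `openssl s_client -connect <dsm-host>:5696 -cert sdkms.crt -key sdkms.key` is a quick way to confirm that the KMIP listener accepts a TLS handshake with that certificate.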

9.0 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 6.2: Creating an Application, click Change authentication method, and select the Certificate option.

  2. Click SAVE.

  3. In the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the certificate generated in Section 8.0: Generating the Certificate.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

10.0 Configuring KMS in vCenter Using Certificate

10.1 Configure Fortanix DSM in vCenter

You can configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.

  1. Log in to vCenter using vSphere Client UI.

  2. Navigate to the required project → Configure tab → Key Providers option.

    Figure 8: Key providers tab

  3. In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:

    • Name: A name for the KMS, for example DSM

    • Address: The IP address or host name of the Fortanix DSM cluster you are using; for example, SaaS customers use the URL of their DSM SaaS region.

    • Port: 5696 (the standard KMIP port)

    • Username: leave blank

    • Password: leave blank

      Figure 9: Add standard key provider dialog box

  4. Click Add Key Provider.

  5. Click Establish Trust → Make vCenter Trust KMS to establish trust between Fortanix DSM and vCenter, and then click TRUST.

    Figure 10: Establish trust

10.2 Uploading the Client Certificate

Perform the following steps to upload the client certificate:

  1. Paste or upload the client certificate generated in Section 8.0: Generating the Certificate (the certificate vCenter presents to the KMS) into the Upload certificate text box of the Fortanix DSM app, and save the details.

  2. Log in to the vSphere Client and navigate to Configure tab.

  3. Create a new Key Management Service:

    • Set it as the DEFAULT key provider.

    • Ensure that the User name and Password fields are empty.

      Figure 11: Create key management service

10.3 Establishing Trust with Fortanix DSM

Perform the following steps to import the key+cert to vSphere.

  1. Navigate to the ESTABLISH TRUST tab and select the Make KMS trust vCenter option.

  2. In the Choose a method section, select the method as KMS Certificate and Private Key and click NEXT.

    Figure 12: Initiate importing certificate and private key

  3. In the Establish Trust section, click UPLOAD A FILE to import the certificate and private key. Click the ESTABLISH TRUST option.

    Figure 13: Importing certificate and private key

11.0 Set Up Encrypted VM

Perform the following steps to configure the encrypted VM:

  1. Create a VM and select the default VM Encryption Policy.

    Figure 14: Create a VM

  2. Click FINISH to finalize the VM creation process.

    Figure 15: VM created

  3. Log in to Fortanix DSM and review the audit logs to monitor the connection; the logs record every cryptographic operation performed by the app and any keys created.

    Figure 16: Audit logs showing crypto operations

    Figure 17: Security object created

11.1 Rotate or Re-encrypt the Keys

In the ever-changing landscape of cybersecurity, the regular rotation and re-encryption of keys are essential to upholding the integrity and security of sensitive data within VMware vSphere 7.0.

Rotating keys involves periodic updates to the cryptographic keys used for encryption, authentication, and other security processes. This proactive approach mitigates the risk of prolonged exposure to potential vulnerabilities. In VMware vSphere 7.0, the seamless rotation of keys ensures that cryptographic materials remain resilient against emerging threats.

Re-encrypting keys is a complementary process that enhances the overall security posture. By periodically updating encryption algorithms or re-encrypting data with stronger cryptographic standards, the defence against evolving cyber threats is fortified. This measure aligns with a commitment to staying ahead of the curve and maintaining the highest standards of data protection.

Implementing a robust key management strategy within VMware vSphere 7.0 demonstrates dedication to cybersecurity best practices. This approach not only safeguards digital assets but also instills confidence in stakeholders, assuring them that top-notch security protocols are adhered to in today's interconnected and dynamic business environment.

Perform the following steps to rotate or re-encrypt the keys in vSphere Client:

  1. Select the target VM for the key rotation procedure.

    Figure 18: Select re-encrypt

  2. Click the Re-Encrypt option to generate a new key within the Fortanix KMS. The virtual machine then re-encrypts using a new key obtained from the current cluster's default key provider.

  3. After the re-encryption process is completed, a newly generated key is added to the KMS interface.

    Figure 19: Key created

12.0 Renew the VM Trust Certificates

If your KMS certificate has expired, the connection status might change and vCenter shows the key provider as Not Connected.

Figure 20: Error screen

Perform the following steps to renew the VM trust certificates:

  1. Log in to the vSphere Client and navigate to Configure tab.

  2. Locate and click the ESTABLISH TRUST → Make KMS trust vCenter option from the drop-down menu.

  3. On the Make KMS Trust vCenter dialog box, perform the following:

    1. In the Choose a method tab, select the KMS certificate and private key radio button.

    2. Click NEXT.

    3. In the Upload KMS Credentials tab, upload the KMS certificate and KMS Private Key in the respective fields.

    4. Click ESTABLISH TRUST.

  4. Locate and click the ESTABLISH TRUST → Make vCenter Trust KMS option from the drop-down menu.

  5. On the Make vCenter Trust KMS dialog box, verify the details and click TRUST to initiate the renewal of the KMS certificate.

    Figure 21: Renew KMS certificate

  6. After the KMS certificate is updated, click Trust to confirm the updated KMS certificates in the prompted dialog box.

    Figure 22: Trust Button

    Figure 23: Connection status

  7. If the KMS application certificate has expired, run the following OpenSSL command to generate a new certificate and private key, using the same UUID of the app created in Section 6.2: Creating an Application as the CN:

    openssl req -newkey rsa:2048 -nodes -keyout renewsdkms.key -x509 -days 365 -out renewsdkms.crt

  8. Upload renewsdkms.crt to the Fortanix DSM app associated with VMware.

  9. Upload the same renewsdkms.crt and renewsdkms.key files in VMware.

    Figure 24: Upload the certificates

  10. Click ESTABLISH TRUST.

    After the trust is established, the connection is updated as shown in the following figure:

    Figure 25: Updated connection status

    For detailed information, refer to the Fortanix DSM VSAN KMIP demo.

12.1 Remove the Fortanix KMS

Perform the following steps to delete the Fortanix KMS from VMware:

  1. Select the VM from which encryption is to be removed.

  2. Navigate to the Summary tab and select the VM Policies → Edit VM Storage Policies option from the nested menu.

    Figure 26: VM policies

  3. On the Edit VM Storage Policies page, select Datastore Default from the drop-down menu.

    Figure 27: Datastore default

  4. Click OK to confirm the action.

The storage policy is reconfigured and the VM is decrypted.

Figure 28: Select encryption

12.2 Migrate the Virtual Machine Disk File

This section describes how to migrate a Virtual Machine Disk (VMDK) file from one vCenter to another while keeping the KMS settings consistent, so that the VM is restored with its key retrieved from the Fortanix KMS.

Perform the following steps:

  1. Locate and copy the VMDK file from the datastore or storage associated with vCenter 1.

  2. Configure vCenter 2 with the same KMS name, endpoint, and certificate as vCenter 1.

    Figure 29: Reconfigure the vCenter

  3. Paste the copied VMDK file into the datastore or storage of vCenter 2.

    Figure 30: Edit key provider

  4. After restoring the VMDK file in vCenter 2, the key will be automatically fetched from the Fortanix KMS.

12.3 Virtual Trusted Platform Module with Fortanix DSM

A Virtual Trusted Platform Module (vTPM) is a software version of a hardware TPM, a chip designed to enhance hardware security using integrated cryptographic keys. In VMware environments, vTPM offers the same security features for virtual machines (VMs) that physical TPMs provide for physical machines, enhancing VM security with encryption, secure boot, and other advanced security capabilities.

12.3.1 Key Benefits

  • Enhanced Security: vTPM boosts VM security with features like measured boot, ensuring the VM starts in a trusted state.

  • Compliance: vTPM aids in meeting security compliance requirements that mandate TPM use.

  • Encryption Support: vTPM supports full-disk encryption and other cryptographic operations.

  • Platform Integrity: vTPM maintains the integrity of the virtual platform by validating the boot process and safeguarding sensitive data.

12.3.2 Setting Up vTPM in VMware

  1. VMware vSphere Prerequisites:

    • vSphere Version: vSphere 6.7 or later must be installed.

    • ESXi Host: Virtual hardware version 14 or later must be supported.

  2. Prerequisites for configuring vTPM:

    • Firmware: Set the VM's firmware to UEFI.

    • Key Management: Optionally, configure key management services (KMS) for key handling and encryption operations.

  3. Enabling vTPM:

    1. Create a new VM or power off an existing VM.

    2. In the vSphere Client window, right-click the VM and select the Edit Settings option.

    3. Navigate to the Virtual Hardware tab, click the ADD NEW DEVICE option, and select the Trusted Platform Module option from the drop-down menu.

      Figure 31: Trusted platform module option

    4. Click OK to save the settings and turn on the VM.

    5. After adding the vTPM and powering on the VM, review the key in Fortanix Key Management. To view the details of the key, log in to the Fortanix DSM UI and navigate to the Security Objects menu item → select the required key → ATTRIBUTES/TAGS tab.

      Figure 32: New KMIP key is created

      Figure 33: Attributes or tags of the security object

13.0 Troubleshooting and Support

PROBLEM: Error “Cannot find Key” or “Unable to start or re-encrypt” after successful certificate renewal and establishing trust with Fortanix DSM.

RESOLUTION: Check the newly generated certificate (DSM UI: Apps → View Certificate). If the CN does not look like the figure below (the CN value should be the app UUID alone, not “CN=xxx”), correct the CN and regenerate the certificate as described in Section 8.0: Generating the Certificate.