1.0 Introduction
This article describes how to use Fortanix Data Security Manager (DSM) for VM encryption through VMware Cloud Director. It also contains the information that a user requires for:
Facilitating the communication and authentication between Fortanix DSM and vCenter using the KMIP interface
Setting up Fortanix DSM
Exposing the VM Encryption storage policy to tenants
Enabling the VM Encryption storage policy for VM encryption
2.0 KMIP and Certificate Requirements
The Key Management Interoperability Protocol (KMIP) is used for communication between vCenter and Fortanix DSM. KMIP runs over Transport Layer Security (TLS), which protects the connection, and Fortanix DSM also authenticates the KMIP client (here, with the app credentials created in Section 3.5) before that client can create, retrieve, and use the keys stored inside Fortanix DSM.
2.1 Prerequisites
A vCenter connected to VMware Cloud Director 10.0 or later is installed and operational.
Fortanix DSM version 3.20 or later.
Fortanix DSM is installed and operational, and is reachable from vCenter on TCP port 5696 (the default KMIP port) or on the custom KMIP port you configured.
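The reachability prerequisite above is worth checking from the vCenter side of the network before anything is typed into the vSphere Client, because the KMS address cannot be changed later (Section 2.2). The following added example (not Fortanix or VMware code) opens a TLS connection to the DSM KMIP port, fetches the server certificate, and checks that the address you intend to enter in vCenter appears in the certificate and that the certificate is inside its validity window. The host name, the optional CA file, and SAMPLE_CERT are assumptions or constructed data.

```python
"""Pre-flight check of the Fortanix DSM KMIP endpoint.

Run it from a host on the same network path as vCenter. Added example, not
Fortanix or VMware code; host names, the CA file path and SAMPLE_CERT are
assumptions / constructed data.
"""
import socket
import ssl
import time

KMIP_PORT = 5696  # default KMIP port listed in the prerequisites


def fetch_server_cert(host, port=KMIP_PORT, cafile=None, timeout=5.0):
    """Handshake with host:port and return the peer certificate as the dict
    ssl.SSLSocket.getpeercert() produces. Chain verification stays on (pass
    cafile for a private CA); hostname matching is left to check_kms_cert so
    that a mismatch is reported as a clear message, not a bare exception."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost-label wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_names(cert):
    """DNS and IP names the certificate covers (SAN first, CN as fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def check_kms_cert(cert, expected_host, now=None):
    """Return a list of problems; an empty list means the certificate is
    usable for the address vCenter will be configured with."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(_name_matches(n, expected_host) for n in names):
        problems.append(f"{expected_host} is not among the certificate names {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


# Constructed sample in the shape getpeercert() returns, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "dsm.example.internal"),),),
    "subjectAltName": (
        ("DNS", "dsm.example.internal"),
        ("DNS", "*.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def preflight(host, port=KMIP_PORT, cafile=None):
    """Live check against a real DSM; returns the list of problems found."""
    try:
        cert = fetch_server_cert(host, port, cafile)
    except (OSError, ssl.SSLError) as exc:
        return [f"cannot complete TLS handshake with {host}:{port}: {exc}"]
    return check_kms_cert(cert, host)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "app.<fortanix_dsm_url>"  # assumed address
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for line in preflight(host, cafile=cafile) or ["OK: certificate usable for " + host]:
        print(line)
```

Run it as `python3 kmip_preflight.py <dsm-host> [ca.pem]`. A handshake failure points at a firewall or wrong port; a name mismatch means the address you were about to enter in Section 4.1 is not one the DSM certificate was issued for, which is cheaper to discover now than after the provider has been added.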
2.2 Considerations
The following are key points to understand about using Fortanix DSM for VM encryption:
VMs must be powered off before the VM encryption storage policy is applied.
vCenter supports only one (1) external KMS at a time, and the IP address of the KMS cannot be altered once configured, so decide on the Fortanix DSM address you will enter in Section 4.1 before adding the key provider.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>, for example https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging In
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
Click the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to add a new group.
Figure 2: Add Groups
On the Adding new group page, enter the following details:
Title: Enter a title for your group.
Description (optional): Enter a short description for the group.
Click the SAVE button to create the new group.
The new group has been added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the + button on the Apps page to add a new app.
Figure 3: Add Application
On the Adding new app page, enter the following details:
App name: Enter the name of your application.
Interface: Select KMIP from the drop-down menu. The field is optional in the DSM UI, but vCenter talks to Fortanix DSM only over KMIP, so it must be set to KMIP for this integration.
ADD DESCRIPTION (optional): Enter a short description for the application.
Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list. The app can only see and create keys in the groups it is assigned to.
Click the SAVE button to add the new application.
The new application has been added to the Fortanix DSM successfully.
3.5 Copying the App UUID
Perform the following steps to copy the app UUID from the Fortanix DSM:
Click the Apps menu item in the DSM left navigation bar and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click the VIEW API KEY DETAILS button.
Click the USERNAME/PASSWORD tab.
From the Credentials Details dialog box, copy the Username (the app UUID) and Password of the app; they are used later in Section 4.1: Configure Fortanix DSM in vCenter. Treat the password as a secret: it is the credential vCenter uses to authenticate to Fortanix DSM.
4.0 Configure vCenter Key Management Settings
You may configure Fortanix DSM as an external KMS in vCenter using the vSphere Client UI.
4.1 Configure Fortanix DSM in vCenter
Log in to vCenter using vSphere Client UI.
Navigate to Configure → Key Providers.
Figure 4: vSphere Client UI
In the Key Management ADD STANDARD KEY PROVIDER form, enter the following details:
Name: A name for the key provider, for example DSM.
Address: The Fortanix DSM host name or IP address that vCenter will connect to; in this example, app.<fortanix_dsm_url>. Remember that this address cannot be changed once the provider is added (Section 2.2).
Port: 5696 (or your custom KMIP port).
Username: The app UUID copied from the Fortanix DSM app in Section 3.5.
Password: The password copied from the Fortanix DSM app in Section 3.5.
Figure 5: Key Management Configuration Details
Figure 6: Username and Password from Data Security Manager
Figure 7: Key Management Configuration Details
Click Add Key Provider.
Establish trust between Fortanix DSM and vCenter by clicking Establish Trust → Make vCenter Trust KMS, then click TRUST. This makes vCenter accept the server certificate that Fortanix DSM presents on the KMIP connection; without it, vCenter cannot complete the TLS connection to the key provider.
Figure 8: Establish Trust
4.2 Expose VM Encryption Policy to Tenants
As a service provider, make sure you expose the VM encryption storage policy to the tenants.
Log in to the VMware Cloud Director provider portal.
Click Organization VDCs and enable VM encryption policy for the organization.

Figure 9: Enable VM Encryption Policy
4.3 Tenants Apply VM Encryption Storage Policy to VM
The tenants can apply the VM encryption storage policy to the VM(s) they want to encrypt.
Tenants log in to the VMware Cloud Director tenant portal.
Click the VM that needs to be encrypted. Make sure that the VM is powered off (see Section 2.2).
Figure 10: Tenant Portal
Apply VM Encryption storage policy to the VM.
Figure 11: Apply VM Encryption Policy
Figure 12: VM Encryption Policy
4.4 Verification of Fortanix DSM
Service providers can log in to Fortanix DSM to view the logs of the KMIP connection from vCenter and to confirm that the encryption key was created in the group assigned to the app.

Figure 13: Connection Logs

Figure 14: Encryption Key Created
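The same verification can be scripted from the provider side instead of read off the Figure 13 and Figure 14 screens, which is useful when many tenants encrypt VMs and you want to reconcile what vCenter requested with what DSM holds. The following is an added example, not Fortanix or VMware code. It assumes two DSM REST endpoints: POST /sys/v1/session/auth, which logs an app in with HTTP Basic authentication of "<app UUID>:<password>" (the values copied in Section 3.5), and GET /crypto/v1/keys, which lists the security objects visible to that app; the response field names used in SAMPLE_KEYS are likewise assumptions to confirm against the API reference for your DSM version, and SAMPLE_KEYS itself is constructed. Because an app only sees the groups it is assigned to, run it with the vCenter app or another app in the same group.

```python
"""Provider-side check that vCenter's KMIP calls produced a key in Fortanix DSM,
via the DSM REST API rather than the web UI.

Added example, not Fortanix or VMware code. The endpoints, the Basic-auth
login and the field names in SAMPLE_KEYS are assumptions; SAMPLE_KEYS is
constructed sample data.
"""
import base64
import json
import urllib.request

DSM_URL = "https://<Your_DSM_Service_URL>"  # for example https://eu.smartkey.io


def app_login(dsm_url, app_uuid, app_password, timeout=10):
    """Exchange the app's username/password for a short-lived bearer token."""
    basic = base64.b64encode(f"{app_uuid}:{app_password}".encode()).decode()
    req = urllib.request.Request(
        f"{dsm_url}/sys/v1/session/auth", method="POST",
        headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def list_keys(dsm_url, token, timeout=10):
    """All security objects visible to the app (only its assigned groups)."""
    req = urllib.request.Request(
        f"{dsm_url}/crypto/v1/keys",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def recent_vm_encryption_keys(keys, since, group_id=None):
    """Keys vSphere VM encryption would have requested: AES objects created at
    or after `since`, newest first. `since` uses DSM's fixed-width UTC stamp
    (assumed format, e.g. "20240510T000000Z"), which compares chronologically
    as a plain string."""
    matched = [
        k for k in keys
        if k.get("obj_type") == "AES"
        and (group_id is None or k.get("group_id") == group_id)
        and k.get("created_at", "") >= since
    ]
    return sorted(matched, key=lambda k: k["created_at"], reverse=True)


def describe(keys):
    """One line per key, the same facts the DSM UI shows in Figure 14."""
    return [f'{k["created_at"]} {k["obj_type"]}-{k.get("key_size", "?")} '
            f'{k["name"]} (kid {k["kid"]}, group {k.get("group_id")})' for k in keys]


SAMPLE_KEYS = [  # constructed, in the assumed shape of a GET /crypto/v1/keys response
    {"kid": "k-1", "name": "vm-kek-7f3a", "obj_type": "AES", "key_size": 256,
     "group_id": "g-vmware", "created_at": "20240510T101500Z"},
    {"kid": "k-2", "name": "vm-kek-9c21", "obj_type": "AES", "key_size": 256,
     "group_id": "g-vmware", "created_at": "20240510T114200Z"},
    {"kid": "k-3", "name": "old-aes", "obj_type": "AES", "key_size": 256,
     "group_id": "g-vmware", "created_at": "20231201T090000Z"},
    {"kid": "k-4", "name": "tls-signing", "obj_type": "RSA", "key_size": 2048,
     "group_id": "g-vmware", "created_at": "20240510T120000Z"},
    {"kid": "k-5", "name": "other-team", "obj_type": "AES", "key_size": 256,
     "group_id": "g-other", "created_at": "20240510T130000Z"},
]


def verify_vm_encryption(dsm_url, app_uuid, app_password, since, group_id=None):
    """Live check: log in, list, filter. Returns the matching key records."""
    token = app_login(dsm_url, app_uuid, app_password)
    return recent_vm_encryption_keys(list_keys(dsm_url, token), since, group_id)


if __name__ == "__main__":
    import os
    # Credentials come from the environment so they never land in shell history.
    found = verify_vm_encryption(
        os.environ.get("DSM_URL", DSM_URL), os.environ["DSM_APP_UUID"],
        os.environ["DSM_APP_PASSWORD"], since="20240510T000000Z")
    print("\n".join(describe(found)) or "no AES keys created since the cut-off")
```

Set DSM_APP_UUID and DSM_APP_PASSWORD to the values from Section 3.5 and pick a `since` just before the tenant applied the storage policy; one new AES-256 object per encrypted VM is the expected outcome, and an empty result usually means the wrong group or an app that is not assigned to the vCenter group.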