Using Fortanix Data Security Manager with VMware Cloud Director Encryption Management

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with the VMware Cloud Director Encryption Management Service solution to empower tenant administrators with the authority to manage encryption keys for virtual machines (VMs) within their respective virtual data centers (VDCs).

Traditionally, only provider administrators possessed the capability to configure key providers through VMware vSphere. However, the updated approach allows each tenant to configure their own individual Key Management Server (KMS). Tenant administrators now have the authority to authenticate with and allocate encryption keys from their KMS to their respective VDCs, significantly enhancing control and security within VMware Cloud Director environments.

2.0 Product Versions Tested

The following product versions were tested:

• Fortanix DSM version 4.27.

• VMware Cloud Director version 10.5.1.

• VMware Cloud Director Encryption Management version 1.1.

3.0 Prerequisites

Before proceeding, ensure the following:

• Fortanix DSM version 4.27 or later.

• The target environment is at the following software versions or higher:

  • VMware Cloud Director version 10.5.1.

  • VMware Cloud Director Encryption Management version 1.1.

  Refer to the VMware’s Before you begin section in Installing and Configuring VMware Cloud Director Encryption Management as a Cloud Provider.

4.0 Architecture Diagram

The architecture diagram illustrates the integration of Fortanix DSM with VMware Cloud Director for managing encryption keys across multiple VDC tenants. Fortanix DSM functions as the central key management solution, securely interfacing with vCenter to allow the management of keys across multiple customer tenants.

At the top level, customers configure their VDC tenants to use Fortanix DSM as a key provider, entering their credentials to allow secure communication. This integration allows the creation of keys within Fortanix DSM to encrypt the customer’s VMs.

Beneath Cloud Director, a shared vCenter orchestrates resources across different customer environments, labelled as Alpha and Bravo Customer VDC Tenants. Each tenant can have multiple VMs that are encrypted.

This setup ensures that a customer can encrypt their VMs and have full ownership and control of the keys, within their isolated Fortanix DSM accounts. The provider has no access to the customer’s keys.

5.0 Infrastructure Setup

This section describes the steps required to set up the foundational infrastructure components, including the creation of the Provider VDC, Organizations, Organization VDC, the Encryption Management Catalog, and the configuration of Solution Add-Ons.

5.1 Creating the Provider VDC

Perform the following steps to create a Provider Virtual Data Center:

1. Navigate to the Resources (top navigation) → Cloud Resources → Provider VDCs → New.

2. On the New provide VDC form, do the following:

   1. In the General page, provide a valid name and description. Enable the State option using the toggle button. Click NEXT.

      

   2. In the Provider page, select the required vCenter. Click NEXT.

      

   3. In the Resource Pool page, select the cluster for the resource pool. Select the Highest supported hardware version from the drop down menu. Click NEXT.

      

   4. In the Storage page, select all the listed storage policies. Click NEXT.

      

   5. In the Network Pool page, select the No network pool radio button. Click NEXT.

      

   6. In the Ready to Complete page, review all the parameters. Click FINISH.

      

      Wait until the status shows as Normal.

      

5.2 Creating the Organizations

Perform the following steps to create a new Organization:

If you already have an existing Organization and Organization VDC, you can skip to Section 7.0: Configure VMware Encryption Management.

1. Navigate to Resources (top navigation) → Cloud Resources → Organizations → New.

2. On the New Organization page, enter the name and full name of the organization. For example, AlphaCustomer.

   

3. Click CREATE.

4. Similarly, create another Organization. For example, Catalog.

   

5.3 Creating the Organization VDC

Perform the following steps to create an Organization VDC:

1. Navigate to Resources (top navigation) → Cloud Resources → Organization VDCs → New.

2. On the New Organization VDC dialog box, do the following:

   1. In the General page, provide a name and description. Select the Enable the Organization VDC check box. Click NEXT.

      

   2. In the Organization page, select the required organization. Click NEXT.

      

   3. In the Provider VDC page, select the required Provider VDC radio button. Click NEXT.

      

   4. In the Allocation Model page, select the Allocation pool option. Click NEXT.

      

   5. In the Allocation Pool page, set the resources values. For example, CPU allocation as 4, Memory allocation as 30, and so on. Click NEXT.

      

   6. In the Storage Policies page, select all the storage policies. Enable the toggle button for Thin provisioning option. Click NEXT.

      

   7. In the Network Pool page, the toggle button for Specify Network Pool can be disabled. Click NEXT.

      

   8. In the Ready to Complete page, review all the parameters. Click FINISH.

      

      Wait until the status shows as Normal.

      

3. Similarly, create another Organization VDC. For example, Catalog.

   

   Wait until the status shows as Normal.

   

5.4 Creating the Catalog for Encryption Management

Perform the following steps to create a catalog under the content hub of an Organization VDC:

1. Click the icon to open the new window for Tenant Portal.

   

2. Navigate to Content Hub → Catalogs → NEW.

3. On the Create Catalog dialog box, do the following:

   1. Enter a name of the catalog. For example, Encryption Management.

   2. Enable the toggle button for Pre-provision on specific storage policy.

   3. Set the Any option for both Org VDC and Storage Policy fields.

   4. Click OK.

      

      Wait until the status shows as Ready.

      

4. Navigate to Networking (top navigation) → New.

5. On the New Organization VDC Network dialog box, do the following:

   1. In the Scope page, select the Organization Virtual Data Center radio button and select the required VDC. For example, Catalog. Click NEXT.

      

   2. In the Network Type page, select the radio button for Direct option. Click NEXT.

      

   3. In the General page, enter a valid name. For example, VM Network. Keep the Shared toggle button disabled. Click NEXT.

      

   4. In the External Network Connection page, select the VM Network radio button. Click NEXT.

      

   5. In the Ready to Complete page, review all the parameters. Click FINISH.

      

5.5 Configuring the Solution Add-on Management

Perform the following steps to configure the Solution Add-On Management:

1. Return to the Provider portal and navigate to More (top navigation) → Solution Add-on Management → CONFIGURE.

   

2. Read the description of Solution Add-On Landing Zone and click NEXT.

   

3. On the General Settings page, do the following:

   1. Organization: Select the value from the drop down menu to store the Catalog.

   2. Catalog: Select the name of the catalog from the drop down menu. For example, Encryption Management.

   3. Organization VDCs: Select the required Organization VDC from the drop down menu.

   4. Click NEXT.

   

4. Click the Overflow iconin the first column and select the Configure option.

   

5. On the Configure Catalog dialog box, do the following:

   1. In the Network page, select the Add Network → VM Network options.

   2. In the Compute Policies page, select the Add Compute Policy → System Default options.

   3. In the Storage Policies page, select the Add Storage Policy → any (*) options.

   4. Click SAVE to keep the changes.

   5. Click NEXT to proceed further.

   6. In the Review and Create page, check the settings and then click FINISH.

      

   7. Download the VMware Encryption Management ISO file from here.

   8. Click UPLOAD.

      

   9. Click Browse Files and select the required file from your system. For example, VMware-Cloud-Director-Encryption-Management-110.iso.

   10. Select the Create add-on instance after upload is completed check box.

   11. Click UPLOAD.

       

   12. Review the summary and click FINISH.

       

   13. In the Accept Licenses page, select the I Agree to the license check box.

   14. On the Input Parameters page,

       1. Leave the Add-On Instance Name as the default.

       2. Select the Deployment Configuration from the drop down menu. For example, Medium (4 vCPU, 8GB Memory).

       3. Select the Global Role as Organization Administrator.

          

       4. Click NEXT and then click FINISH.

          

          

   NOTE

   Ensure that the Bring Your Own Encryption (BYOE) instance is in READY state before proceeding further.

6. Log in to the vSphere Web Client and observe the creation of several VMs under the resource pool for the target VDC.

   

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group. For example, AlphaCustomer.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

6.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 6.4: Creating an Application to go to the detailed view of the app. 

2. From the top of the app’s page, click the copy icon next to the app UUID to copy it to use in Section 6.6: Generating the Certificate as the value of Common Name (CN) to generate a self-signed certificate and a private key.

6.6 Generating the Certificate

Run the following command to generate a certificate:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN={App UUID}"

6.7 Updating the Authentication Method

Perform the following steps to change the authentication method:

1. Go to the detailed view of the app created in Section 6.4: Creating an Application and click Change authentication method and select the Certificate option to change the authentication method to Certificate.

2. Click SAVE.

3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the cert.pem certificate generated in Section 6.6: Generating a Certificate.

4. Select both check boxes to confirm your understanding of the action.

5. Click UPDATE to save the changes.

NOTE

Within the same or different Fortanix DSM account, repeat all the steps mentioned in Section 6.2: Creating an Account through Section 6.7: Updating the Authentication Method to be used as the default Key Provider for vCenter.

7.0 Configure VMware Encryption Management

This section describes the steps required to provision VMware Encryption Management for a VMware Cloud Director (vCD) tenant using the Fortanix DSM.

7.1 Configuring vCenter Key Provider

Perform the following steps to configure the vCenter Key Provider:

1. Connect directly to the vCenter using the vSphere Web Client.

2. Configure a Standard Key Provider as per Using Fortanix Data Security Manager as a KMS to Secure VMware Virtual Environments using the cert.pem and key.pem obtained in Section 6.6: Generating a Certificate.

   

7.2 Configuring VMware Encryption Management in Provider Portal

Perform the following steps to configure the VMware Encryption Management within the Provider Portal:

1. Navigate to the More → Encryption Management → Get Started.

2. On the Onboard Key Provider dialog box, do the following:

   1. Name: Enter the name of the key provider to create. For example, AlphaCustomer.

   2. Description: Enter a description for the key provider.

   3. Icon: Browse any image that you to display as an icon.

   4. Address: Enter the valid Fortanix DSM endpoint. For example, eu.smartkey.io.

   5. Port: Enter the KMIP port as 5696.

   6. Click NEXT.

      

   7. In the vCenter Information page, select the target vCenter resource.

   8. Provide the vCenter Credentials and click Register.

   9. Review and Trust the KMS certificate when presented.

      

   10. Click Publish available adjacent to the name of the Key Provider.

   11. Select the target Tenant Organization and click PUBLISH.

       

7.3 Configuring Key Provider in Tenant Portal

Ensure that a new Fortanix DSM group and app is created using the certificate-based authentication for the specific Organization. For more information, refer to Section 6.0: Configure Fortanix DSM.

Perform the following steps to configure the Key Provider in the Tenant Portal:

1. Log in to the Cloud Director Tenant Portal for the specified Organization.

2. Navigate to More → Encryption Management. This screen displays the Key Providers published by the provider.

   

3. Click CONFIGURE.

4. On the next screen, select the Client certificate radio button to change the authentication method.

5. In the Certificate and Private Key boxes, paste the content of cert.pem and key.pem respectively.

6. Click REGISTER.

7. Click GENERATE KEY and select the Organization VDC from the available list. This key will be generated in the associated Fortanix DSM group.

   

8. Click SUBMIT.

   

7.4 Encrypting the VM

Perform the following steps to encrypt a VM:

1. Navigate to Applications (top navigation) → Virtual Machines.

2. Click NEW VM and provision a new VM for encryption.

3. Click the name of the VM created and EDIT.

4. On the Edit VM page, do the following:

   1. Select the Storage Policy.

   2. Select VM Encryption Policy from the drop down menu.

   3. Click Save.

5. Navigate to the General tab for the VM and click Edit.

6. Update the Storage Policy to VM Encryption Policy.

7. Click Save to keep the changes.

The VM KEK in DSM will be retrieved and used to encrypt the VM.

7.5 Verifying Encryption Status

Verify that the VM is encrypted using the tenant KMS.

• VMware Cloud Director Tenant Portal

  

• VMware vCenter vSphere Client

  

• Fortanix DSM Account

  

7.6 Auditing and Logging

Create another VM as per Section 7.4: Encrypting the VM and observe the Fortanix DSM Account audit log.