Traditional KMS servers provide other features that NKP does not. For example, they may offer a hardware root of trust in a hardware security module; they also provide certifications and compliance guarantees.
So, if you only want to protect your vSphere environment, you no longer need to pay for this software via external channels, as was the case with vSphere 6.7 or vSphere 6.5. But most likely you won't get all the functions that traditional KMS solutions provide. There is a reason why paid KMS solutions exist.
You can use the NKP feature for vSAN encryption, which offers data-at-rest and data-in-transit encryption, as well as for vSphere VM encryption, to protect your data. You can also set up secure boot of ESXi servers and protect the boot environment.
vSphere 7 Update 2 supports TPM 2.0, which is able to seal sensitive information by using a TPM policy based on PCR values for UEFI Secure Boot.
VMware KMS is a necessary part of the configuration when you want to use vSphere Virtual Machine (VM) encryption to perform encryption operations. What you have to do is connect your vCenter Server to a KMS/Key Provider.
Note: This does not mean that you can't continue to use your KMS if you have previously purchased that software from your vendor.
You should also get the TPM 2.0 hardware for your servers. This is a hardware component designed to securely store information, such as credentials or measurements. It costs about $40.
Setup of Native Key Provider (NKP)
First, create the key provider. You'll need to log in to the vCenter Server with the vSphere Web Client and select the vCenter Server in the inventory list.
Click Configure > Key Management Servers or Key Providers.
Click Add Native Key Provider, complete the required information, and click Add Key Provider.
After it is clicked, a pop-up window asks you for a name. Enter a meaningful name.
Once done, you can select the key provider from the list (in our case, we have only one); you'll see that the status says "not backed up" and that there is a button enabling you to perform a backup. You must back up the vSphere NKP before you can use it.
Click the button, and you'll see another pop-up window. You can see that the "Protect Native Key Provider data with password" option is unchecked.
Check the box and click the Backup Key Provider button to proceed with password creation.
The result is a p12 file, which is automatically saved in your default browser location. In my lab example, it is in the usual Windows Downloads directory. You can then place it on a USB stick or upload it to a secure cloud location.
In the notification area, click Constraints. A message is displayed indicating that this KMS is "Available only on TPM protected ESXi hosts". If you remember, at the beginning of our tutorial, we checked the box saying that our hosts have the TPM hardware installed.
The TPM hardware should be configured in each ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (first-in, first-out) interface, not the command response buffer (CRB).
Note: vSphere NKP is backed up as part of the vCenter Server file-based backup (if you set it up). However, you must back up the vSphere NKP at least once before you can use it.
vCenter Server creates an alarm if the NKP has not been backed up. If this happens, it will send you a notification every 24 hours. I think it's good to know when planning your infrastructure deployments or upgrades.
Another very important tip: when creating the backup of the NKP, you should be logged in to the vCenter Server via its fully qualified domain name (FQDN) and not via its IP address. If not, the backup will not finish.
If you're using Enhanced Link Mode configuration with several vCenter Servers linked together, you must do this backup on the vCenter Server to which the key provider belongs.
The backup process might take some time, as the vCenter Server needs to push the information to all ESXi hosts in the data center. The status changes from Not Backed Up to Warning to Active. Once done, you're good to go and can continue with the other tasks required before using encryption in your vSphere environment.
Some tips for using TPM
If you want to protect your data against theft, you should buy TPMs for your servers and store the keys in the TPM instead of on the boot devices. If someone steals a few hard drives from a host, they most likely will not be able to walk away with the heavy server itself, and the keys sealed in its TPM stay behind.
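The two points above, that the TPM seals a secret to a PCR policy and that a key sealed this way is useless on stolen drives, can be shown with a small model. This is an added teaching example, not code from the article or from VMware; the "TPM" is a simplified class with a constructed boot chain, and the boot-stage strings stand in for real firmware and bootloader measurements.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

INITIAL_PCR = b"\x00" * 32   # PCRs start at all-zero on every power-on

class ToyTpm:
    """Minimal model of sealing a key to a SHA-256 PCR policy (teaching aid, not a real TPM)."""

    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)  # unique per chip, never exported
        self.pcr = INITIAL_PCR

    def extend(self, measurement: bytes) -> bytes:
        # PCR_new = SHA256(PCR_old || SHA256(measurement)); the order of boot stages matters
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(measurement).digest()).digest()
        return self.pcr

    def reboot(self) -> None:
        self.pcr = INITIAL_PCR

    def _policy_key(self, policy_pcr: bytes) -> bytes:
        # wrapping key depends on this chip's root key AND the expected PCR value
        return hashlib.sha256(self._root_key + policy_pcr).digest()

    def seal(self, secret: bytes) -> Dict[str, bytes]:
        assert len(secret) == 32, "model wraps exactly one 32-byte key"
        key = self._policy_key(self.pcr)                   # current PCR becomes the policy
        blob = bytes(s ^ k for s, k in zip(secret, key))   # XOR with a one-use key stream
        tag = hmac.new(key, self.pcr + blob, "sha256").digest()
        return {"policy_pcr": self.pcr, "blob": blob, "tag": tag}

    def unseal(self, sealed: Dict[str, bytes]) -> Optional[bytes]:
        # refuse unless the live PCR equals the sealed policy; a different chip fails the tag
        if self.pcr != sealed["policy_pcr"]:
            return None
        key = self._policy_key(sealed["policy_pcr"])
        expected = hmac.new(key, sealed["policy_pcr"] + sealed["blob"], "sha256").digest()
        if not hmac.compare_digest(sealed["tag"], expected):
            return None
        return bytes(b ^ k for b, k in zip(sealed["blob"], key))

def boot(tpm: ToyTpm, boot_chain: List[bytes]) -> None:
    tpm.reboot()
    for stage in boot_chain:          # measured boot: each stage is extended into the PCR
        tpm.extend(stage)

# Constructed stand-ins for measured boot stages (real values are firmware/bootloader hashes)
GOOD_CHAIN = [b"UEFI firmware", b"signed ESXi bootloader", b"ESXi kernel"]
TAMPERED_CHAIN = [b"UEFI firmware", b"patched ESXi bootloader", b"ESXi kernel"]

def demo() -> Tuple[bool, bool, bool]:
    host_tpm, other_tpm = ToyTpm(), ToyTpm()
    host_kek = secrets.token_bytes(32)          # key protecting the host's encrypted boot device
    boot(host_tpm, GOOD_CHAIN)
    sealed = host_tpm.seal(host_kek)            # sealed blob can live on the boot device
    boot(host_tpm, GOOD_CHAIN)
    same_host_ok = host_tpm.unseal(sealed) == host_kek
    boot(host_tpm, TAMPERED_CHAIN)
    tampered_rejected = host_tpm.unseal(sealed) is None
    boot(other_tpm, GOOD_CHAIN)                 # drives moved to another, identical server
    other_host_rejected = other_tpm.unseal(sealed) is None
    return same_host_ok, tampered_rejected, other_host_rejected
```

`demo()` returns `(True, True, True)`: the same host with the same boot chain gets its key back, a modified bootloader changes the PCR and the unseal is refused, and another server's TPM cannot open the blob even with an identical boot chain.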
Make a backup of your keys and set a password; then, be sure to put it in a safe location. You can use a USB key or online storage in a cloud location, but be sure that you and a member of your security team are the only ones that have access.
Be sure you protect your file-level backup of your vCenter Server Appliance (VCSA), as those keys are backed up via this mechanism. If anyone gets their hands on those backups, they pretty much have access to your encrypted environment, as they can recover the keys from those backups.
As you can see, setting up the NKP is pretty seamless. I hope that you'll find this article and the tips useful when planning to use the encryption features within your vSphere environment.
Thanks for the KB; can you please let me know how to apply it on an existing vSAN cluster where I have a number of VMs?
Thanks for this useful post, but I have a big problem. The backup feature does not work at all when I push both backup key buttons. Please, can you help?