VMware vSphere 7 Update 2 finally offers a long-awaited Native Key Provider (NKP), which is built into vSphere. It's not a "full blown" KMS server: the NKP can only talk to vSphere, and you can't point other things at it. It is a vSphere-only feature.

Traditional KMS servers provide other features that NKP does not. For example, they may offer a hardware root of trust in a hardware security module (HSM); they also provide certifications and compliance guarantees.

So, if you only want to protect your vSphere environment, you no longer need to pay for this software via external channels, as was the case with vSphere 6.7 or vSphere 6.5. But most likely you won't get all the functions that traditional KMS solutions provide. There is a reason why paid KMS solutions exist.

You can use the NKP feature for vSAN encryption, which offers data-at-rest or data-in-transit encryption, as well as for vSphere VM encryption, to protect your data. You can also set up a secure boot of ESXi servers and protect the boot environment.

vSphere 7 Update 2 offers TPM v2.0, which is able to seal sensitive information by using a TPM policy based on PCR values for UEFI Secure Boot.

A key provider (an external KMS or the NKP) is a necessary part of the configuration when you want to use vSphere Virtual Machine (VM) encryption to perform encryption operations. What you have to do is connect your vCenter Server to a KMS/Key Provider.

Note: This does not mean that you can't continue to use your KMS if you have previously purchased that software from your vendor.

You should also get the TPM 2.0 hardware for your servers. This is a hardware component designed to securely store information, such as credentials or measurements. It costs about $40.

TPM hardware module from Dell

Setup of Native Key Provider (NKP)

First, create the key provider. You'll need to log in to the vCenter Server with the vSphere Web Client and select the vCenter Server in the inventory list.

Click Configure > Key Management Servers or Key Providers.

Click Add Native Key Provider, complete the required information, and click Add Key Provider.

Add Native Key Provider

After you click it, a pop-up window asks you for a name. Enter a meaningful name.

Add Native Key Provider pop up window

Once done, you can select the key provider from the list (in our case, we have only one); you'll see that the status says "not backed up" and that there is a button enabling you to perform a backup. You must back up the vSphere NKP before you can use it.

Backup of your key provider

Click the button, and you'll see another pop-up window. You can see that the "Protect Native Key Provider data with password" option is unchecked.

You should protect the key data with a password

Check the box and click the Backup Key Provider button to proceed with password creation.

Back up Native Key Provider

The result is a p12 file, which is automatically saved in your default browser location. In my lab example, it is in the usual Windows Downloads directory. You can then place it on a USB stick or upload it to a secure cloud location.

Backup NKP p12 file

In the notification area, click Constraints. A message is displayed indicating that this KMS is "Available only on TPM protected ESXi hosts". If you remember, at the beginning of our tutorial, we checked the box saying that our hosts have the TPM hardware installed.

The TPM hardware should be configured in each ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (first-in, first-out) interface, not the command response buffer (CRB).
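Because the NKP can only serve TPM-protected hosts, it is worth checking every host's TPM state before you rely on it. The following PowerCLI script is an added example and not part of the original article; it assumes PowerCLI is installed, that the vCenter name used is a placeholder, and that the vSphere API property names `Capability.TpmSupported`, `Capability.TpmVersion` and `Runtime.TpmPcrValues` are available (the `"SHA256"` digest-method string it compares against is an assumption about the value the API reports for a SHA-256 PCR bank).

```powershell
# Added example (not from the original article): audit ESXi hosts for TPM 2.0
# readiness before using the NKP, which is available only on TPM protected hosts.
# Assumes VMware PowerCLI is installed. Property names come from the vSphere API
# (HostCapability.tpmSupported/tpmVersion, HostRuntimeInfo.tpmPcrValues); the
# 'SHA256' digest-method value is an assumption.

function Get-EsxiTpmReadiness {
    param(
        [Parameter(Mandatory)] [string] $VCenter   # use the FQDN, as the article recommends
    )
    $null = Connect-VIServer -Server $VCenter
    try {
        foreach ($vmhost in Get-VMHost | Sort-Object Name) {
            $view = $vmhost.ExtensionData          # underlying HostSystem managed object
            $cap  = $view.Capability
            $pcrs = $view.Runtime.TpmPcrValues      # measured PCR values, if the host has a TPM

            # Collect the distinct hash algorithms the TPM's PCR banks were read with
            $digestMethods = @()
            if ($pcrs) {
                $digestMethods = @($pcrs | Select-Object -ExpandProperty DigestMethod -Unique)
            }
            # The BIOS should be configured for SHA-256; flag SHA-1-only or mixed banks
            $sha256Only = ($digestMethods.Count -gt 0) -and
                          (@($digestMethods | Where-Object { $_ -ne 'SHA256' }).Count -eq 0)

            [pscustomobject]@{
                Host         = $vmhost.Name
                TpmSupported = [bool]$cap.TpmSupported
                TpmVersion   = $cap.TpmVersion
                PcrBanks     = ($digestMethods -join ',')
                NkpReady     = ([bool]$cap.TpmSupported -and $cap.TpmVersion -eq '2.0' -and $sha256Only)
            }
        }
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Placeholder vCenter FQDN; replace with your own
Get-EsxiTpmReadiness -VCenter 'vcsa.lab.example' | Format-Table -AutoSize
```

Hosts reported with NkpReady = False will not be able to use keys from the NKP until the TPM is present, is version 2.0, and its PCR banks are read with SHA-256.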

Available only on TPM protected ESXi hosts

Note: vSphere NKP is backed up as part of the vCenter Server file-based backup (if you set it up). However, you must back up the vSphere NKP at least once before you can use it.

vCenter Server creates an alarm if the NKP has not been backed up. If this happens, it will send you a notification every 24 hours. I think it's good to know when planning your infrastructure deployments or upgrades.

Another very important tip: when creating the backup of the NKP, you should be logged in to the vCenter Server via its fully qualified domain name (FQDN) and not via its IP address. Otherwise, the backup will not finish.

If you're using Enhanced Link Mode configuration with several vCenter Servers linked together, you must do this backup on the vCenter Server to which the key provider belongs.

The backup process might take some time, as the vCenter Server needs to push the information to all ESXi hosts in the data center. The status changes from Not Backed Up to Warning to Active. Once done, you're good to go and can continue with the remaining tasks before using encryption in your vSphere environment.

Some tips for using TPM

If you want to protect your data against theft, you should buy TPMs for your servers and store the keys in the TPM instead of on the boot devices. Someone who steals a few hard drives from a host will most likely not be able to walk away with the heavy server (and its TPM) itself.

Make a backup of your keys and set a password; then, be sure to put it in a safe location. You can use a USB key or online storage in a cloud location, but be sure that you and a member of your security team are the only ones that have access.

Be sure you protect your file-level backup of your vCenter Server Appliance (VCSA), as those keys are backed up via this mechanism. If anyone gets their hands on those backups, they pretty much have access to your encrypted environment, as they can recover the keys from those backups.

Final words

As you can see, setting up the NKP is pretty seamless. I hope that you'll find this article and the tips useful when planning to use encryption features within the vSphere environment.

  1. Rajeev 2 years ago

    Thanks for the KB. Can you please let me know how to apply it on an existing vSAN cluster where I have a number of VMs?

  2. ced 2 years ago

    Thanks for this useful post, but I have a big problem. The backup feature does not work at all when I push both backup key buttons. Please, can you help?

© 4sysops 2006 - 2023