Workload: How To Encrypt the Appliance VM

search cancel

book

calendar_today

Carbon Black Cloud Workload

To encrypt the VMware Carbon Black Workload Appliance VM

Ensure prerequisites are met:
- At least one vCenter Server
- At least one ESX Server with enough storage
- At least one KMPI 1.1 Compliant KMS Server
- https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-17568345-E59E-43A8-A811-92F8BE9C7719.html
Add KMS to vCenter Server:
1. Navigate to Configure > Security > Key Providers
2. Click "Add Standard Key Provider" add add the server address/port number
3. Enable trust between KMS and vCenter:
Confirm ESX host has encryption mode enabled under Configure > System > Security Profile
Power the Carbon Black Workload Appliance off
Encrypt the VM by navigating to Configure > Policies > select "VM Encryption Policy"
On the Appliance VM "Summary" tab, there should now be a lock logo next to the Linux logo
Power the Appliance back on

After encrypting the appliance VM, any attempts to migrate VM to another VC (Which does not have KMS cluster Authentication) will error. Only migrations of this VM to another ESX under same VC (or VC with same kms authentication) it will migrate.
To encrypt any new appliances, select "Encrypt this Virtual Machine" while deploying the OVF Template. This option will be on the "Select Storage" section.
If error "Storage profile is only supported when the target resource pool is backed by a cluster." is presented while creating newly encrypted appliance VM, move the ESXI host under existing cluster, or create a new cluster in VC.
If error "The VMware vSphere with Operation Management 6 Enterprise license for Host “1.2.3.4” does not include “Vsphere VM Encryption”. Upgrade the license." is presented, you will need to upgrade your license to resolve this.
For further assistance please contact VMware Support

thumb_up Yes

thumb_down No