Add standard key provider on the vCenter server for encryption.

Article ID: 386251
Products

VMware vSphere ESXi

Issue/Introduction

VM encryption encrypts the VMDK files on the datastore. It is needed because the datastore itself performs no authentication, and it protects the VM data from tampering.

Encryption on the cluster can be configured in two major ways:

- Configure the vCenter server as the KMS (Native Key Provider)

- Configure an external Key Management Server (KMS)

This article gives detailed steps for configuring an external KMS server. Several open source KMS products are available; here we cover how to install HyTrust KeyControl and configure it on the vCenter server.

Environment

vCenter server 7.x

vCenter server 8.x

Resolution

HyTrust KeyControl is deployed as a virtual appliance alongside the vCenter server: the HyTrust VM is deployed from an OVF file.

1. Once the OVF is deployed, open the VM console and complete the OS installation.

Reference :

HyTrust KeyControl with VMware vSphere VM and VSAN Encryption 

2. Access the KeyControl web interface in a browser using its FQDN:

https://<FQDN of the Hytrust>

3. For the first login, use the default username and password, i.e. secroot/secroot.

4. Go to the KMIP tab to configure the KMS. Make sure the protocol is set to 1.1, as VMware supports only KMIP 1.1.

Reference: vSphere Security 

5. To configure the certificate, go to the Actions tab and select Create Certificate.

6. While configuring the certificate, do not set a password, as the VMware vCenter server cannot decrypt a password-protected certificate.

7. Download the certificate.

8. Once HyTrust is set up as the KMS server using KMIP 1.1, configure the vCenter server with a Standard Key Provider and establish trust in both directions.

- Go to the vCenter server > Configure > Key Provider > Add Standard Key Provider, and select Standard Key Provider from the drop-down.

- Enter the key provider's hostname, IP address, and the port on which it communicates.

- Once the provider is added, trust must be established between the two.

- For the vCenter server to trust the KMS server, click the Establish Trust icon; it displays the KMS certificate details.

- For the KMS to trust the vCenter server, select Establish Trust again and choose option 3.

- This requires you to upload, on the vCenter server, the certificate you created earlier; upload the same certificate file you downloaded.

- Save; this establishes trust between the KMS and the vCenter server.
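Before uploading the certificate in the trust step above, it is worth confirming that the bundle downloaded in step 7 is actually usable: step 6 says a password-protected certificate cannot be decrypted by vCenter, and that mistake only surfaces as an opaque error during the trust dialog. The script below is an added example, not part of this article or of any HyTrust or VMware tooling. It assumes the downloaded bundle is a PEM file containing CERTIFICATE block(s) and a private key, and that the KMS listens on 5696 (the IANA-assigned KMIP port, which the article does not state). The sample bundles are constructed with placeholder base64 bodies, not real key material.

```python
"""Pre-flight checks for a HyTrust KeyControl certificate bundle and KMIP endpoint.

Added example, not part of the KB article or of any HyTrust/VMware tooling.
Assumptions: the bundle downloaded from KeyControl (step 7) is PEM text holding
certificate block(s) and a private key; port 5696 is the IANA-assigned KMIP
port and is not stated in the article.
"""
import hashlib
import re
import socket
import ssl

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def inspect_pem_bundle(pem_text: str) -> dict:
    """Classify the PEM blocks in a bundle and flag what vCenter would reject.

    Returns counts plus a list of plain-text findings (empty list means OK).
    """
    certs = keys = encrypted_keys = 0
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE":
            certs += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted key: unusable without a password (see step 6).
            keys += 1
            encrypted_keys += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # Legacy PEM encryption is signalled by a Proc-Type header in the body.
            if "Proc-Type: 4,ENCRYPTED" in body:
                encrypted_keys += 1

    findings = []
    if certs == 0:
        findings.append("no CERTIFICATE block found")
    if keys == 0:
        findings.append("no private key block found")
    if encrypted_keys:
        findings.append(
            "private key is password-protected; recreate the certificate "
            "without a password (step 6)"
        )
    return {"certificates": certs, "private_keys": keys,
            "encrypted_keys": encrypted_keys, "findings": findings}


def probe_kmip_tls(host: str, port: int = 5696, timeout: float = 5.0) -> dict:
    """Open a TLS session to the KMIP listener and fingerprint its certificate.

    The KMS certificate is normally self-signed, so chain verification is off
    here; the SHA-256 fingerprint is returned for manual comparison with the
    certificate details shown in the vCenter Establish Trust dialog.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"tls_version": tls.version(),
                    "sha256_fingerprint": hashlib.sha256(der).hexdigest()}


# Constructed sample bundles: the bodies are placeholders, not real certificates or keys.
SAMPLE_ENCRYPTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBxzCCAW2gAwIBAgIUPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
"""

SAMPLE_GOOD_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBxzCCAW2gAwIBAgIUPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, bundle in (("password-protected", SAMPLE_ENCRYPTED_BUNDLE),
                         ("usable", SAMPLE_GOOD_BUNDLE)):
        print(name, inspect_pem_bundle(bundle))
    # Live probe (uncomment and set the KMS FQDN from step 2):
    # print(probe_kmip_tls("<FQDN of the Hytrust>"))
```

Run the file as-is to see the two constructed bundles classified; point `probe_kmip_tls` at the KeyControl FQDN to confirm the listener answers TLS on the port you will enter in the key provider dialog and to record the fingerprint you expect to see when establishing trust.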

 

Additional Information

* While installing and configuring the HyTrust server, a hostname is required.