Configure vSphere Native Key Provider
Article ID: 396471

Products

VMware vSphere ESXi

Issue/Introduction

Before you can start with encryption tasks, you must configure a vSphere Native Key Provider on vCenter Server.

Required privilege: Cryptographic operations > Manage key servers

vSphere 7.0 Update 2 and later includes a key provider called vSphere Native Key Provider. vSphere Native Key Provider enables encryption-related functionality without requiring an external key server (KMS).

Initially, vCenter Server is not configured with a vSphere Native Key Provider. You must manually configure a vSphere Native Key Provider.

This article outlines the steps to configure a vSphere Native Key Provider in vSphere.

Environment

vSphere 7.0 Update 2 and later

Resolution

Add vSphere Native Key Provider

  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Click Add then click Add Native Key Provider.
  5. Enter a name for the vSphere Native Key Provider.
    Note: Each logical key provider, regardless of its type (Standard, Trusted, or Native Key Provider), must have a unique name across all vCenter Server systems.
    For more information, see Key Provider Naming.
  6. If you want this vSphere Native Key Provider to be used only by hosts with a TPM 2.0, select the Use key provider only with TPM protected ESXi hosts check box.
    If enabled, the vSphere Native Key Provider is available only on hosts with a TPM 2.0.
  7. Click Add Key Provider.
    Note: It takes about five minutes for all the clustered ESXi hosts in a data center to get the key provider, and for the vCenter Server to update its cache. Because of the way the information is propagated, you might have to wait for a few minutes to use the key provider for key operations on some of the hosts.
  8. The vSphere Native Key Provider is added and appears in the Key Provider pane.
  9. At this point, the vSphere Native Key Provider is not backed up. You must back up the vSphere Native Key Provider before you can use it.

Back Up vSphere Native Key Provider

  1. Select the vSphere Native Key Provider you want to back up.
    A status of "Not backed up" appears for key providers that you have not backed up.
  2. Click Back Up.
  3. To password-protect the backup, check the Protect Native Key Provider data with password box.
    a. Enter a password and save it in a secure location.
    b. Check the I have saved the password in a secure place box to confirm that you have done so.
  4. Click Back Up Key Provider.
    The backup file is in PKCS#12 format.
  5. Save the backup file in a secure location.

Note: When you configure vSphere Native Key Provider, the key providers are available on all clusters for the vCenter Server on which you configure them. As a result, all hosts attached to the vCenter Server have access to all the vSphere Native Key Providers that you configure.
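The two procedures above (adding the key provider, then backing it up) can also be driven from the vSphere Automation REST API. The following Python script is an added example, not code from this article or from VMware. The endpoint paths (`/api/session`, `/api/vcenter/crypto-manager/kms/providers`, the `?action=export` operation), the request fields (`provider`, `constraints.tpm_required`, `native_spec`, `password`) and the shape of the export result (`location.url` plus a bearer `download_token`) are assumptions from the vCenter 7.0 Update 2 and later API reference and should be confirmed in your vCenter's API explorer before use. The `tpm_required` constraint corresponds to the "Use key provider only with TPM protected ESXi hosts" check box, and the export password to the "Protect Native Key Provider data with password" box; the downloaded file is the PKCS#12 backup, which the script sanity-checks before writing it to disk.

```python
# Added example (not from the KB article or from VMware): automate
# "Add vSphere Native Key Provider" and "Back Up vSphere Native Key Provider"
# through the vSphere Automation REST API using only the standard library.
# All endpoint paths and field names below are ASSUMPTIONS taken from the
# vCenter 7.0 U2+ API reference; verify them in your vCenter's API explorer.
import base64
import json
import ssl
import urllib.request
from typing import Optional

API_PROVIDERS = "/api/vcenter/crypto-manager/kms/providers"  # assumed path


def create_native_provider_spec(name: str, tpm_required: bool = False) -> dict:
    """Body for POST API_PROVIDERS: the wizard's name field plus the
    'Use key provider only with TPM protected ESXi hosts' check box."""
    if not name or not name.strip():
        raise ValueError("key provider name must not be empty")
    return {
        "provider": name,                                      # must be unique across vCenters
        "constraints": {"tpm_required": bool(tpm_required)},   # assumed field name
        "native_spec": {},                                     # vCenter generates the key material
    }


def export_spec(name: str, password: Optional[str]) -> dict:
    """Body for the export action. Supplying a password is the API equivalent of
    the 'Protect Native Key Provider data with password' box."""
    spec = {"provider": name}
    if password:
        spec["password"] = password
    return spec


def looks_like_pkcs12(data: bytes) -> bool:
    """Cheap sanity check before the backup is stored: PKCS#12 is a DER-encoded
    ASN.1 SEQUENCE, so a genuine backup starts with tag byte 0x30."""
    return len(data) > 2 and data[0] == 0x30


class VCenterSession:
    """Minimal session wrapper; TLS verification stays on (pass ca_bundle if the
    vCenter certificate is issued by a private CA)."""

    def __init__(self, host: str, user: str, password: str, ca_bundle: Optional[str] = None):
        self.base = f"https://{host}"
        self.basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        self.session_id: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              headers: Optional[dict] = None) -> bytes:
        url = path if path.startswith("https://") else self.base + path
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, method=method, data=data)
        req.add_header("Content-Type", "application/json")
        if self.session_id:
            req.add_header("vmware-api-session-id", self.session_id)
        for key, value in (headers or {}).items():
            req.add_header(key, value)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.read()

    def login(self) -> str:
        raw = self._call("POST", "/api/session", headers={"Authorization": "Basic " + self.basic})
        self.session_id = json.loads(raw)
        return self.session_id

    def add_native_key_provider(self, name: str, tpm_required: bool = False) -> None:
        # Requires the 'Cryptographic operations > Manage key servers' privilege.
        self._call("POST", API_PROVIDERS, body=create_native_provider_spec(name, tpm_required))

    def back_up_key_provider(self, name: str, password: Optional[str]) -> bytes:
        """Run the export action and fetch the PKCS#12 file it points to."""
        raw = self._call("POST", API_PROVIDERS + "?action=export", body=export_spec(name, password))
        location = json.loads(raw)["location"]                # assumed result shape
        token = location["download_token"]                    # assumed: {"token": ..., "token_type": "Bearer"}
        auth = f'{token.get("token_type", "Bearer")} {token["token"]}'
        return self._call("GET", location["url"], headers={"Authorization": auth})


if __name__ == "__main__":
    import getpass
    import sys

    host, user, provider = sys.argv[1], sys.argv[2], sys.argv[3]
    vc = VCenterSession(host, user, getpass.getpass("vCenter password: "))
    vc.login()
    vc.add_native_key_provider(provider, tpm_required=True)
    backup = vc.back_up_key_provider(provider, getpass.getpass("Backup password: "))
    if not looks_like_pkcs12(backup):
        raise SystemExit("download does not look like a PKCS#12 file; not saving it")
    with open(f"{provider}.p12", "wb") as fh:   # move this file to offline, access-controlled storage
        fh.write(backup)
    print(f"wrote {len(backup)} bytes to {provider}.p12")
```

Run it as `python nkp.py vcenter.example.com administrator@vsphere.local nkp-tpm-only`. Note that the export must still be repeated whenever the key provider is re-created, and that the PKCS#12 file and its password are the only way to recover encrypted workloads if vCenter is lost, so store them separately from the vCenter backups.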

Additional Information

Next Steps
To add vTPMs to your virtual machines, see Securing Virtual Machines with Virtual Trusted Platform Module.
To encrypt virtual machines, see Use Encryption in Your vSphere Environment.