This article provides guidance on transitioning from a standard Key Management Server (KMS) to the VMware Native Key Provider (NKP).
It outlines how to safely migrate vTPM-enabled and encrypted virtual machines to the NKP, ensuring continuous operation and security compliance once the external KMS is decommissioned.

When replacing a standard KMS with the VMware Native Key Provider, administrators may encounter uncertainty regarding how existing vTPM-enabled or encrypted VMs will behave after the external KMS is retired.

In particular, concerns may include:

• Whether vTPM certificates need to be regenerated.

• If encrypted workloads will continue to operate normally after the KMS is removed.

• What steps are necessary to transition key management safely to the NKP without disruption.

This guidance applies when:

• The Native Key Provider is already deployed and set as the default Key Provider.

• The external KMS is being prepared for decommissioning.

• The environment includes encrypted VMs and vTPM-enabled workloads initially tied to the external KMS.

VMware vCenter Server 8.x

This situation arises when an environment transitions from a standard KMS to the Native Key Provider (NKP) as the new default key manager.
While the NKP is fully capable of managing existing encryption keys and vTPM components, a controlled rekey (re-encryption) process is required to ensure:

• All vTPM and encryption keys are re-associated with the NKP.

• Key management continuity is maintained without requiring certificate regeneration.

• Encrypted VMs remain accessible after the external KMS is retired.

To safely transition vTPM-enabled and encrypted virtual machines from the external KMS to the Native Key Provider, perform a rekey (recrypt) operation.
This process re-encrypts the virtual machine with a new Key Encryption Key (KEK) issued by the NKP.
Once the rekey is completed, the virtual machine’s cryptographic operations are managed exclusively by the NKP, and the external KMS can be safely removed.

Rekey Process Overview

You can use the vSphere Client to perform a shallow rekey (recrypt) or a deep rekey, depending on your operational requirements.

Required Privilege:
Cryptographic operations > Recrypt

Steps to Perform a Rekey (Recrypt) Using the vSphere Client

1. Log in to the vCenter Server using the vSphere Client.

2. In the inventory, select the encrypted virtual machine.

3. Right-click the VM and select:
   VM Policies > Re-encrypt

4. When prompted, click Yes to proceed.

5. The virtual machine will be rekeyed with the new KEK from the Native Key Provider.

If the rekey process fails, the following event is generated:

Note:

• The rekey process does not modify or regenerate the vTPM certificate.

• Once rekeyed, the VM is fully managed by the NKP, and the external KMS can be safely removed.

Verification

After completing the rekey process, confirm the following:

1. The VM’s encryption policy now references the Native Key Provider.

2. The VM remains powered on and accessible (for shallow rekey).

3. The vTPM and encrypted disks function as expected without key retrieval errors.

4. The external KMS no longer appears as the active provider for any VM encryption keys.