Overview

Entrust Cryptographic Security Platform Vault supports a fully functional KMIP (Key Management Interoperability Protocol) server that can serve as a vSphere KMS (Key Management Server).

Once a trusted connection between Cryptographic Security Platform Vault and vSphere has been established, Cryptographic Security Platform Vault can manage the encryption keys for virtual machines in the cluster that have been encrypted with vCenter Server for vSphere Virtual Machine Encryption or VMware VSAN Encryption. The procedure is identical no matter which VMware encryption method you use.

Note: If you are using KMIP with Key Encryption Key (KEK) enabled, make sure the KEK cache timeout is enabled by setting it to a value other than 0. See KEK with KMIP in the Cryptographic Security Platform Vault Administration Guide.

To set up Cryptographic Security Platform Vault as a KMS for vSphere:

1. If you currently have a different KMS configured in vCenter that you want to replace with Cryptographic Security Platform Vault, make sure you decrypt all workloads associated with that KMS and that you remove the KMS from vCenter. You can then set up Cryptographic Security Platform Vault as your KMS. For details on decrypting workloads or removing a KMS from vCenter, see your vCenter documentation.

2. Have access to a Cryptographic Security Platform Vault cluster that has been properly configured and is operational.

Important: Make sure that all Cryptographic Security Platform Vault nodes reside on devices that are not encrypted. Cryptographic Security Platform Vault has its own internal encryption, and it must be available to provide the keys for the encrypted devices before the encrypted devices can be accessed.

For details, see Installation Overview.

3. Configure a KMIP server in the Cryptographic Security Platform Vault cluster.

See Configuring a KMIP Server.

4. Add a KMS Cluster in vSphere using the VMware vCenter Web Client.

Important: Do not enter a user name or password for the KMS cluster.

See Adding a KMS Cluster in vSphere.

5. Establish a trusted connection to the Cryptographic Security Platform Vault KMIP server by creating a client certificate bundle on the KMIP server and uploading it to vSphere.

You can create the KMIP client certificate bundle using a Certificate Signing Request (CSR) generated by vSphere or generated by Cryptographic Security Platform Vault.

Important: Do not enter a password for the certificates. Due to a vSphere limitation, you cannot upload encrypted certificates.

See Establishing a Trusted Connection with a Cryptographic Security Platform Vault-Generated CSR.
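Before uploading the client certificate bundle in step 5, it is worth confirming that the bundle actually meets the constraint above: a certificate plus exactly one private key, with no password protection. The following check is an added example, not Entrust or VMware tooling; the PEM bundles in it are constructed placeholders, not real key material.

```python
"""Pre-upload check for a KMIP client certificate bundle (added example).
vSphere cannot upload encrypted key material, so this verifies that a PEM
bundle carries a certificate and a single, unencrypted private key."""
import re

# PKCS#8 encrypted keys carry this PEM label; legacy OpenSSL encryption is
# signalled by Proc-Type/DEK-Info headers inside the block body instead.
ENCRYPTED_LABELS = {"ENCRYPTED PRIVATE KEY"}
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S)


def parse_pem_blocks(text):
    """Return (label, body) for every PEM block in the text, in order."""
    return [(m.group("label"), m.group("body")) for m in _PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, body):
    """True if the key block is password-protected (PKCS#8 or legacy form)."""
    if label in ENCRYPTED_LABELS:
        return True
    return "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body


def check_bundle(text):
    """Return a list of problems; an empty list means the bundle is usable."""
    problems = []
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in PRIVATE_KEY_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    for label, body in keys:
        if is_encrypted_key(label, body):
            problems.append("private key is password-protected; vSphere cannot upload it")
    return problems


# Constructed sample bundles (placeholder base64, not real certificates or keys).
GOOD_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAVkCAQEwDQYJKoZI\n"
               "-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\n"
               "MIGHAgEAMBMGByqGSM49AgEG\n-----END PRIVATE KEY-----\n")
ENCRYPTED_BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIBszCCAVkCAQEwDQYJKoZI\n"
                    "-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233\n\n"
                    "MIIEpAIBAAKCAQEAx\n-----END RSA PRIVATE KEY-----\n")
```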