Overview

Entrust KeyControl supports a fully functional KMIP (Key Management Interoperability Protocol) server that can serve as a vSphere KMS (Key Management Server).

Once a trusted connection between KeyControl and vSphere has been established, KeyControl can manage the encryption keys for virtual machines in the cluster that are encrypted with vSphere Virtual Machine Encryption (through vCenter Server) or VMware vSAN Encryption. The procedure is the same for either VMware encryption method.

Note: If you are using KMIP with Key Encryption Key (KEK) enabled, make sure that the KEK cache timeout is enabled by setting it to any value other than 0. See KEK with KMIP in the KeyControl Administration Guide.

To set up KeyControl as a KMS for vSphere:

Step 1
Task: If you currently have a different KMS configured in vCenter that you want to replace with KeyControl, decrypt all workloads associated with that KMS and remove the KMS from vCenter before you set up KeyControl as your KMS.
Notes: For details on decrypting workloads or removing a KMS from vCenter, see your vCenter documentation.

Step 2
Task: Have access to a KeyControl cluster that has been properly configured and is operational.
Notes: Important: Make sure that all KeyControl nodes reside on devices that are not encrypted. KeyControl has its own internal encryption, and it must be up and available to provide the keys for the encrypted devices before those devices can be accessed; a KeyControl node that depends on its own keys to boot cannot come up. For details, see Installation Overview.

Step 3
Task: KeyControl releases earlier than v5.5: Configure a KMIP server in the KeyControl cluster.
Notes: See Configuring a KMIP Server.

Task: KeyControl v5.5 and later: Configure a multi-tenant KMIP server and create a KMIP tenant.
Notes: See Configuring a Multi-Tenant KMIP Server and Creating a KMIP Tenant in the KeyControl Administration Guide.

Step 4
Task: Add a KMS cluster in vSphere using the VMware vCenter Web Client.
Notes: Important: Do not enter a user name or password for the KMS cluster. vSphere authenticates to the KeyControl KMIP server with the client certificate you establish in step 5, not with a user name and password. See Adding a KMS Cluster in vSphere.

Step 5
Task: Establish a trusted connection to the KeyControl KMIP server by creating a client certificate bundle on the KMIP server and uploading it to vSphere.
Notes: You can create the KMIP client certificate bundle from a Certificate Signing Request (CSR) generated either by vSphere or by KeyControl. Important: Do not set a password on the certificates. Due to a vSphere limitation, password-protected (encrypted) certificate files cannot be uploaded. See Establishing a Trusted Connection with a KeyControl-Generated CSR.
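The restriction in step 5 is easy to trip over when the bundle is produced with a passphrase out of habit, and vSphere's upload error is not always explicit about the cause. The following pre-upload check is an added example, not code from Entrust or VMware. It assumes the client certificate bundle is PEM text containing the client certificate, its private key and optionally a CA certificate (the exact layout KeyControl produces is not stated on this page, so that is an assumption), and it flags the two ways a PEM private key can be password-protected: the PKCS#8 "ENCRYPTED PRIVATE KEY" label and the legacy "Proc-Type: 4,ENCRYPTED" header. The sample bundles at the bottom are constructed from placeholder DER bytes; they are not real keys or certificates.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Unencrypted private-key labels; "ENCRYPTED PRIVATE KEY" is handled separately.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ALLOWED_LABELS = PRIVATE_KEY_LABELS | {"CERTIFICATE", "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(pem_text):
    """Return a list of (label, headers, der_bytes_or_None) for each PEM block."""
    blocks = []
    for m in _PEM_BLOCK.finditer(pem_text):
        label, payload = m.group(1), m.group(2)
        headers, body_lines = {}, []
        for line in payload.splitlines():
            # Legacy RFC 1421 headers (Proc-Type, DEK-Info) precede the base64 body;
            # base64 never contains ':' so this cannot misclassify body lines.
            if ":" in line and not body_lines:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line.strip():
                body_lines.append(line.strip())
        try:
            body = base64.b64decode("".join(body_lines), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            body = None
        blocks.append((label, headers, body))
    return blocks


def check_kmip_client_bundle(pem_text):
    """Return a list of problems; an empty list means the bundle looks uploadable."""
    problems = []
    blocks = parse_pem_blocks(pem_text)
    keys = [b for b in blocks if b[0] in PRIVATE_KEY_LABELS or b[0] == "ENCRYPTED PRIVATE KEY"]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]

    for label, headers, body in blocks:
        if body is None:
            problems.append(f"{label} block is not valid base64")
        # PKCS#8 encrypted keys use their own label; legacy PEM keys signal it in a header.
        if label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type") == "4,ENCRYPTED":
            problems.append(f"{label} block is password-protected; vSphere cannot upload encrypted keys")
        if label not in ALLOWED_LABELS:
            problems.append(f"unexpected PEM block: {label}")
        # Every X.509 certificate and PKCS#8/PKCS#1 key is a DER SEQUENCE (tag 0x30).
        if body is not None and body[:1] != b"\x30":
            problems.append(f"{label} block does not decode to a DER SEQUENCE")

    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    return problems


def _pem(label, der, headers=()):
    """Build a PEM block from DER bytes; used only to construct the sample inputs below."""
    b64 = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")  # blank line separates legacy headers from the body
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed placeholder: minimal DER SEQUENCE { INTEGER 0 }. Not a real key or certificate.
_FAKE_DER = b"\x30\x03\x02\x01\x00"

GOOD_BUNDLE = _pem("CERTIFICATE", _FAKE_DER) + _pem("PRIVATE KEY", _FAKE_DER)
ENCRYPTED_PKCS8_BUNDLE = _pem("CERTIFICATE", _FAKE_DER) + _pem("ENCRYPTED PRIVATE KEY", _FAKE_DER)
ENCRYPTED_LEGACY_BUNDLE = _pem("CERTIFICATE", _FAKE_DER) + _pem(
    "RSA PRIVATE KEY", _FAKE_DER,
    headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF"),
)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("pkcs8-encrypted", ENCRYPTED_PKCS8_BUNDLE),
                         ("legacy-encrypted", ENCRYPTED_LEGACY_BUNDLE)]:
        print(name, "->", check_kmip_client_bundle(bundle) or "OK")
```

Run it against the bundle file before uploading it in the vSphere client: an empty problem list means the key is unencrypted and the file has the expected shape. The check deliberately stops at PEM structure; it does not verify that the private key matches the certificate or that the certificate chains to the KeyControl KMIP server's CA, so pair it with the usual `openssl x509` / `openssl pkey` inspection for those properties.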