Combining VMware vSphere VDI with DataControl

You can use VMware vSphere and HyTrust DataControl in combination to create an encrypted virtual desktop infrastructure (VDI) that you can then clone as many times as needed. The clones can be managed individually through KeyControl, and each clone can have its own set of encryption keys.

Before You Begin

Make sure you know the IP addresses or MAC addresses that you want to use for the clones. You need to register the addresses with KeyControl before you create a clone from the master VM.

Every clone must have a unique IP or MAC address registered with KeyControl. Therefore, if you want to deploy 10 clones, you would need to register 10 unique IP addresses or MAC addresses with KeyControl before you deployed the 10 clones.

Procedure

Create the master VM that you want to use to create the clones. If you already have a VM that is fully set up and encrypted by HyTrust DataControl, proceed to the next step.
1. Set up a VM with all the required software and configuration settings according to your company's VDI requirements. Once the VM is fully set up it becomes the "Master VM".
2. Install the latest HyTrust DataControl Policy Agent on the Master VM and register it with KeyControl as described in Linux Policy Agent Installation.
3. Encrypt the required data disks as described in Encrypting a Windows Disk Using the HyTrust Policy Agent GUI or Encrypting a Disk Using the CLI.
4. If required, encrypt the root or system drives as described in Linux Root, Swap, and System Device Encryption or Windows Boot Drive Encryption.
As a precaution, take a snapshot of the Master VM at this point.
Register the IP addresses or MAC addresses you want to use for the clones by running the hcl template command on the Master VM once for each clone you want to register. To do so:
1. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
2. Enter the command hcl template <-i ipaddr | -m macaddr> [-u username [-p password]] days_to_expire, where:
  - <-i ipaddr | -m macaddr> is either -i and an IP address or -m and a MAC address.
  - -u is a KeyControl user account with Cloud Admin privileges. If you do not specify the account name, hcl prompts you for the information.
  - -p is the password for the KeyControl account. If you do not specify this password you will be prompted for the information.
  - days_to_expire is the number of days for which the access will remain valid for the clone. After access expires the clone will not be able to register itself with KeyControl and access to the clone will be denied. If you do not want the access to ever expire, specify 0 (zero) for this option.
  For example, if you want to register a template with the MAC address 00-80-c0-8f-45-c8 that is valid for 30 days, you would enter:
  
  # hcl template -m 0080c08f45c8 -u CloudAdmin -p Hytrust123! 30
  
  If you want to register a template with the IP address 192.168.140.150 that never expires, you would enter:
  
  # hcl template -i 192.168.140.150 -u CloudAdmin -p Hytrust123! 0
  
  If you want to prepare a group of clones with consecutive IP addresses, you can create a script that calls the hcl template command once for each clone. For example, if you want to prepare 30 clones that will be available for 365 days starting with the IP address 192.168.140.150 and ending with the IP address 192.168.140.180, you could include the following in your script:
```
i=150
while [[ $i -lt 181 ]]; do
   hcl template -i 192.168.140.$i -u CloudAdmin -p Hytrust123! 365
   i=’expr+1’
done
```
3. For each clone you want register for this VM, repeat the hcl template command specifying a unique IP or MAC address each time.
4. To view a list of reserved IP and MAC addresses in the system, enter the command hcl template list.
5. If you want to unregister a clone IP or MAC address, enter the command hcl template remove <-i ipaddr | -m macaddr> [-u username [-p password]].
When you are done registering the IP or MAC addresses you want to use, you can either create a vSphere Template from the Master VM, or you can simply clone the existing Master VM without making it a Template. Both methods work equally well with KeyControl. For more information about vSphere Templates, see your vSphere documentation.

Create the clones you want to use by selecting either Clone > Clone to Virtual Machine or New VM from This Template, depending on whether you set the master VM up as a vSphere Template in the proceeding step.

Important:

Do NOT power on the clones at this point.

After the clones have been deployed, manually set the IP or MAC addresses to match the ones you already registered with KeyControl. How you do this depends on what version of the vSphere Web Client that you are using.
After you have verified that the IP or MAC for the clones match the addresses that were registered with KeyControl, you can power on the clones.

If the root drive of the master VM was encrypted, when each clone VM boots, it contacts KeyControl during boot. KeyControl provides the keys for root drive and lets the clone VM boot. If the root drive was not encrypted, the clone VM will simply boot normally.

If you log into the KeyControl webGUI, the clone VM appears on the Cloud > VMs tab with the following name:

<original hostname>-<mac address of clone>

For example, you could see the following VM names in the webGUI:
```
win2016master
win2016master-0080c01f45c5
win2016master-0080c02f46c6
win2016master-0080c03f47c7
```
Once a clone has successfully powered on and contacted KeyControl, you can then manage it like any other VM that is registered with KeyControl. By default, KeyControl uses the same encryption key for the Master VM and all of the clone VMs. If you want each clone to have its own encryption key, you can rekey each clone VM as described in Rekeying a Disk Using the webGUI or Rekeying a Disk using the CLI.