KMIP for VMware implementation and management
Planning
You are not charged for the KMIP™ for VMware service. To review the Key Protect and Hyper Protect Crypto Services pricing plans, see the Key Protect and Hyper Protect Crypto Services catalog pages.
If you are using VMware vSAN™ encryption, plan to use one root key in Key Protect or Hyper Protect Crypto Services, and two standard keys for each vSAN cluster that you encrypt.
If you are using VMware vSphere® encryption, plan to use one root key, one standard key per vSphere cluster, and one standard key per encrypted virtual machine (VM).
Key Protect and Hyper Protect Crypto Services are available in multizone regions (MZRs) only. Hyper Protect Crypto Services (HPCS) is available in selected MZRs only. KMIP for VMware® is automatically deployed in the same region as your Key Protect or HPCS instance. VMware vCenter Server® can tolerate high latency to the KMIP service, so distance is usually not be a cause for concern.
Connecting the key management server
To enable vSphere encryption or vSAN encryption by using KMIP for VMware, you need to complete the following tasks:
- Enable service endpoints in your account.
- Create a key manager instance, by using either IBM Key Protect or IBM Cloud Hyper Protect Crypto Services. If you are using Hyper Protect Crypto Services (HPCS), be sure to initialize your crypto instance so that Hyper Protect Crypto Services can provide key-related functions.
- Create a customer root key (CRK) within your key manager instance.
- If you are using Key Protect, create an Identity and Access Management (IAM) API key for a service ID for use with KMIP for VMware. Grant this service ID both Platform Viewer access and Service Write access to your Key Protect instance.
- Create a KMIP for VMware instance from the IBM Cloud for VMware Solutions console.
- If you are using HPCS, create an IAM service authorization for your KMIP for VMware instance to your HPCS instance. Grant your KMIP for VMware instance both Platform Viewer access and Service VMware KMIP Manager access to your HPCS instance.
- Configure your KMIP for VMware instance to connect to your Key Protect or HPCS instance and select which CRK to use with KMIP.
- Within vCenter Server, create a key provider cluster.
- If you are using Key Protect, configure this cluster with two servers, one for each KMIP for VMware endpoint in your chosen region.
- If you are using HPCS, configure this cluster to connect to the hostname and port that is uniquely assigned to your KMIP for VMware instance.
- Select one of the VMware methods to generate or install a KMS client certificate in vCenter Server.
- Export the public version of the certificate and configure it as an allowed client certificate in your KMIP for VMware instance. The key manager instance has a maximum interval of 5 minutes to get the configured client certificates. Therefore, if you are unable to build KMS trust to vCenter Server, wait for 5 minutes and try again.
Enabling encryption
To use vSAN encryption, edit the vSAN general settings in your vCenter Server cluster and select the encryption checkbox.
The vSAN health check might send periodic warnings that it is unable to connect to the KMS cluster from one or more of your vSphere hosts. These warnings occur because the vSAN health check connection times out too quickly. You can ignore these warnings. For more information, see vSAN KMS health check intermittently fails with SSL handshake timeout error.
To use vSphere encryption, edit your VM storage policies to require disk encryption.
Important caveats
Some VMs require special planning for encryption, especially if they are involved in a possible circular dependency to obtain the key material to operate themselves. Consider the following information:
- vCenter Server is involved in retrieving encryption keys. This VM must not be encrypted by using vSphere encryption and must not be on an encrypted vSAN datastore.
- The Microsoft Windows® Active Directory controllers in your environment are used for hostname resolution to connect to key management. Do not encrypt them by using vSphere encryption or place them on an encrypted vSAN datastore unless you are prepared to provide an alternate hostname resolution if you need to restart your environment.
- VMware does not recommend encrypting VMware NSX® VMs by using vSphere encryption.
Key rotation
Rotate your Key Protect or Hyper Protect Crypto Services customer root key (CRK) by using the IBM Cloud console or API.
- For vSAN encryption, rotate your VMware key encryption keys and data encryption keys (optionally) from the vSAN general settings in your vCenter Server cluster.
- For vSphere encryption, rotate your VMware key encryption keys and data encryption keys (optionally) by using the Set-VMEncryptionKey PowerShell command.
Key revocation
You can revoke all keys in use by KMIP for VMware by deleting your chosen CRK from your key manager.
When keys are revoked, all data that is protected by these keys and by your KMIP for VMware instance is cryptographically shredded by this method. VMware preserves some keys while an ESXi host is powered on, so you need to restart your vSphere cluster to ensure that all encrypted data is no longer in use.
KMIP for VMware stores individual wrapped KEKs in your Key Protect or Hyper Protect Crypto Services instance by using names that are associated with the key IDs that are known to VMware. You can delete individual keys to revoke the encryption of individual disks or drives.
VMware does not delete keys from the KMS when a VM having encrypted disks is removed from inventory. This process is to allow recovery of that VM from backup or if it is restored to inventory. If you want to reclaim these keys and cryptographically invalidate all backups, you need to delete the keys from your key manager instance after you delete your VMs.