Migrating from KMIP for VMware to IBM Cloud native KMIP providers
Key Management Interoperability Protocol (KMIP™) for VMware® support for Key Protect will end on 16 July 2026, after which interoperability with the Key Protect service will no longer work. Migrate to IBM® Key Protect for IBM Cloud®.
This announcement is applicable only to customers who are using the KMIP for VMware support for Key Protect. Customers who are using KMIP for VMware support for Hyper Protect Crypto Services (HPCS) remain unaffected by this announcement. The KMIP for VMware support for HPCS continues to function as usual without any impact.
Before you begin
Review the following information:
Migration options
IBM Cloud® key management offerings introduce native KMIP providers to replace the Key Management Interoperability Protocol (KMIP™) for VMware® service provider. These new native providers have the following advantages:
- Improved performance, because the calls from KMIP to the key provider are closer in network distance and no longer cross the service-to-service authorization boundaries.
- Improved visibility and management for the KMIP keys.
The native providers share common code and their behavior is similar. For more information, see Key Protect: Using the key management interoperability protocol (KMIP).
The support of native KMIP providers is not available for the Hyper Protect Crypto Services offering of IBM Cloud.
Migrating to the new KMIP provider
If you already use the KMIP for VMware provider, switch to the new key provider for improved performance:
1. Go to https://cloud.ibm.com/infrastructure/vmware-solutions/console/instances/kmip.
2. Select your existing KMIP for VMware instance and note the Key Manager instance name.
3. Go to https://cloud.ibm.com/resources, expand Security, and choose the Key Manager instance from step 2.
   To complete this step, your account needs certain privileges. Complete the following steps to check your account privileges:
   - In the console, go to Manage > Access (IAM) > Users.
   - Under Access policies, select your user ID, and then select the Access tab.
   - Ensure that the service Key Protect and the role Administrator are added.
4. Select KMIP adapters from the left navigation menu, and click Create KMIP adapter.
5. Optionally, type a name, and then select a root key.
   Adding certificate details here is optional because vCenter Server generates a new certificate for each key provider that you configure. The certificate is generated in step 11.
6. Select the Endpoints tab from the left navigation menu to identify the KMIP endpoint that you need to configure. Choose the Private endpoint with type KMIP.
   Only one endpoint is available here, unlike the KMIP for VMware offering in IBM Cloud for VMware Solutions. A single hostname balances the load and is highly available in each region.
7. In vCenter Server, choose the vCenter object.
8. Select Configure > Key Providers, and then add a standard key provider.
9. Verify the details, and click Trust.
10. Select the new key provider, and then the single server in that provider.
11. In the Make KMS trust vCenter section, click Establish Trust. Use the vCenter Certificate option, which generates a new certificate just for this connection.
12. Copy the certificate, and click Done.
    Before you copy the certificate, wait for the screen to refresh because the certificate details can vary if you copy too quickly.
13. Return to the KMIP adapters page, and view the details of your KMIP adapter.
14. Under Adapter details, select the SSL certificates tab. Click Add certificate, and paste the certificate that you copied from vCenter.
    The key provider health status might take several minutes to change in vCenter Server.
Setting the new key provider as default
Set the new key provider as default so that all new virtual machines (VMs) are encrypted by the new key provider.
- In vCenter Server, choose the vCenter object.
- Go to Configure > Key Providers, select the new key provider, and click Set As Default.
Migrating encrypted resources to the new key provider
You can use the vCenter Server console to migrate some of your encrypted resources to the new key provider. However, in some cases you must use PowerCLI commands, and PowerCLI is also the practical choice if you have many resources to migrate.
Install PowerCLI on a convenient server with network access to vCenter, and run the Connect-VIServer command to connect to your vCenter. For more information, see PowerCLI Installation Guide.
Migrating vSphere encrypted VMs to the new key provider
If you are operating with a mix of vCenter Server 8 and vSphere 7 hosts, or with vSphere 8 hosts on versions earlier than 8u3e, rekeying a virtual machine can cause it to restart. To resolve this issue, see Encrypted VM with Change Block Tracking (CBT) enabled unexpectedly powers off after shallow rekey operation.
After you set the new key provider to default, select any VM in the inventory. Then, go to Actions > VM Policies > Re-encrypt to do a shallow rekey of the virtual machine to the new key provider.
You can also rekey multiple encrypted virtual machines at the same time by using a PowerCLI script similar to the following sample script:
# Look up the new native KMIP key provider by its name in vCenter (replace <new-kmip> with that name).
$kp = Get-KeyProvider <new-kmip>
foreach ($vm in Get-VM) {
    # Only encrypted VMs carry a KeyId; rekey those to the new provider without prompting.
    if ($vm.ExtensionData.Config.KeyId) {
        Set-VM $vm -KeyProvider $kp -Confirm:$false
    }
}
Migrating vSAN encryption to the new key provider
After you set the new key provider as default, rekey both your vSAN cluster and the host encryption keys for your cluster in the vCenter Server console.
- Select Configure > vSAN > Services, then under the Data Services section, click Edit.
- Under Data-At-Rest encryption, select your new key provider from the menu, and click Apply. A shallow rekey of vSAN and of the host encryption keys for that cluster is completed.
Migrating host encryption to the new key provider
If you are using only vSphere encryption and not vSAN encryption, you must use the PowerCLI tool to rekey the encrypted hosts in your environment. The following sample script shows how to rekey all the encrypted hosts in an environment that are in safe mode, meaning that the host has been issued a host key for encryption of core dumps:
# Look up the new native KMIP key provider by its name in vCenter (replace <new-kmip> with that name).
$kp = Get-KeyProvider <new-kmip>
foreach ($vmhost in Get-VMHost) {
    # A host in the "safe" crypto state holds a host key; move that key to the new provider.
    if ($vmhost.ExtensionData.Runtime.CryptoState -eq "safe") {
        Set-VMHost $vmhost -KeyProvider $kp
    }
}
Deleting the old KMIP provider
After you rekey all the VMs, remove the old key provider in the vCenter Server console.
Verifying key provider settings
Before you remove the original key provider, you must verify that your resources are successfully rekeyed by running the following PowerCLI script to display the key provider for all resources:
# Virtual machines: the provider of an encrypted VM is recorded in its KeyId.
# Unencrypted VMs have no KeyId, so their provider column is empty.
$vmlist = @()
foreach ($vm in Get-VM) {
    $vmlist += [pscustomobject]@{ vm = $vm.name; provider = $vm.ExtensionData.Config.KeyId.ProviderId.Id }
}
$vmlist | Format-Table

# ESXi hosts: the host key provider is exposed through the host's runtime view.
$hostlist = @()
foreach ($vmhost in Get-VMHost) {
    $vmhostview = Get-View $vmhost
    $hostlist += [pscustomobject]@{ host = $vmhost.name; provider = $vmhostview.Runtime.CryptoKeyId.ProviderId.Id }
}
$hostlist | Format-Table

# vSAN clusters: the data-at-rest encryption configuration names the KMS provider in use.
$clusterlist = @()
$vsanclusterconfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system"
foreach ($cluster in Get-Cluster) {
    $encryption = $vsanclusterconfig.VsanClusterGetConfig($cluster.ExtensionData.MoRef).DataEncryptionConfig
    $clusterlist += [pscustomobject]@{ cluster = $cluster.name; provider = $encryption.KmsProviderId.Id }
}
$clusterlist | Format-Table
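The listing above leaves it to the reader to spot resources that are still keyed by the old provider. The following script is an added example, not part of the IBM documentation or the PowerCLI product: it collects the same three resource classes, skips unencrypted VMs, hosts without a host key and clusters without vSAN encryption, and reports every resource whose provider differs from the new one, returning a non-zero exit code if any remain. It assumes an active Connect-VIServer session, that the PowerCLI storage and vSAN modules are loaded, and that the provider ID recorded on a resource equals the name of the key provider as shown in vCenter. The parameter name NewProviderName is this example's own.

```powershell
# Added example (not IBM or VMware code). Run it before deleting the old KMIP instance:
#   .\Check-KeyProvider.ps1 -NewProviderName <new-kmip>
# Assumes Connect-VIServer has already been run and that the provider ID stored on each
# resource matches the key provider name shown in vCenter (an assumption of this example).
param(
    [Parameter(Mandatory = $true)][string]$NewProviderName
)

$report = @()

# Virtual machines: an encrypted VM carries a KeyId whose ProviderId names its key provider.
foreach ($vm in Get-VM) {
    $keyId = $vm.ExtensionData.Config.KeyId
    if ($keyId) {
        $report += [pscustomobject]@{
            Type     = 'VM'
            Name     = $vm.Name
            Provider = $keyId.ProviderId.Id
        }
    }
}

# ESXi hosts: only hosts in the "safe" crypto state hold a host key for core dump encryption.
foreach ($vmhost in Get-VMHost) {
    $runtime = $vmhost.ExtensionData.Runtime
    if ($runtime.CryptoState -eq 'safe' -and $runtime.CryptoKeyId) {
        $report += [pscustomobject]@{
            Type     = 'Host'
            Name     = $vmhost.Name
            Provider = $runtime.CryptoKeyId.ProviderId.Id
        }
    }
}

# vSAN clusters: data-at-rest encryption records its KMS provider in the cluster configuration.
$vsanConfig = Get-VsanView -Id 'VsanVcClusterConfigSystem-vsan-cluster-config-system'
foreach ($cluster in Get-Cluster) {
    $enc = $vsanConfig.VsanClusterGetConfig($cluster.ExtensionData.MoRef).DataEncryptionConfig
    if ($enc -and $enc.EncryptionEnabled) {
        $report += [pscustomobject]@{
            Type     = 'vSANCluster'
            Name     = $cluster.Name
            Provider = $enc.KmsProviderId.Id
        }
    }
}

# Any encrypted resource not yet on the new provider blocks removal of the old KMIP instance.
$stragglers = @($report | Where-Object { $_.Provider -ne $NewProviderName })

$report | Format-Table -AutoSize
if ($stragglers.Count -gt 0) {
    Write-Warning ("{0} resource(s) still use a key provider other than '{1}':" -f $stragglers.Count, $NewProviderName)
    $stragglers | Format-Table -AutoSize
    exit 1
}
Write-Host "All encrypted resources use key provider '$NewProviderName'."
exit 0
```

The exit code lets you run the check from a change pipeline and stop the deletion step automatically if a VM or host was missed; rerun the rekey steps for the reported resources and then run the check again.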
Removing the old key provider
- Go to IBM Cloud for VMware Solutions console.
- Delete the KMIP for VMware instance that is provisioned with the old KMIP provider.
For completeness, delete all the old unused keys that were created by the old KMIP for VMware adapter in the vCenter Server console. You can either delete the keys manually or use a CLI command. You can identify these keys by name, since their names contain vmware_kmip as a prefix.
The KMIP keys that are created by the new native adapter are displayed under the Adapter details > KMIP symmetric keys tab of your KMIP adapter.