KMIP for VMware overview
Key Management Interoperability Protocol (KMIP™) for VMware® support for Key Protect will end on 16 July 2026, after which interoperability with the Key Protect service will no longer work. Migrate to IBM® Key Protect for IBM Cloud®.
This announcement is applicable only to customers who are using the KMIP for VMware support for Key Protect. Customers who are using KMIP for VMware support for Hyper Protect Crypto Services (HPCS) remain unaffected by this announcement. The KMIP for VMware support for HPCS continues to function as usual without any impact.
The Key Management Interoperability Protocol (KMIP™) for VMware® service provides a highly available service to manage encryption keys that are used by VMware in IBM Cloud®. This service offers runtime capability to allow customers to create, retrieve, activate, revoke, and delete the encryption keys. It also provides management capability to maintain the associations between the client credentials and the encryption keys.
The KMIP for VMware service is available as a stand-alone service without being associated with a VMware instance. Each instance of the service can serve one or more VMware Cloud Foundation for Classic - Automated or VMware Cloud Foundation for Classic - Flexible instances.
The following client applications are supported:
- vCenter Server 6.7, 7.0, and 8.0
- vSphere 6.7 and 7.0
Technical specifications for KMIP for VMware
For more information about resource requirements and planning for KMIP for VMware, see Planning for KMIP for VMware.
The following specifications are included with the KMIP for VMware service:
- A VMware-compatible KMIP
- Two managed services - Key Protect and Hyper Protect Crypto Services
- Available in multiple geographic regions worldwide
- Highly available KMIP network service endpoints provided in each region
Before you order KMIP for VMware
KMIP for VMware uses either the IBM Key Protect service or the IBM Hyper Protect Crypto Services (HPCS) service to create, encrypt, and decrypt encryption keys.
Before you install KMIP for VMware, complete the following tasks and review the following information:
- Order a usable Key Protect or HPCS service instance in the IBM Cloud region where your KMIP for VMware instance is to be hosted. If you are using HPCS, in addition to provisioning the HPCS service, you must also initialize your crypto instance so that HPCS can provide key-related functions.
For more information, see the following topics:
- If you are using Key Protect, complete the following tasks:
  - Create an IBM Cloud service ID by following the steps in Creating a service ID in the console. This service ID is used to access the Key Protect instance that you created.
  - Grant the following access levels for the service ID:
    - At the platform access level: Viewer authority to your Key Protect or HPCS service instance.
    - At the service access level: Manager authority to your Key Protect or HPCS service instance.
  - You must have an API key for the created service ID. The API key is required when you order the service.
- Import or create at least one customer root key (CRK) by using the GUI or API of Key Protect or HPCS.
If you are using HPCS, the CRK must be created within the default key ring for the HPCS instance.
For more information about Key Protect, see the following topics:
For more information about HPCS, see the following topics:
- Ensure that your IBM Cloud infrastructure account is enabled for Virtual Routing and Forwarding (VRF) and for connectivity to service endpoints.
For more information, see the following topics:
Only private connections are supported. As a result, you don't need to configure firewall or SNAT rules in vCenter Server for the network connectivity from vCenter Server to the endpoint of the KMIP for VMware instance. For more information, see KMIP for VMware solution architecture.
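The service ID grants listed in the prerequisites (Viewer at the platform level, Manager at the service level, on your key-management instance) can be verified after they are created. The following is an added example, not IBM's code: it audits IAM access policy documents for the service ID and reports missing roles or grants broader than that one instance. It assumes the IBM Cloud IAM v1 policy JSON shape and the service names `kms` (Key Protect) and `hs-crypto` (HPCS), treats any extra or wider grant as a finding, and uses constructed placeholder IDs.

```python
# Added example: audit IAM access policies for the KMIP for VMware service ID.
# Assumption: policies use the IBM Cloud IAM v1 policy document shape.
VIEWER = "crn:v1:bluemix:public:iam::::role:Viewer"            # platform access
MANAGER = "crn:v1:bluemix:public:iam::::serviceRole:Manager"   # service access
REQUIRED_ROLES = {VIEWER, MANAGER}
KEY_SERVICES = {"kms", "hs-crypto"}  # Key Protect, HPCS service names


def audit_service_id(policies, iam_id, instance_guid):
    """Return findings for iam_id; an empty list means the grants match."""
    findings, granted = [], set()
    for p in policies:
        subjects = {a["value"] for s in p.get("subjects", [])
                    for a in s.get("attributes", []) if a["name"] == "iam_id"}
        if p.get("type") != "access" or iam_id not in subjects:
            continue  # policy belongs to another identity
        pid = p.get("id", "?")
        roles = {r["role_id"] for r in p.get("roles", [])}
        for res in p.get("resources", []):
            attrs = {a["name"]: a["value"] for a in res.get("attributes", [])}
            service, inst = attrs.get("serviceName"), attrs.get("serviceInstance")
            if service not in KEY_SERVICES:
                findings.append(f"{pid}: grant outside the key service ({service or 'all services'})")
            elif inst is None:  # no instance attribute: applies to all instances
                findings.append(f"{pid}: covers every {service} instance")
                granted |= roles
            elif inst != instance_guid:
                findings.append(f"{pid}: grant on another instance ({inst})")
            else:
                granted |= roles
                findings += [f"{pid}: extra role {r}" for r in sorted(roles - REQUIRED_ROLES)]
    findings += [f"missing required role {r}" for r in sorted(REQUIRED_ROLES - granted)]
    return findings


def _policy(pid, iam_id, roles, **attrs):
    """Build a constructed sample policy (not real account data)."""
    return {"id": pid, "type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
            "roles": [{"role_id": r} for r in roles],
            "resources": [{"attributes": [{"name": k, "value": v}
                                          for k, v in attrs.items()]}]}


SID = "iam-ServiceId-EXAMPLE"                    # placeholder service ID
GUID = "00000000-0000-0000-0000-000000000000"    # placeholder instance GUID
GOOD = [_policy("p1", SID, [VIEWER, MANAGER], serviceName="kms", serviceInstance=GUID)]
BROAD = [_policy("p2", SID, [VIEWER, MANAGER], serviceName="kms"),
         _policy("p3", SID, [VIEWER], serviceName="cloud-object-storage")]
```

Policies that narrow access further with other resource attributes are treated here as instance-scoped; extend the attribute check if your account uses them.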