IBM Cloud Docs
KMIP for VMware overview

KMIP for VMware overview

The Key Management Interoperability Protocol (KMIP™) for VMware® service provides a highly available service to manage encryption keys that are used by VMware in IBM Cloud®. This service offers runtime capability to allow customers to create, retrieve, activate, revoke, and destroy the encryption keys. It also provides management capability to maintain the associations between the client credentials and the encryption keys.

The KMIP for VMware service is available as a stand-alone service without being associated to a VMware instance. Each instance of the service can serve one or more VMware Cloud Foundation for Classic - Automated or VMware Cloud Foundation for Classic - Flexible instances.

The supported client applications are:

  • vCenter Server 6.7, 7.0, and 8.0
  • vSphere 6.7 and 7.0

Technical specifications for KMIP for VMware

For more information about resource requirements and planning for KMIP for VMware, see Planning for KMIP for VMware.

The following specifications are included with the KMIP for VMware service:

  • A VMware-compatible KMIP
  • Two managed services - Key Protect and Hyper Protect Crypto Services
  • Available in multiple geographic regions worldwide
  • Highly available KMIP network service endpoints provided in each region

Before you order KMIP for VMware

KMIP for VMware uses either the IBM Key Protect service or the IBM Hyper Protect Crypto Services (HPCS) service to create, encrypt, and decrypt encryption keys.

Before you install KMIP for VMware, complete the following tasks and review the following information:

  1. Order a usable Key Protect or HPCS service instance in the IBM Cloud region where your KMIP for VMware instance is to be hosted. If you are using HPCS, in addition to provisioning the HPCS service, you must also initialize your crypto instance so that HPCS can provide key-related functions.

    For more information, see:

  2. If you are using Key Protect, complete the following tasks:

    1. Create an IBM Cloud service ID by following the steps in Creating a service ID in the console. This service ID is used to access the Key Protect instance that you created.
    2. Grant the following access levels for the service ID:
      • At the platform access level - Viewer authority to your Key Protect or HPCS service instance.
      • At the service access level - Manager authority to your Key Protect or HPCS service instance.
    3. You must have an API key for the created service ID. The API key is required when you order the service.

  3. Import or create at least one customer root key (CRK) by using the GUI or API of Key Protect or HPCS.

    If you are using HPCS, the CRK must be created within the default key ring for the HPCS instance.

    For more information about Key Protect, see:

    For more information about HPCS, see:

  4. Ensure that your IBM Cloud infrastructure account is enabled for Virtual Routing and Forwarding (VRF) and for connectivity to service endpoints.

    For more information, see:

Only private connection is supported. As a result, you don't need to configure firewall or SNAT rules in vCenter Server for the network connectivity from vCenter Server to the endpoint of the KMIP for VMware instance. For more information, see KMIP for VMware solution architecture.