As a cloud provider, refer to the content in this chapter to learn how to set up VMware Cloud Director Encryption Management for your tenants.

Before you begin

Before you install and configure the VMware Cloud Director Encryption Management solution, you must first prepare your environment.

The VMware Cloud Director Encryption Management appliance requires your VMware Cloud Director environment to be configured in a specific way. To prepare all components in your environment, make sure you meet the requirements in the following table.

Product Requirements
vSphere
  • A default key provider must be defined.

    The default key provider is used in the scenario of unpublishing a key provider from a tenant. This key provider is also used for encryption if a VM is deployed with an encrypted storage policy and the tenant has not yet configured a default key provider for their organization VDC.

    Note:

    For vSphere 8.0 and later, a native or standard key provider may be configured as the default one. For all other versions, a standard key provider must be configured as the default key provider. For more details about vSphere encryption support, refer to Virtual Machine Encryption Interoperability in the vSphere Documentation.

VMware Cloud Director
  • Running version 10.5.1
  • Configure an organization VDC capable of running VMs as the solution landing zone for the VMware Cloud Director Encryption Management solution add-on.

    Refer to Configure Solution Landing Zone in the VMware Cloud Director Documentation.

  • The smallest appliance size for VMware Cloud Director Encryption Management solution is 2 vCPU and 4 GB memory. Larger sizes are available but not needed unless you are supporting encryption of many objects. You must secure enough resources in your solution landing zone to run the appliance.

  • One or more storage policies with encryption enabled (VM Encryption Policy) added to your provider VDC and organization VDCs.

Key Provider

  • Obtain the key provider's IP address, port, and proxy settings.

  • vCentre Server must have network connectivity to the key provider. The default key provider port is 5696.

VMware Cloud Director Encryption Management

Installing VMware Cloud Director Encryption Management

You install VMware Cloud Director Encryption Management on a configured VMware Cloud Director solution landing zone.

Prerequisites

Make sure your environment is prepared.

Procedure

  1. Open the VMware Cloud Director provider portal.
  2. On the top navigation bar, click More > Solution Add-On Management.
  3. Click UPLOAD.
  4. Click Browse Files and select the VMware Cloud Director Encryption Management ISO on your local drive.
  5. Make sure Create add-on instance after upload is completed is checked.
  6. Click UPLOAD.
  7. Once the upload is completed, click Finish.
  8. Accept the VMware license agreement.
  9. Enter the solution input parameters.
    1. Enter a name for the VMware Cloud Director Encryption Management add-on instance.
    2. Select the deployment configuration.
    3. (Optional) Enter the name of an existing global role which will be granted full access to VMware Cloud Director Encryption Management.
      The default global role is the built-in Organization Administrator. If the specified global role does not exist in the system, the solution will still operate but no access is granted to tenants. In order to grant access, follow these steps after the installation is complete.
    4. Click Next.
  10. On the final step of the wizard, review the details and click Finish.

Results

The solution is being installed with a PENDING installation status. Wait until the installation status is READY and reload the browser page, before proceeding with configuring VMware Cloud Director Encryption Management.

Register key provider with VMware Cloud Director Encryption Management

You register a key provider with VMware Cloud Director Encryption Management and associate it with a vCenter Server.

Prerequisites

  • Verify that VMware Cloud Director Encryption Management is installed in your environment.
  • Obtain the IP address and port of the key provider you are registering. The default port is 5696.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
    If this is the first key provider you are registering, an introductory page is displayed.
  2. To register a key provider, click Get Started or Register.
  3. Fill in the key provider details.
    Filling in key provider details in VMware Cloud Director Encryption Management.
    1. Enter a key provider name.
    2. (Optional) Enter a description.
      This description will be visible to tenant administrators.
    3. (Optional) To upload an icon from your local drive, click Browse.
    4. Enter the key provider's IP address and port.
    5. (Optional) To set up a proxy, expand PROXY SETTINGS and enter the proxy address and port.
    6. Click Next.
  4. Select the vCenter Server to be associated with the key provider.
    If you are registering a key provider with a selected vCenter Server for the first time, you are prompted to enter the vCenter Server username and password.
  5. Click Register.
    You are prompted to validate and trust the key provider certificate.

Publish key provider to tenant organization

To grant tenant access to a key provider, you publish a key provider registered in VMware Cloud Director Encryption Management to a tenant organization.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Next to the key provider you want to publish, click the vertical-ellipsis icon (Vertical-ellipsis icon) > Publish.
  3. From the list of organizations, select the ones you want to publish the key provider to.
  4. Click PUBLISH.

Unpublish key provider from a tenant

If you want to revoke a tenant organization's access to a key provider, you can unpublish the key provider from their organization.

Prerequisites

To unpublish a key provider, vSphere must be configured with a default key provider or there must be no tenant objects encrypted with the key provider you want to unpublish.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Click the name of the key provider you want to unpublish.
  3. Next to the organization you want to unpublish the key provider from, click the vertical-ellipsis icon (Vertical-ellipsis icon) and click Unpublish.
  4. Move the slider to the right, review the information and if you agree, select the check box, and click UNPUBLISH.

Results

The unpublish process runs in the background. The organization is revoked access to the key provider and all affected objects are re-encrypted with vSphere's default key provider.

Edit key provider

You can edit a registered key provider's details and network configuration.

Important:

If you edit the network configuration of a key provider, all tenants with access to the key provider must re-authenticate to it before they can use it again. Failiure to authenticate after changing the network configuration may prevent tenants from performing operations on existing encrypted objects as well as create new encrypted ones. You are responsible of notifying your tenants about this change.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Click the name of the key provider you want to edit.
  3. Click Edit.
  4. Edit the key provider details.
    1. Enter a key provider name.
    2. (Optional) Enter a description.
    3. (Optional) To upload an icon from your local drive, click Browse.
    4. Enter the key provider's IP address and port.
    5. (Optional) To set up a proxy, expand PROXY SETTINGS and enter the proxy address and port.
    6. Click SUBMIT.