As a tenant, refer to the content in this chapter to learn how to configure and manage encryption with VMware Cloud Director Encryption Management.

Encrypting objects in VDCs

With VMware Cloud Director Encryption Management, you can encrypt VMs, vApp templates, and non-shared named disks in your VDCs with keys from your key provider. Encryption of VMs with a Virtual Trusted Platform Module (vTPM) is also supported. Encrypting objects with VMware Cloud Director Encryption Management works the same way as encryption normally does in VMware Cloud Director. For more details about encryption in VMware Cloud Director, refer to the VMware Cloud Director Documentation.

Set up key provider

You set up your key provider for encryption by authenticating to it with your credentials and setting up an encryption key.

Prerequisites

  • You have a third-party key provider account and access to the key provider credentials.
  • Your cloud provider has already registered and published the key provider to your organization.
  • You must have a tenant role that grants you the right to configure key providers.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. In the card of an available key provider, click Configure.
  3. Fill in the user credentials or client certificate of your key provider and click Register.
    Some key providers support only one authentication method, while others let you choose. For more information, refer to the documentation of your key provider.
  4. Add a key for encryption.
    1. To generate a new key in your key provider, click GENERATE KEY.
    2. Alternatively, to use a pre-generated key, paste the key ID.
      Note: You must ensure that the key is of type AES-256. For more information on how to find a key ID in your key provider, refer to the documentation of your key provider.
    The key ID returned by the key provider is displayed. The format of key IDs may vary between key providers.
  5. Select one or more organization VDCs whose VMs, vApp templates, and non-shared named disks you want to encrypt with this key, and click SUBMIT.

Results

All encrypted objects in the selected organization VDCs are re-encrypted in the background with the selected encryption key. All objects subsequently created in those VDCs are also encrypted with that key.

Configure virtual data center encryption

You can encrypt virtual data centers (VDCs) that have no associated key provider, or override the encryption of VDCs that are already encrypted.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Click the name of the key provider you want to use.
  3. Click ENCRYPT ORG VDCS.
  4. To generate a new key in your key provider, click GENERATE KEY, or alternatively paste the ID of a pre-generated key.
    Note: You must ensure that the key is of type AES-256. For more information on how to find a key ID in your key provider, refer to the documentation of your key provider.

  5. Select which organization VDCs will use this key for encryption.
  6. Click SUBMIT.

Results

The encryption process runs in the background, re-encrypting all affected objects with the specified key.

Change virtual data center encryption key

You can change the encryption key of an encrypted virtual data center (VDC).

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Click the name of the key provider you want to use.
  3. Next to the VDC, click the vertical-ellipsis icon and click Change Key.
  4. To generate a new key in your key provider, click GENERATE KEY, or alternatively paste the ID of a pre-generated key.
  5. Confirm that you want to perform the operation and click SUBMIT.

Results

The encryption process runs in the background, re-encrypting all affected objects with the specified key.

Deactivate virtual data center encryption

You can deactivate the encryption of a virtual data center (VDC) by removing the key used for encryption.

Prerequisites

vSphere must either be configured with a default key provider, or the VDC must contain no encrypted objects. If no default key provider is configured and the VDC contains encrypted objects, you cannot deactivate the VDC encryption. For more information, refer to the vSphere Documentation.

Procedure

  1. On the top navigation bar, click More > Encryption Management.
  2. Click the name of the key provider used to encrypt the VDC you want to manage.
  3. Next to the VDC, click the vertical-ellipsis icon and click Remove Key From Org VDC.
  4. Move the slider to the right, review the information, and click UNREGISTER.

Results

The process runs in the background, re-encrypting all affected objects with the default key provider configured in vSphere.