As a tenant, refer to the content in this chapter to learn how to configure and manage encryption with VMware Cloud Director Encryption Management.

Encrypting objects in VDCs

With VMware Cloud Director Encryption Management, you can encrypt VMs, vApp templates and non-shared named disks in your VDCs with keys from your key provider. Encryption of VMs with Virtual Trusted Platform Module (vTPM) is also supported. Encrypting objects with VMware Cloud Director Encryption Management works the same way as encryption normally does in VMware Cloud Director. For more details about encryption in VMware Cloud Director, refer to this topic in the VMware Cloud Director Documentation.

Set up key provider

You set up your key provider for encryption by authenticating to it with your credentials and setting up your encryption policies.

Prerequisites

  • You have a third-party key provider account and access to the key provider credentials.
  • Your cloud provider has already registered and published the key provider to your organization.
  • You must have a tenant role that grants you the right to configure key providers.

Procedure

  1. From the side navigation bar, expand More and select Encryption Management.
  2. In the card of an available key provider, click Configure.
  3. Fill in your vCenter Server user credentials or the client certificate and private key of your key provider and click REGISTER.
    Some key providers support only one authentication method, while others let you choose. For more information, refer to the documentation of your key provider.
  4. Generate a new key in your key provider.
    1. Select a key type.
      • To use the same encryption key for all objects, select Use the same key every time and click GENERATE KEY. Alternatively you can paste the ID of a pre-generated key.
        Note: You must use an AES-256 key. For more information on how to find a key ID in your key provider, refer to the documentation of your key provider.
      • To use a unique encryption key for each object, select Generate a new key every time.
    2. (Optional) Specify a rotation schedule for your encryption keys.
      You can rotate your encryption keys on a daily, weekly, or monthly basis.
      Filling in key rotation schedule details in VMware Cloud Director Encryption Management.
  5. Select which organization VDCs will use this key for encryption.
  6. Select a storage policy.
    • To use the encryption key for all existing storage policies in your VDC, select All storage policies.
    • To use the encryption key for specific storage policies only, select Specific storage policies and click the check boxes next to the listed storage policy names.
  7. Review your encryption details and click SUBMIT.

Results

The encryption process runs in the background, re-encrypting all affected objects with the specified key.

Configure virtual data center encryption policy

You can encrypt virtual data centers (VDCs) without an associated key provider or override the encryption of already encrypted VDCs.

Procedure

  1. From the side navigation bar, expand More and select Encryption Management.
  2. Click the name of the key provider you want to use.
  3. Click ENCRYPT ORG VDCS.
  4. Generate a new key in your key provider.
    1. Select a key type.
      • To use the same encryption key for all objects, select Use the same key every time and click GENERATE KEY. Alternatively you can paste the ID of a pre-generated key.
        Note: You must use an AES-256 key. For more information on how to find a key ID in your key provider, refer to the documentation of your key provider.
      • To use a unique encryption key for each object, select Generate a new key every time.
    2. (Optional) Specify a rotation schedule for your encryption keys.
      You can rotate your encryption keys on a daily, weekly, or monthly basis.
  5. Select which organization VDCs will use this key for encryption.
  6. Select a storage policy.
    • To use the encryption key for all existing storage policies in your VDC, select All storage policies.
    • To use the encryption key for specific storage policies only, select Specific storage policies and click the check boxes next to the listed storage policy names.
  7. Review your encryption details and click SUBMIT.

Results

The encryption process runs in the background, re-encrypting all affected objects with the specified key.

Change virtual data center encryption policy

You can change the encryption policy details of your virtual data center (VDC).

Procedure

  1. From the side navigation bar, expand More and select Encryption Management.
  2. Click the name of the key provider you want to use.
  3. Under Encryption Policies, next to your VDC, click the vertical-ellipsis icon and click Edit Encryption Policy.
  4. Change the encryption key type and rotation schedule.
    1. Select a key type.
      • To use the same key for all objects in your VDC, select Use the same key every time and click GENERATE KEY. Alternatively you can paste the ID of a pre-generated key.
        Note: You must use an AES-256 key. For more information on how to find a key ID in your key provider, refer to the documentation of your key provider.
      • To use a dedicated encryption key for each object in your VDC, select Generate a new key every time.
    2. (Optional) Specify a rotation schedule for your encryption keys.
      You can rotate your encryption keys on a daily, weekly, or monthly basis.
  5. (Optional) Change your storage policy.
    • To use the encryption key for all existing storage policies in your VDC, select All storage policies.
    • To use the encryption key for specific storage policies only, select Specific storage policies and click the check boxes next to the listed storage policy names.
    Note: If you change your storage policy encryption from All storage policies to Specific storage policies, storage policies created later on the selected organization VDC are not assigned automatically to your encryption policy. You must select and assign them manually from the list, otherwise objects placed on those storage policies remain unencrypted.
  6. Review your changes and click SUBMIT.

Results

The encryption process runs in the background, re-encrypting all affected objects with the specified key.

Remove virtual data center encryption policy

You can deactivate the encryption of a virtual data center (VDC) by removing the policy used for encryption.

Prerequisites

To remove your current encryption policy, your vCenter instance must be configured with a default key provider. If no default key provider is configured and the VDC contains encrypted objects, deactivating the encryption policy leaves those objects unreachable after they are powered off. For more information, refer to the vCenter documentation.

Procedure

  1. From the side navigation bar, expand More and select Encryption Management.
  2. Click the name of the key provider used to encrypt the VDC you want to manage.
  3. Under Encryption Policies, next to your VDC, click the vertical-ellipsis icon and click Remove Encryption Policy.
  4. Remove the encryption policy.
    • To remove your encryption policy and use the default key provider that you configured in your vCenter instance, select Re-encrypt using the Default Key Provider and click REMOVE.
    • To remove your encryption policy without specifying a new policy, select Do not re-encrypt.
      1. (Optional) To remove the encryption keys that are cached in vSphere, select Purge keys cache.
      2. (Optional) To power off your encrypted objects, select Power Off encrypted VMs.
      3. Enter the name of your VDC and click REMOVE.

Results

The process runs in the background for all affected objects.
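The following Python script is an added example and is not part of this documentation or of VMware Cloud Director. It models the rules this chapter states (keys must be AES-256; a policy scoped to specific storage policies does not pick up storage policies created later; keys rotate daily, weekly or monthly; removing a policy without a default key provider or without re-encryption leaves encrypted objects unreachable after power-off) and audits constructed policy records against them, so an operator can review a planned configuration before clicking SUBMIT or REMOVE. The `Vdc` and `EncryptionPolicy` records, their field names, the `removal_is_safe` option names and all sample values are assumptions made for illustration, not VMware Cloud Director API objects.

```python
"""Audit VDC encryption-policy records against the rules stated in this chapter.

Hypothetical data model for illustration only; not the VMware Cloud Director API.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

REQUIRED_KEY_ALGORITHM = "AES-256"          # the only key type the chapter permits
ROTATION_SCHEDULES = ("daily", "weekly", "monthly")


@dataclass
class Vdc:
    name: str
    storage_policies: List[str]             # every storage policy present in the VDC
    encrypted_objects: int                  # VMs, templates, named disks already encrypted
    default_key_provider: bool              # backing vCenter has a default key provider


@dataclass
class EncryptionPolicy:
    vdc: str
    key_mode: str                           # "same_key" or "new_key_every_time"
    key_algorithm: str
    storage_scope: str                      # "all" or "specific"
    assigned_storage_policies: List[str] = field(default_factory=list)
    rotation: Optional[str] = None          # None or one of ROTATION_SCHEDULES
    last_rotated: Optional[date] = None


def next_rotation_due(last_rotated: date, schedule: str) -> date:
    """Date the next rotation is due under a daily/weekly/monthly schedule."""
    if schedule == "daily":
        return last_rotated + timedelta(days=1)
    if schedule == "weekly":
        return last_rotated + timedelta(weeks=1)
    if schedule == "monthly":
        year = last_rotated.year + last_rotated.month // 12
        month = last_rotated.month % 12 + 1
        # Clamp the day so that e.g. Jan 31 rolls to the last day of February.
        day = min(last_rotated.day, calendar.monthrange(year, month)[1])
        return date(year, month, day)
    raise ValueError(f"unknown rotation schedule: {schedule!r}")


def audit_policy(policy: EncryptionPolicy, vdc: Vdc, today: date) -> List[str]:
    """Return human-readable findings for one VDC encryption policy."""
    findings: List[str] = []
    if policy.key_algorithm != REQUIRED_KEY_ALGORITHM:
        findings.append(f"{vdc.name}: key algorithm {policy.key_algorithm} is not "
                        f"allowed; use {REQUIRED_KEY_ALGORITHM}")
    if policy.storage_scope == "specific":
        # Storage policies created after the policy was scoped to "specific" are not
        # assigned automatically, so anything placed on them stays unencrypted.
        uncovered = sorted(set(vdc.storage_policies) - set(policy.assigned_storage_policies))
        if uncovered:
            findings.append(f"{vdc.name}: storage policies not covered by the "
                            f"encryption policy: {', '.join(uncovered)}")
    if policy.rotation is not None:
        if policy.rotation not in ROTATION_SCHEDULES:
            findings.append(f"{vdc.name}: invalid rotation schedule {policy.rotation!r}")
        elif policy.last_rotated is None:
            findings.append(f"{vdc.name}: rotation scheduled but key never rotated")
        else:
            due = next_rotation_due(policy.last_rotated, policy.rotation)
            if due < today:
                findings.append(f"{vdc.name}: key rotation overdue since {due.isoformat()}")
    return findings


def removal_is_safe(vdc: Vdc, option: str) -> Tuple[bool, str]:
    """Decide whether removing the VDC's encryption policy keeps objects reachable."""
    if option == "re_encrypt_default":
        if vdc.default_key_provider:
            return True, "objects are re-encrypted with the vCenter default key provider"
        return False, "no default key provider configured in vCenter; cannot re-encrypt"
    if option == "do_not_re_encrypt":
        if vdc.encrypted_objects == 0:
            return True, "no encrypted objects in the VDC"
        return False, (f"{vdc.encrypted_objects} encrypted objects become unreachable "
                       "after they are powered off")
    raise ValueError(f"unknown removal option: {option!r}")


# Constructed sample records, not taken from any real environment.
VDC_A = Vdc("vdc-a", ["gold", "silver", "bronze"], encrypted_objects=12,
            default_key_provider=False)
POLICY_A = EncryptionPolicy("vdc-a", "same_key", "AES-128", "specific",
                            assigned_storage_policies=["gold", "silver"],
                            rotation="monthly", last_rotated=date(2024, 1, 15))
VDC_B = Vdc("vdc-b", ["gold"], encrypted_objects=3, default_key_provider=True)
POLICY_B = EncryptionPolicy("vdc-b", "new_key_every_time", "AES-256", "all",
                            rotation="weekly", last_rotated=date(2024, 2, 26))

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for policy, vdc in ((POLICY_A, VDC_A), (POLICY_B, VDC_B)):
        for line in audit_policy(policy, vdc, today) or [f"{vdc.name}: no findings"]:
            print(line)
    for option in ("re_encrypt_default", "do_not_re_encrypt"):
        print(VDC_A.name, option, removal_is_safe(VDC_A, option))
```

Run as a script it prints the three findings for `vdc-a` (non-AES-256 key, the uncovered `bronze` storage policy, and an overdue monthly rotation), reports no findings for `vdc-b`, and shows that neither removal option is safe for `vdc-a` because its vCenter has no default key provider and it still holds encrypted objects. In a real environment the records would be populated from your own inventory export rather than hard-coded.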