The DNE Key Manager is the component of the Distributed Network Encryption (DNE) feature that manages the keys used to provide encrypted and authenticated connections between two endpoints within a Software Defined Data Center (SDDC).

To use DNE, you must download and install the DNE Key Manager separately. The DNE Key Manager supports the OVA/OVF deployment method on ESXi.


You must have the NSX-T Enterprise license to use DNE.

The DNE Key Manager communicates with the NSX Manager and Hypervisors across SSL/TLS connections. DNE authenticates and encrypts network traffic for both vSphere and KVM hosts.

Table 1. DNE Key Manager Deployment, Platform, and Installation Requirements



Supported platforms

You can use the vSphere high availability (HA) feature to ensure the availability of the DNE Key Manager is deployed on ESXi.


  • At least eight characters

  • At least one lower-case letter

  • At least one upper-case letter

  • At least one digit

  • At least one special character

  • At least five different characters

  • No dictionary words

  • No palindromes

Port number

8992 for NSX Manager

443 for vSphere or KVM Hosts


Port configuration is handled automatically after a successful installation.

VMware Tools

The DNE Key Manager VM running on ESXi has VMTools installed. Do not remove or upgrade VMTools.

NSX Manager Installation Scenarios

  • After you deploy DNE Key Manager from an OVA/OVF file, you cannot change the VM's IP settings by powering off the VM and modifying the OVA/OVF settings from vCenter Server. If you change the DNE Key Manager IP address, you must re-register it with the management plane.


    The core services on the appliance do not start until a password with sufficient complexity is set.

  • When you install DNE Key Manager from an OVA or OVF file, either from vSphere Web Client or the command line, OVA/OVF property values such as usernames, passwords, or IP addresses are not validated before the VM is powered on. Make sure that the root and admin user passwords meet the password complexity requirements.

  • Your passwords must comply with the password strength restrictions. NSX-T appliances enforce the complexity rules described in the password requirements.

  • The installation succeeds if the password does not meet the requirements. However, when you log in for the first time, you are prompted to change the password.

  • To support backup and restore, the DNE Key Manager must have static management IP addresses. Using DHCP to assign management IP addresses is not supported. Changing management IP addresses is not supported. See NSX-T Administration Guide for backup and restore information.