You add a Key Management Server (KMS) to your vCenter Server system from the vSphere Web Client.
vCenter Server creates a KMS cluster when you add the first KMS instance. If you configure the KMS cluster on two or more vCenter Servers, make sure you use the same KMS cluster name.
Do not deploy your KMS servers on the vSAN cluster you plan to encrypt. If a failure occurs, hosts in the vSAN cluster must communicate with the KMS.
When you add the KMS, you are prompted to set this cluster as a default. You can later change the default cluster explicitly.
After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster.
You can set up the cluster with only one KMS instance.
If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.
Verify that the key server is in the vSphere Compatibility Matrixes and is KMIP 1.1 compliant.
Verify that you have the required privileges:
Connecting to a KMS by using only an IPv6 address is not supported.
Connecting to a KMS through a proxy server that requires user name or password is not supported.
- Log in to the vCenter Server system with the vSphere Web Client.
- Browse the inventory list and select the vCenter Server instance.
- Click Configure and click Key Management Servers.
- Click Add KMS, specify the KMS information in the wizard, and click OK.
Select Create new cluster for a new cluster. If a cluster exists, you can select that cluster.
Name for the KMS cluster. You can use this name to connect to the KMS if your vCenter Server instance becomes unavailable.
Alias for the KMS. You can use this alias to connect to the KMS if your vCenter Server instance becomes unavailable.
IP address or FQDN of the KMS.
Port on which vCenter Server connects to the KMS.
Optional proxy address for connecting to the KMS.
Optional proxy port for connecting to the KMS.
Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this functionality, and if you intend to use it.
Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this functionality, and if you intend to use it.