You add a Key Management Server (KMS) to your vCenter Server system from the vSphere Client.

vCenter Server creates a KMS cluster when you add the first KMS instance. If you configure the KMS cluster on two or more vCenter Servers, make sure you use the same KMS cluster name.

Note: Do not deploy your KMS servers on the vSAN cluster you plan to encrypt. If a failure occurs, hosts in the vSAN cluster must communicate with the KMS.
  • When you add the KMS, you are prompted to set this cluster as a default. You can later change the default cluster explicitly.
  • After vCenter Server creates the first cluster, you can add KMS instances from the same vendor to the cluster, and configure all KMS instances to synchronize keys among them. Use the method documented by your KMS vendor.
  • You can set up the cluster with only one KMS instance.
  • If your environment supports KMS solutions from different vendors, you can add multiple KMS clusters.

Prerequisites

  • Verify that the key server is in the vSphere Compatibility Matrixes and is KMIP 1.1 compliant.
  • Verify that you have the required privileges: Cryptographer.ManageKeyServers
  • Connecting to a KMS by using only an IPv6 address is not supported.
  • Connecting to a KMS through a proxy server that requires user name or password is not supported.

Procedure

  1. Log in to the vCenter Server.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure and click Key Management Servers.
  4. Click Add, specify the KMS information in the wizard, and click Add.
    The wizard asks for the following options (option: value).
    KMS cluster: Select Create new cluster for a new cluster. If a cluster exists, you can select that cluster.
    Cluster name: Name for the KMS cluster. You can use this name to connect to the KMS if your vCenter Server instance becomes unavailable.
    Server alias: Alias for the KMS. You can use this alias to connect to the KMS if your vCenter Server instance becomes unavailable.
    Server address: IP address or FQDN of the KMS.
    Server port: Port on which vCenter Server connects to the KMS.
    Proxy address: Optional proxy address for connecting to the KMS.
    Proxy port: Optional proxy port for connecting to the KMS.
    User name: Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a user name only if your KMS supports this functionality, and if you intend to use it.
    Password: Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password. Specify a password only if your KMS supports this functionality, and if you intend to use it.
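The same registration can be scripted. The following PowerCLI script is an added example, not part of the VMware documentation: it checks the two connectivity prerequisites listed above (an IPv4-resolvable address and a reachable KMIP port), then either creates the KMS cluster with its first KMS instance or adds a further instance to an existing cluster, mapping each wizard field to a cmdlet parameter. The cmdlet and parameter names are those of the VMware.VimAutomation.Storage module as recalled by the author of this example and should be confirmed with Get-Help before use; every host name, cluster name, alias and port is a constructed placeholder.

```powershell
# Added example, not VMware's code. Cmdlet/parameter names (New-KmsCluster, New-KmipServer,
# Get-KmsCluster, Get-KmipServer) are assumed from the VMware.VimAutomation.Storage module;
# confirm with Get-Help. All names, addresses and ports below are placeholders.
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Storage

$vcenter        = 'vcenter.example.internal'   # placeholder vCenter Server
$kmsClusterName = 'kms-cluster-prod'           # use the same name on every vCenter Server sharing this cluster
$kmsAlias       = 'kms1'                       # server alias, used if vCenter Server becomes unavailable
$kmsAddress     = 'kms1.example.internal'      # placeholder FQDN or IP of the KMS
$kmsPort        = 5696                         # IANA-registered KMIP port; use the port your KMS listens on

# Prerequisite check: the KMS address must resolve to an IPv4 address (IPv6-only is not supported).
$addresses = [System.Net.Dns]::GetHostAddresses($kmsAddress)
$ipv4 = $addresses | Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
if (-not $ipv4) {
    throw "$kmsAddress resolves to no IPv4 address; IPv6-only KMS connections are not supported."
}

# Prerequisite check: the KMIP port must be reachable before vCenter Server attempts its TLS handshake.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ipv4[0], $kmsPort)
} catch {
    throw "Port $kmsPort on $kmsAddress ($($ipv4[0])) is not reachable: $($_.Exception.Message)"
} finally {
    $tcp.Dispose()
}

# Requires the Cryptographer.ManageKeyServers privilege on the vCenter Server instance.
Connect-VIServer -Server $vcenter | Out-Null

# "KMS cluster" wizard field: select the existing cluster if present, otherwise create a new one.
$cluster = Get-KmsCluster -Name $kmsClusterName -ErrorAction SilentlyContinue
if ($null -eq $cluster) {
    # First instance: vCenter Server creates the cluster. -UseAsDefaultKeyProvider answers the
    # "set this cluster as a default" prompt; omit it to decide later.
    $cluster = New-KmsCluster -Name $kmsClusterName `
                              -KmipServerName $kmsAlias `
                              -KmipServerAddress $kmsAddress `
                              -KmipServerPort $kmsPort `
                              -UseAsDefaultKeyProvider
} else {
    # Additional instance: must be from the same vendor as the existing members; key
    # synchronization between instances is configured on the KMS side, not here.
    New-KmipServer -KmsCluster $cluster -Name $kmsAlias -Address $kmsAddress -Port $kmsPort | Out-Null
}

# Review what is now registered in the cluster.
Get-KmipServer -KmsCluster $cluster | Select-Object Name, Address, Port
```

The proxy and user name/password wizard fields correspond to the optional -ProxyServerAddress, -ProxyServerPort, -KmipServerUsername and -KmipServerPassword parameters of New-KmsCluster (and -ProxyServerAddress, -ProxyServerPort, -Username and -Password of New-KmipServer); supply them only when your KMS requires them, and note that a proxy demanding its own user name or password is not supported.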