vSphere Trust Authority is not enabled by default. You must configure your environment for vSphere Trust Authority before you can start using it.

You enable vSphere Trust Authority services on a dedicated vCenter Server cluster, known as the vSphere Trust Authority Cluster. The Trust Authority Cluster acts as a centralized, secure management platform. You then enable a workload vCenter Server cluster as the Trusted Cluster. The Trusted Cluster contains the ESXi Trusted Hosts.

The Trust Authority Cluster remotely attests the ESXi hosts in the Trusted Cluster and releases encryption keys from the trusted key providers only to hosts that pass attestation. Those hosts use the keys to encrypt virtual machines and virtual disks. A host that fails attestation receives no keys, so encrypted workloads cannot run on it.

Before you begin configuring vSphere Trust Authority, see Prerequisites and Required Privileges for vSphere Trust Authority for information on the required setup of vCenter Server systems and ESXi hosts.

You manage different aspects of vSphere Trust Authority in the following ways.

  • Configure the vSphere Trust Authority services and trusted connections using PowerCLI cmdlets or the vSphere APIs. See VMware PowerCLI Cmdlets Reference and vSphere Automation SDKs Programming Guide.
  • Manage the configuration of trusted key providers using the PowerCLI cmdlets or from the vSphere Client.
  • Perform encryption workflows, as in prior vSphere releases, using the vSphere Client and APIs.

Generally, you use VMware PowerCLI to configure and manage vSphere Trust Authority, though some functionality is available in the vSphere Client.

When you configure vSphere Trust Authority, you must complete setup tasks on both the Trust Authority Cluster and the Trusted Cluster. Some of these tasks are order-specific. Use the following task sequence to configure vSphere Trust Authority.

  1. On a system that has access to your vSphere Trust Authority environment:
    • Install PowerCLI 12.1.0. See PowerCLI User's Guide.
    • Verify that Microsoft .NET Framework 4.8 or later is installed.
    • Create a local folder in which to save the Trust Authority information that you export as files.
  2. Add the Trust Authority administrator to the TrustedAdmins vCenter Single Sign-On group on the vCenter Server of the Trust Authority Cluster.
  3. Add the Trust Authority administrator to the TrustedAdmins vCenter Single Sign-On group on the vCenter Server of the Trusted Cluster. Membership in this group is what authorizes the Trust Authority cmdlets, so keep it limited to the administrators who need it.
  4. Enable the Trust Authority State.
  5. Collect information about the hosts you want to be trusted (the Trusted Hosts) on the Trusted Cluster.
  6. Import the collected Trusted Host information to the Trust Authority Cluster.
  7. Create the Trusted Key Provider on the Trust Authority Cluster.
  8. Export the Trust Authority Cluster information from the Trust Authority Cluster.
  9. Import the exported Trust Authority Cluster information to the Trusted Cluster.
  10. Configure the Trusted Key Provider for the Trusted Hosts on the Trusted Cluster.

Note: When you add more ESXi hosts to the Trusted Cluster after completing the initial vSphere Trust Authority setup, you might need to export and import the Trusted Host information again. That is, if the new ESXi hosts differ from the original hosts in the information that was imported (TPM endorsement key, TPM CA certificate, or ESXi base image), you must collect the new ESXi host information and import it to the Trust Authority Cluster. See Adding and Removing vSphere Trust Authority Hosts.
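The following PowerCLI script is an added example that walks steps 4 through 10 of the sequence above; it is not taken from the VMware documentation. The vCenter Server names, cluster names, host selection, output folder, KMIP server address and key name are placeholders. The cmdlets used are from the VMware.VimAutomation.Security module in PowerCLI 12.x; the KMS certificate exchange after creating the key provider and the final assignment of the key provider to the Trusted Cluster in step 10 vary by release and are left as comments, and the parameter name marked as such is an assumption. Check each cmdlet with Get-Help in your PowerCLI version before running it.

```powershell
# Added example (not VMware's own code). Placeholders: server names, cluster
# names, file paths, KMIP address, key name. Runs the Trust Authority setup
# steps 4-10 with one vCenter connection at a time so the default
# $DefaultVIServer is always the intended vCenter.

$vtaVC      = 'vta-vcenter.example.com'   # vCenter of the Trust Authority Cluster (placeholder)
$trustedVC  = 'wl-vcenter.example.com'    # vCenter of the Trusted (workload) Cluster (placeholder)
$vtaCluster = 'vTA Cluster'               # placeholder cluster names
$wlCluster  = 'Trusted Cluster'
$outDir     = 'C:\vta'                    # local folder created in step 1

# One account that is a member of TrustedAdmins on both vCenter Servers (steps 2-3).
$cred = Get-Credential -Message 'Trust Authority administrator'

# ---- Step 4: enable the Trust Authority State on the Trust Authority Cluster ----
Connect-VIServer -Server $vtaVC -Credential $cred | Out-Null
$vtaCl = Get-TrustAuthorityCluster -Name $vtaCluster
Set-TrustAuthorityCluster -TrustAuthorityCluster $vtaCl -State Enabled
Get-TrustAuthorityCluster -Name $vtaCluster | Select-Object Name, State   # expect State = Enabled
Disconnect-VIServer -Confirm:$false

# ---- Step 5: collect Trusted Host information on the Trusted Cluster ----
Connect-VIServer -Server $trustedVC -Credential $cred | Out-Null
$hosts = Get-Cluster -Name $wlCluster | Get-VMHost
# The TPM CA certificate and the ESXi image database are taken from one
# representative host; hosts with a different TPM vendor or ESXi build need
# their own export and import (see the note above). Endorsement keys are
# exported for every host in the cluster.
$sample = $hosts | Select-Object -First 1
Export-Tpm2CACertificate  -VMHost $sample -FilePath "$outDir\cacert.zip"
Export-Tpm2EndorsementKey -VMHost $hosts  -FilePath "$outDir\ek.json"
Export-VMHostImageDb      -VMHost $sample -FilePath "$outDir\image.tgz"
Export-TrustedPrincipal   -FilePath "$outDir\principal.json"
Disconnect-VIServer -Confirm:$false
# These files define which hosts the Trust Authority will attest and release
# keys to. If they are moved between systems, protect their integrity in transit.

# ---- Step 6: import the Trusted Host information to the Trust Authority Cluster ----
Connect-VIServer -Server $vtaVC -Credential $cred | Out-Null
$vtaCl = Get-TrustAuthorityCluster -Name $vtaCluster
New-TrustAuthorityPrincipal          -TrustAuthorityCluster $vtaCl -FilePath "$outDir\principal.json"
New-TrustAuthorityTpm2CACertificate  -TrustAuthorityCluster $vtaCl -FilePath "$outDir\cacert.zip"
New-TrustAuthorityTpm2EndorsementKey -TrustAuthorityCluster $vtaCl -FilePath "$outDir\ek.json"
New-TrustAuthorityVMHostBaseImage    -TrustAuthorityCluster $vtaCl -FilePath "$outDir\image.tgz"

# ---- Step 7: create the Trusted Key Provider (backed by an external KMIP server) ----
# -MasterKeyId is the parameter name in PowerCLI 12.1; newer releases may call it
# -PrimaryKeyId (assumption: verify with Get-Help New-TrustAuthorityKeyProvider).
$kp = New-TrustAuthorityKeyProvider -TrustAuthorityCluster $vtaCl `
        -Name 'keyprovider1' -MasterKeyId 'vta-primary-key' `
        -KmipServerAddress 'kms.example.com' -KmipServerPort 5696
# Not shown: exchanging certificates with the KMS (export the key provider's
# client certificate or CSR to the KMS, then register the KMS server certificate
# with Add-TrustAuthorityKeyProviderServerCertificate). Keys are not released
# until this trust is established.

# ---- Step 8: export the Trust Authority Cluster information ----
Export-TrustAuthorityServicesInfo -TrustAuthorityCluster $vtaCl -FilePath "$outDir\clsettings.json"
Disconnect-VIServer -Confirm:$false

# ---- Steps 9-10: import on the Trusted Cluster and enable it ----
Connect-VIServer -Server $trustedVC -Credential $cred | Out-Null
Import-TrustAuthorityServicesInfo -FilePath "$outDir\clsettings.json"
$wlCl = Get-TrustedCluster -Name $wlCluster
Set-TrustedCluster -TrustedCluster $wlCl -State Enabled
Get-TrustedCluster -Name $wlCluster | Select-Object Name, State          # expect State = Enabled
# Step 10: once the cluster is enabled, the Trusted Key Provider from step 7
# is listed on the workload vCenter. Confirm it is present before using it
# in encryption workflows; assigning it as the cluster's default key provider
# is done with the Set-KeyProvider / key-provider cmdlets of your PowerCLI
# release (assumption: check Get-Command -Module VMware.VimAutomation.Security).
Get-KeyProvider | Select-Object Name, Type
Disconnect-VIServer -Confirm:$false
```

The two Get-TrustAuthorityCluster and Get-TrustedCluster checks are the points where a misordered step shows up: if the Trust Authority State was never enabled, the import cmdlets in step 6 fail, and if the Trusted Cluster is still Disabled after step 9, the hosts are not yet attested and no keys will be released to them.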