vSphere Trust Authority is not enabled by default. You must configure your environment for vSphere Trust Authority before you can start using it.

You enable vSphere Trust Authority services on a dedicated vCenter Server cluster, known as the vSphere Trust Authority Cluster. The Trust Authority Cluster acts as a centralized, secure management platform. You then enable a workload vCenter Server cluster as the Trusted Cluster. The Trusted Cluster contains the ESXi Trusted Hosts.

The Trust Authority Cluster attests the ESXi hosts in the Trusted Cluster remotely. The Trust Authority Cluster releases encryption keys only to attested ESXi hosts in the Trusted Cluster to encrypt virtual machines and virtual disks using trusted key providers.

Before you begin configuring vSphere Trust Authority, see Prerequisites and Required Privileges for vSphere Trust Authority for information on the required setup of vCenter Server systems and ESXi hosts.

You manage different aspects of vSphere Trust Authority in the following ways.

• Configure the vSphere Trust Authority services and trusted connections using PowerCLI cmdlets or the vSphere APIs. See VMware PowerCLI Cmdlets Reference and vSphere Automation SDKs Programming Guide.
• Manage the configuration of trusted key providers using the PowerCLI cmdlets or from the vSphere Client.
• Perform encryption workflows, as in prior vSphere releases, using the vSphere Client and APIs.

To configure and manage vSphere Trust Authority, you use VMware PowerCLI, though some functionality is available in the vSphere Client.

When you configure vSphere Trust Authority, you must complete setup tasks on both the Trust Authority Cluster and the Trusted Cluster. Some of these tasks are order-specific. Use the task sequence outlined in this guide.