Starting in vSphere 7.0 Update 2, you can use the built-in vSphere Native Key Provider to power encryption-based virtual TPMs (vTPM).

vSphere Native Key Provider is included in all vSphere editions and does not require an external key server (Key Management Server). You can also use vSphere Native Key Provider for vSphere Virtual Machine Encryption, but you must purchase the vSphere Enterprise+ edition.

What Is vSphere Native Key Provider?

With a standard key provider or trusted key provider, you must configure an external key server. In a standard key provider setup, vCenter Server fetches the keys from the external key server and distributes them to the ESXi hosts. In a trusted key provider (vSphere Trust Authority) setup, the trusted ESXi hosts fetch the keys directly.

With vSphere Native Key Provider, an external key server is not needed. vCenter Server generates a primary key and pushes it to all ESXi hosts in the cluster. The ESXi hosts then generate data encryption keys (even when not connected to vCenter Server) to enable security functionality such as vTPM (included in all vSphere editions). You can use vSphere Native Key Provider for vSphere Virtual Machine Encryption provided you have purchased the vSphere Enterprise+ edition. vSphere Native Key Provider can coexist with an existing key server infrastructure.

vSphere Native Key Provider:

  • Removes the dependency on a third-party key server. However, vSphere Native Key Provider is not intended to replace an existing key server.
  • Provides a solution for deployments that do not require full KMS functionality, such as KMIP-based interoperability for other solutions.
  • Provides a path to transition to a fully functional key server. vSphere Native Key Provider is compatible with the VMware standard key provider and the vSphere Trust Authority trusted key provider.
  • Covers the needs of organizations that either cannot use, or choose not to use, an external key server.
  • Works in an environment consisting of multiple vCenter Server systems in an Enhanced Linked Mode configuration.
  • Is an enabler for encryption-based virtual TPMs (vTPMs).
  • Can be used to encrypt virtual machines with the purchase of the vSphere Enterprise+ edition that includes vSphere Virtual Machine Encryption. vSphere Virtual Machine Encryption works with vSphere Native Key Provider as it does with VMware standard and trusted key providers.
  • Is for use within VMware infrastructure products. If your organization requires KMS functionality for non-VMware products and components, install a traditional, third-party key server.
  • Cannot be used with non-VMware products. If you want to provide encryption for both VMware and non-VMware products, you must use a fully functional third-party key server.

vSphere Native Key Provider Requirements

  • vSphere 7.0 Update 2 and later.
  • To use vSphere Native Key Provider, ESXi hosts must be in a cluster.
  • To perform VM encryption using vSphere Native Key Provider, you must purchase the vSphere Enterprise+ edition.

vSphere Native Key Provider Privileges

As with standard and trusted key providers, vSphere Native Key Provider uses the Cryptographer.* privileges. In addition, vSphere Native Key Provider uses the Cryptographer.ReadKeyServersInfo privilege, which is specific to vSphere Native Key Providers, to list vSphere Native Key Providers. See Cryptographic Operations Privileges.
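
Because these privileges gate access to key providers, it is worth reviewing who holds them. The following PowerCLI audit is an added example, not part of the VMware documentation: it lists every permission whose role carries a Cryptographer.* privilege and flags roles that include Cryptographer.ReadKeyServersInfo. It assumes the VMware PowerCLI module is installed and a Connect-VIServer session is already open.

```powershell
# Added example: audit of Cryptographer.* privilege holders.
# Assumption: VMware PowerCLI is loaded and Connect-VIServer has already been run.
$ErrorActionPreference = 'Stop'

# Map each role name to the Cryptographer.* privileges it contains.
$cryptoRoles = @{}
foreach ($role in Get-VIRole) {
    $privs = @($role.PrivilegeList -like 'Cryptographer.*')
    if ($privs.Count -gt 0) {
        $cryptoRoles[$role.Name] = $privs
    }
}

# Report every permission assignment that uses one of those roles.
$report = Get-VIPermission |
    Where-Object { $cryptoRoles.ContainsKey($_.Role) } |
    ForEach-Object {
        $privs = $cryptoRoles[$_.Role]
        [pscustomobject]@{
            Principal              = $_.Principal
            IsGroup                = $_.IsGroup
            Role                   = $_.Role
            Entity                 = $_.Entity.Name
            Propagate              = $_.Propagate
            CryptoPrivilegeCount   = $privs.Count
            # Privilege named on this page for listing vSphere Native Key Providers.
            CanListNativeProviders = $privs -contains 'Cryptographer.ReadKeyServersInfo'
        }
    }

if (-not $report) {
    Write-Output 'No permission assignments use a role with Cryptographer.* privileges.'
} else {
    $report | Sort-Object Role, Principal | Format-Table -AutoSize
}
```

Assignments that propagate from a high-level entity such as the root folder deserve the closest look, because they grant the cryptographic privileges on every object beneath it.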

vSphere Native Key Provider Alarms

You must back up a vSphere Native Key Provider. When a vSphere Native Key Provider is not backed up, vCenter Server generates an alarm. When you back up the vSphere Native Key Provider for which an alarm was generated, vCenter Server resets the alarm. By default, vCenter Server checks for backed-up vSphere Native Key Providers once a day. You can change the checking interval by modifying the vpxd.KMS.backupCheckInterval option.

vSphere Native Key Provider Periodic Remediation Check

vCenter Server checks periodically that the vSphere Native Key Provider configuration on vCenter Server and ESXi hosts matches. When a host state changes, for example, when you add a host to the cluster, the key provider configuration on the cluster drifts away from the configuration on the host. If the configuration (keyID) differs on the host, vCenter Server updates the host's configuration automatically. No manual intervention is required.

By default, vCenter Server checks the configuration every five minutes. You can modify the interval by using the vpxd.KMS.remediationInterval option.