You can add a standard key provider to your vCenter Server system from the vSphere Client or by using the public API.

The vSphere Client enables you to add a standard key provider to your vCenter Server system, and establish trust between the KMS and vCenter Server.

  • You can add multiple Key Management Servers from the same vendor.
  • If your environment supports solutions from different vendors, you can add multiple key providers.
  • If your environment includes multiple key providers, and you delete the default key provider, you must set another default explicitly.
  • You can configure the KMS with IPv6 addresses.
    • Both the vCenter Server system and the KMS can be configured with only IPv6 addresses.
Note: If you are configuring a trusted key provider for vSphere Trust Authority, see Configuring vSphere Trust Authority in Your vSphere Environment instead of these instructions.

Prerequisites

  • Verify that the KMS is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
  • Verify that you have the required privileges: Cryptographic operations.Manage key servers.
  • Ensure that the KMS is highly available. Loss of connection to the KMS, such as during a power outage or a disaster recovery event, renders encrypted virtual machines inaccessible.
  • Consider your infrastructure's dependencies on the KMS carefully. Some KMS solutions are delivered as virtual appliances, making it possible to create a dependency loop or other availability problem with poor placement of the KMS appliance.

Procedure

  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Click Add Standard Key Provider, enter the key provider information, and click Add Key Provider.
    You can click Add KMS to add more Key Management Servers.
  5. Click Trust.
    vCenter Server adds the key provider and displays the status as Connected.

What to do next

See Establish a Standard Key Provider Trusted Connection by Exchanging Certificates.