You can add a standard key provider to your vCenter Server system from the vSphere Client or by using the public API.
The vSphere Client enables you to add a standard key provider to your vCenter Server system, and establish trust between the KMS and vCenter Server.
- You can add multiple Key Management Servers from the same vendor.
- If your environment supports solutions from different vendors, you can add multiple key providers.
- If your environment includes multiple key providers, and you delete the default key provider, you must set another default explicitly.
- You can configure the KMS with IPv6 addresses.
- Both the vCenter Server system and the KMS can be configured with only IPv6 addresses.
Note: If you are configuring a trusted key provider for vSphere Trust Authority, see Configuring vSphere Trust Authority in Your vSphere Environment instead of these instructions.
Prerequisites
- Verify that the KMS is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
- Verify that you have the required privileges: .
- Ensure that the KMS is highly available. Loss of connection to the KMS, such as during a power outage or a disaster recovery event, renders encrypted virtual machines inaccessible.
- Consider your infrastructure's dependencies on the KMS carefully. Some KMS solutions are delivered as virtual appliances, making it possible to create a dependency loop or other availability problem with poor placement of the KMS appliance.
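The availability, default-provider and addressing points above can be turned into a preflight check run before the key provider is added. The following is an added example, not VMware code and not the vSphere API; the KeyProvider model, the 5696 port expectation (the IANA KMIP port) and the sample hostnames are assumptions made for the illustration.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

KMIP_PORT = 5696  # IANA-registered port for KMIP over TLS (assumed default here)

@dataclass
class KeyProvider:
    """Hypothetical model of a standard key provider: one vendor, one or more KMS instances."""
    name: str
    vendor: str
    servers: list = field(default_factory=list)  # (address, port) tuples
    default: bool = False

def address_kind(address):
    """Classify a KMS address as 'ipv4', 'ipv6' or 'hostname' (IPv6-only setups are supported)."""
    try:
        return "ipv6" if ipaddress.ip_address(address).version == 6 else "ipv4"
    except ValueError:
        return "hostname"

def reachable(address, port=KMIP_PORT, timeout=3.0):
    """True if a TCP connection to the KMIP port succeeds; TLS trust is established in vCenter later."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def validate_providers(providers, check_network=False):
    """Return findings; an empty list means the configuration passes the checks listed above."""
    findings = []
    if len(providers) > 1 and sum(p.default for p in providers) != 1:
        findings.append("with several key providers, exactly one must be set as the default")
    for p in providers:
        if len(p.servers) < 2:
            findings.append(f"{p.name}: single KMS instance; losing it makes encrypted VMs inaccessible")
        for address, port in p.servers:
            if port != KMIP_PORT:
                findings.append(f"{p.name}: {address} ({address_kind(address)}) uses non-standard port {port}")
            if check_network and not reachable(address, port):
                findings.append(f"{p.name}: {address}:{port} not reachable on the KMIP port")
    return findings

if __name__ == "__main__":
    # Constructed sample: a default provider with two KMS instances, and a second vendor with an IPv6-only KMS.
    sample = [KeyProvider("kp-a", "VendorA", [("kms1.example.test", 5696), ("kms2.example.test", 5696)], True),
              KeyProvider("kp-b", "VendorB", [("2001:db8::10", 5696)])]
    for finding in validate_providers(sample):
        print("finding:", finding)
```

Run with check_network=True from the vCenter Server network segment to confirm each KMS instance answers on its KMIP port before establishing trust.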