You must consider hardware and software requirements when configuring vSphere Trust Authority. You must set cryptographic privileges and roles to use encryption. The user who performs vSphere Trust Authority tasks must have the appropriate privileges.
Requirements for vSphere Trust Authority
To use vSphere Trust Authority, your vSphere environment must meet these requirements:
- ESXi Trusted Host hardware requirements:
  - TPM 2.0
  - Secure Boot must be enabled
  - EFI firmware
- Component requirements:
  - vCenter Server 7.0 or later
  - A dedicated vCenter Server system for the vSphere Trust Authority Cluster and ESXi hosts
  - A separate vCenter Server system for the Trusted Cluster and ESXi Trusted Hosts
  - A key server (called a Key Management Server, or KMS, in prior vSphere releases)
- Virtual machine requirements:
  - EFI firmware
  - Secure Boot enabled
Cryptography Privileges
vSphere Trust Authority does not introduce any new cryptography privileges. The same cryptography privileges described in Cryptography Privileges and Roles apply to vSphere Trust Authority.
Host Encryption Mode
vSphere Trust Authority does not introduce any new requirements for enabling host encryption mode on the ESXi Trusted Hosts. See Prerequisites and Required Privileges for Encryption Tasks for more information about host encryption mode.
About the vSphere Trust Authority Roles and the TrustedAdmins Group
vSphere Trust Authority operations require a user that is a member of the TrustedAdmins group. This user is called the Trust Authority administrator. vSphere administrators must either add themselves to the TrustedAdmins group or add other users to the group to gain the Trusted Infrastructure administrator role. The Trusted Infrastructure administrator role is necessary for vCenter Server authorization. The TrustedAdmins group is necessary for authentication on the ESXi hosts that are part of the Trusted Infrastructure. Users who hold this privilege on the ESXi hosts can manage the Trusted Cluster. The vCenter Server permissions are not propagated to the Trust Authority hosts, only to the Trusted Hosts. Only members of the TrustedAdmins group are granted privileges on the Trust Authority hosts, and group membership is verified on the ESXi host itself.
After vSphere Trust Authority is enabled, Trust Authority administrators can assign trusted key providers to Trusted Hosts. Those Trusted Hosts can then use the trusted key providers to perform cryptographic tasks.
In addition to the Trusted Infrastructure administrator role, vSphere Trust Authority provides the No Trusted Infrastructure administrator role, which contains all privileges in vCenter Server except the ones that call the vSphere Trust Authority APIs.
vSphere Trust Authority groups, roles, and users function as follows:
- On first boot, vSphere grants the TrustedAdmins group the Trusted Infrastructure administrator role, which has global permissions.
- The Trusted Infrastructure administrator role is a system role that has the required privileges to call the vSphere Trust Authority APIs (TrustedAdmin.*), and the system privileges System.Read, System.View, and System.Anonymous to view inventory objects.
- The No Trusted Infrastructure administrator role is a system role that contains all privileges in vCenter Server except the ones to call the vSphere Trust Authority APIs. Adding new privileges to vCenter Server also adds them to the No Trusted Infrastructure administrator role. (The No Trusted Infrastructure administrator role is similar to the No cryptography administrator role.)
- The vSphere Trust Authority privileges (TrustedAdmin.* APIs) are not included in the No cryptography administrator role, preventing users with this role from setting up a Trusted Infrastructure or performing cryptographic operations.
The use cases for these users, groups, and roles are shown in the following table.
User, Group, or Role | Can Call vSphere Trust Authority vCenter Server API (Does Not Include Calls to vSphere Trust Authority ESXi API) | Can Call vSphere Trust Authority vCenter Server API (Includes Calls to vSphere Trust Authority ESXi API) | Can Perform Host Operations in Cluster Not Related to vSphere Trust Authority | Comment |
---|---|---|---|---|
User in both Administrators@system.domain group and TrustedAdmins@system.domain group | Yes | Yes | Yes | NA |
User in TrustedAdmins@system.domain group only | Yes | Yes | No | Such a user cannot perform regular cluster management operations. |
User in Administrators@system.domain group only | Yes | No | Yes | NA |
User with Trusted Infrastructure administrator role but not in TrustedAdmins@system.domain group | Yes | No | No | The ESXi host checks the group membership of the user to grant permissions. |
User with No Trusted Infrastructure administrator role only | No | No | Yes | Such a user is similar to an administrator who cannot perform vSphere Trust Authority operations. |
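As an added illustration (not VMware code), the following Python models the two-layer check the table summarizes: vCenter Server evaluates the privileges of the user's roles, and each ESXi host in the Trusted Infrastructure independently verifies TrustedAdmins group membership, because vCenter permissions are not propagated to the Trust Authority hosts. Role and group names are those from the page; `HOST_OPS_PRIV` is an assumed stand-in for an ordinary cluster-management privilege.

```python
from dataclasses import dataclass

TA_PRIV = "TrustedAdmin.*"        # the vSphere Trust Authority API privileges
HOST_OPS_PRIV = "Host.Config.*"   # stand-in for a regular host privilege (assumption)


def role_has(role: str, priv: str) -> bool:
    """vCenter-side check: does this role grant the requested privilege?"""
    if role == "Administrator":
        return True                                      # all privileges
    if role == "Trusted Infrastructure administrator":
        return priv in {TA_PRIV, "System.Read", "System.View", "System.Anonymous"}
    if role == "No Trusted Infrastructure administrator":
        return priv != TA_PRIV                           # everything except the TA APIs
    return False


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset                  # SSO groups: "Administrators", "TrustedAdmins"
    direct_roles: frozenset = frozenset()   # roles assigned to the user directly

    def roles(self) -> set:
        r = set(self.direct_roles)
        if "Administrators" in self.groups:
            r.add("Administrator")
        if "TrustedAdmins" in self.groups:   # granted globally on first boot
            r.add("Trusted Infrastructure administrator")
        return r


def can_call_vcenter_ta_api(u: User) -> bool:
    return any(role_has(r, TA_PRIV) for r in u.roles())


def can_call_esxi_ta_api(u: User) -> bool:
    # The call goes through vCenter first, then the ESXi host checks the
    # TrustedAdmins membership itself; a vCenter role alone is not enough.
    return can_call_vcenter_ta_api(u) and "TrustedAdmins" in u.groups


def can_do_host_ops(u: User) -> bool:
    return any(role_has(r, HOST_OPS_PRIV) for r in u.roles())


def evaluate(u: User) -> tuple:
    """Returns the three Yes/No columns of the table for this user."""
    return (can_call_vcenter_ta_api(u), can_call_esxi_ta_api(u), can_do_host_ops(u))
```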