Depending on which key provider you use, an external key server, the vCenter Server system, and your ESXi hosts are potentially contributing to the encryption solution.

The following components comprise vSphere Virtual Machine Encryption:

  • An external key server, also called a KMS (not required for vSphere Native Key Provider)
  • vCenter Server
  • ESXi hosts

Key Server

The key server is a Key Management Interoperability Protocol (KMIP) management server that is associated with a key provider. A standard key provider and a trusted key provider require a key server. vSphere Native Key Provider does not require a key server. The following table describes the differences in key provider and key server interaction.

Table 1. Key Providers and Key Server Interaction
Key Provider Interaction with Key Server
Standard key provider A standard key provider uses vCenter Server to request keys from a key server. The key server generates and stores the keys, and passes them to vCenter Server for distribution to the ESXi hosts.
Trusted key provider A trusted key provider uses a Key Provider Service that enables the trusted ESXi hosts to fetch the keys directly. See About the vSphere Trust Authority Key Provider Service.
vSphere Native Key Provider vSphere Native Key Provider does not require a key server. vCenter Server generates a primary key and pushes it to the ESXi hosts. The ESXi hosts then generate data encryption keys (even when not connected to vCenter Server). See vSphere Native Key Provider Overview.

You can use the vSphere Client or the vSphere API to add key provider instances to the vCenter Server system. If you use multiple key provider instances, all instances must be from the same vendor and must replicate keys.

If your environment uses different key server vendors in different environments, you can add a key provider for each key server and specify a default key provider. The first key provider that you add becomes the default key provider. You can explicitly specify the default later.

As a KMIP client, vCenter Server uses the Key Management Interoperability Protocol (KMIP) to make it easy to use the key server of your choice.

vCenter Server

The following table describes the role of vCenter Server in the encryption process.

Table 2. Key Providers and vCenter Server
Key Provider Role of vCenter Server How Are Privileges Checked
Standard key provider Only vCenter Server has the credentials for logging in to the key server. Your ESXi hosts do not have those credentials. vCenter Server obtains keys from the key server and pushes them to the ESXi hosts. vCenter Server does not store the key server keys, but keeps a list of key IDs. vCenter Server checks the privileges of users who perform cryptographic operations.
Trusted key provider vSphere Trust Authority removes the need for vCenter Server to request keys from the key server, and makes access to the encryption keys conditional to the attestation state of a workload cluster. You must use separate vCenter Server systems for the Trusted Cluster and Trust Authority Cluster. vCenter Server checks the privileges of users who perform cryptographic operations. Only users who are members of the TrustedAdmins SSO group can perform administrative operations.
vSphere Native Key Provider The vCenter Server generates the keys. vCenter Server checks the privileges of users who perform cryptographic operations.

You can use the vSphere Client to assign cryptographic operation privileges or to assign the No cryptography administrator custom role to groups of users. See Prerequisites and Required Privileges for Encryption Tasks.

vCenter Server adds cryptography events to the list of events that you can view and export from the vSphere Client Event Console. Each event includes the user, time, key ID, and cryptographic operation.

The keys that come from the key server are used as key encryption keys (KEKs).

ESXi Hosts

ESXi hosts are responsible for several aspects of the encryption workflow.

Table 3. ESXi Hosts
Key Provider ESXi Host Aspects
Standard key provider
  • vCenter Server pushes keys to an ESXi host when the host needs a key. The host must have encryption mode enabled. The current user's role must include cryptographic operation privileges. See Prerequisites and Required Privileges for Encryption Tasks and Cryptographic Operations Privileges.
  • Ensuring that guest data for encrypted virtual machines is encrypted when stored on disk.
  • Ensuring that guest data for encrypted virtual machines is not sent over the network without encryption.
Trusted key provider The ESXi hosts run vSphere Trust Authority services, depending on if they are Trusted Hosts or Trust Authority Hosts. Trusted ESXi hosts run workload virtual machines that can be encrypted using key providers published by the Trust Authority Hosts. See Trusted Infrastructure Overview.
vSphere Native Key Provider The ESXi hosts fetch keys directly from the vSphere Native Key Provider.

The keys that the ESXi host generates are called internal keys in this document. These keys typically act as data encryption keys (DEKs).