Backing up a vSphere Native Key Provider is a required part of disaster recovery planning, so that you can restore the key provider configuration if you ever must. You can use the vSphere Client, PowerCLI, or the API to back up the vSphere Native Key Provider.

vSphere Native Key Provider is backed up as part of the vCenter Server file-based backup. However, you must back up the vSphere Native Key Provider at least once before you can use it. When you create a vSphere Native Key Provider, it is not backed up.

A backup is necessary in case you must restore the configuration. To restore a vSphere Native Key Provider, see Restore a vSphere Native Key Provider Using the vSphere Client.

Keep the backup file in a secure location. You can password-protect the backup when you create it. The backup file is in PKCS#12 format.

vCenter Server creates an alarm if a vSphere Native Key Provider has not been backed up. You can acknowledge the alarm, but it reappears every 24 hours until you have backed up the vSphere Native Key Provider.

Prerequisites

Required privilege: Cryptographic operations.Manage key servers

Note: In an Enhanced Link Mode configuration, you must perform the backup on the vCenter Server that the key provider belongs to.

Procedure

  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Select the vSphere Native Key Provider you want to back up.
    A status of "Not backed up" appears for key providers that you have not backed up.
  5. Click Back Up.
  6. To password-protect the backup, check the Protect Native Key Provider data with password box.
    1. Enter a password and save it in a secure location.
    2. Check the I have saved the password in a secure place box, indicating that you have saved the password to a secure place.
  7. Click Back Up Key Provider.
    The backup file is in PKCS#12 format.
  8. Save the backup file in a secure location.
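The same backup can be taken from PowerCLI, which the introduction names as an alternative to the vSphere Client. The following script is an added example and is not code from the VMware documentation; it assumes PowerCLI 12.4 or later, where the Get-KeyProvider and Export-KeyProvider cmdlets exist, and the parameter names it uses (-Name, -KeyProvider, -FilePath, -Password) are assumptions to check against Get-Help on your installation. The vCenter Server name, key provider name, and output path are placeholders.

```powershell
# Added example (not from the VMware page). Assumes PowerCLI 12.4+ with the
# key-provider cmdlets; verify parameter names with:
#   Get-Help Export-KeyProvider -Full
# All server names, provider names and paths below are placeholders.

param(
    [string]$VCenter      = 'vcenter01.example.com',    # placeholder
    [string]$ProviderName = 'nkp-prod',                 # placeholder
    [string]$BackupPath   = 'C:\secure\nkp-backup.p12'  # placeholder, restricted folder
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# In an Enhanced Link Mode configuration, connect to the vCenter Server
# that the key provider belongs to; exporting through a linked instance fails.
$vc = Connect-VIServer -Server $VCenter -ErrorAction Stop

try {
    # Prompt for the protection password so it never sits in the script
    # or the shell history; store it in your password manager afterwards.
    $password = Read-Host -Prompt 'Password to protect the Native Key Provider backup' -AsSecureString

    # Parameter name -Name is assumed; Get-KeyProvider with no filter lists all providers.
    $kp = Get-KeyProvider -Server $vc -Name $ProviderName
    if (-not $kp) { throw "Key provider '$ProviderName' was not found on $VCenter" }

    # Export the key provider as a password-protected PKCS#12 file
    # (parameter names -KeyProvider, -FilePath and -Password are assumed).
    Export-KeyProvider -KeyProvider $kp -FilePath $BackupPath -Password $password -Confirm:$false

    # Minimal post-backup check: the file must exist and must not be empty.
    $file = Get-Item -Path $BackupPath -ErrorAction Stop
    if ($file.Length -eq 0) { throw "Backup file $BackupPath is empty; backup did not complete" }
    Write-Host ("Backed up '{0}' to {1} ({2} bytes)" -f $ProviderName, $BackupPath, $file.Length)
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

After the export, confirm in the vSphere Client that the key provider status moves from Not Backed Up through Warning to Active, as described under Results, and move the PKCS#12 file to the secure location where you keep the password for it; the "not backed up" alarm only clears once vCenter Server has registered a backup.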

Results

The status of the vSphere Native Key Provider changes from Not Backed Up, to Warning, to Active. Warning indicates that the vCenter Server is still pushing the information to all the ESXi hosts in the data center. Active means that the information has been pushed to all the hosts.

What to do next

To add vTPMs to your virtual machines, see Securing Virtual Machines with Virtual Trusted Platform Module. To encrypt virtual machines, see Use Encryption in Your vSphere Environment.