You can configure trusted key providers by using the command line. You can configure the default trusted key provider for the vCenter Server, or at the cluster or the folder level in the vCenter object hierarchy.

Prerequisites

On the Trusted Cluster, you must have a role that includes the Cryptographic operations.Manage KMS privilege.

Procedure

  1. Ensure that you are connected as an administrator to the vCenter Server of the Trusted Cluster.
    For example, you can enter $global:defaultviservers to show all the connected servers.
  2. (Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trusted Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server TrustedCluster_VC_ip_address -User admin_user -Password 'password'
  3. Obtain the trusted key provider.
    Get-KeyProvider

    You can use the -Name keyprovider option to specify a single trusted key provider.

  4. Assign the Get-KeyProvider trusted key provider information to a variable.
    For example, this command assigns the information to the variable $workload_kp.
    $workload_kp = Get-KeyProvider

    If you have multiple trusted key providers, you can use Select-Object to select one of them.

    $workload_kp = Get-KeyProvider | Select-Object -Index 0
  5. Register the trusted key provider.
    Register-KeyProvider -KeyProvider $workload_kp

    To register additional trusted key providers, repeat Step 4 and Step 5.

    Note: It takes a while for all the hosts to be able to get the key provider, and for the vCenter Server to update its cache. Because of the way the information is propagated, you might have to wait for a few minutes to use the key provider for key operations on some of the hosts.
  6. Set the default trusted key provider to use.
    1. To set the default key provider at the vCenter Server level, run the following command.
      Set-KeyProvider -KeyProvider $workload_kp -DefaultForSystem
    2. To set the key provider at the cluster level, run the following command.
      For example, this command sets the key provider for the cluster Trusted Cluster.
      Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity 'Trusted Cluster'
    3. To set the key provider at the folder level, run the following command.
      For example, this command sets the key provider for the folder TC Folder, which was created on the workLoad data center.
      Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity 'TC Folder'

What to do next

Encrypting a virtual machine with a trusted key provider looks the same as the virtual machine encryption user experience that was first delivered in vSphere 6.5. See Use Encryption in Your vSphere Environment.