You can configure trusted key providers by using the command line. You can configure the default trusted key provider for the vCenter Server, or at the cluster or folder level in the vCenter object hierarchy.

Procedure

  1. Ensure that you are connected as an administrator to the vCenter Server of the Trusted Cluster.
    For example, you can enter $global:defaultviservers to show all the connected servers.
  2. (Optional) If necessary, you can run the following commands to ensure that you are connected to the vCenter Server of the Trusted Cluster.
    Disconnect-VIServer -server * -Confirm:$false
    Connect-VIServer -server TrustedCluster_VC_ip_address -User admin_user -Password 'password'
  3. Obtain the trusted key provider.
    Get-KeyProvider

    You can use the -Name keyprovider option to specify a single trusted key provider.

  4. Assign the trusted key provider information returned by Get-KeyProvider to a variable.
    For example, this command assigns the information to the variable $workload_kp.
    $workload_kp = Get-KeyProvider

    If you have multiple trusted key providers, you can use Select-Object to select one of them.

    $workload_kp = Get-KeyProvider | Select-Object -Index 0
  5. Register the trusted key provider.
    Register-KeyProvider -KeyProvider $workload_kp

    To register additional trusted key providers, repeat Step 4 and Step 5.

  6. Set the default trusted key provider to use.
    1. To set the default key provider at the vCenter Server level, run the following command.
      Set-KeyProvider -KeyProvider $workload_kp -DefaultForSystem
    2. To set the key provider at the cluster level, run the following command.
      For example, this command sets the key provider for the cluster Trusted Cluster.
      Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity 'Trusted Cluster'
    3. To set the key provider at the folder level, run the following command.
      For example, this command sets the key provider for the folder TC Folder, which was created on the workLoad data center.
      Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity 'TC Folder'
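
The whole procedure as one PowerCLI script. This is an added example, not part of the original documentation. It prompts for the administrator credential instead of passing -Password on the command line, and it selects the key provider by name instead of by index. The values in the first four variables are placeholders, and the $scope switch is an assumption of this example.

```powershell
# Added example (not from the original page). The vCenter address, key provider
# name, scope and entity below are placeholders; replace them with your own.
$vcServer     = 'TrustedCluster_VC_ip_address'   # placeholder from the procedure
$providerName = 'keyprovider'                    # placeholder provider name
$scope        = 'Cluster'                        # 'System', 'Cluster' or 'Folder'
$entityName   = 'Trusted Cluster'                # cluster or folder name; unused for 'System'

$ErrorActionPreference = 'Stop'                  # stop at the first failed step

# Steps 1-2: drop existing sessions so the cmdlets cannot act on another vCenter Server.
if ($global:DefaultVIServers) {
    Disconnect-VIServer -Server * -Confirm:$false
}
# Prompt for the credential so the password is not left in shell history or scripts.
Connect-VIServer -Server $vcServer -Credential (Get-Credential) | Out-Null

# Steps 3-4: select the provider by name; an index depends on the listing order.
$found = @(Get-KeyProvider | Where-Object { $_.Name -eq $providerName })
if ($found.Count -ne 1) {
    throw "Expected exactly one key provider named '$providerName', found $($found.Count)."
}
$workload_kp = $found[0]

# Step 5: register the trusted key provider.
Register-KeyProvider -KeyProvider $workload_kp

# Step 6: set the default at one level of the vCenter object hierarchy.
switch ($scope) {
    'System' { Set-KeyProvider -KeyProvider $workload_kp -DefaultForSystem }
    'Cluster' {
        Get-Cluster -Name $entityName | Out-Null   # fails early if the cluster does not exist
        Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity $entityName
    }
    'Folder' {
        Get-Folder -Name $entityName | Out-Null    # fails early if the folder does not exist
        Add-EntityDefaultKeyProvider -KeyProvider $workload_kp -Entity $entityName
    }
    default { throw "Unknown scope '$scope'. Use System, Cluster or Folder." }
}
```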

What to do next

Encrypting a virtual machine with a trusted key provider looks the same as the virtual machine encryption user experience that was first delivered in vSphere 6.5. See Use Encryption in Your vSphere Environment.