A high-level overview of the capabilities of the vSphere key providers requires your attention to help plan your encryption strategy.

In general, there is little difference in feature or product support between key provider daily operation. Though key providers look and behave similarly, you might have requirements and regulations to consider when choosing a key provider, as shown in the following table.

Table 1. Key Provider Considerations
Key Provider External Key Server Required? Quick Setup? Works Only with vSphere?
Standard key provider Yes No No
Trusted key provider Yes No No
vSphere Native Key Provider No Yes Yes

Encryption Features

The following encryption features are supported by each key provider type.

  • Rekey using the same key provider or to another key provider
  • Rotate keys
  • Virtual Trusted Platform Module (vTPM)
  • Disk encryption
  • vSphere Virtual Machine Encryption
  • Co-existence with other key providers
  • Upgrade to a different key provider

vSphere Features

The following describes key provider support for some important vSphere features.

  • Encrypted vSphere vMotion: Supported by all key provider types. The same key provider must be available on the destination host. See Encrypted vSphere vMotion.
  • vCenter Server File-based Backup and Restore: Standard key provider and vSphere Native Key Provider support vCenter Server file-based backup and restore. Because most vSphere Trust Authority configuration information is stored on the ESXi hosts, the vCenter Server file-based backup mechanism does not back up this information. To ensure the configuration information for your vSphere Trust Authority deployment is saved, see Backing Up the vSphere Trust Authority Configuration.

VMware Products

The following table compares key provider support for some VMware products.

Table 2. Comparison of Support for VMware Products
Key Provider vSAN Site Recovery Manager vSphere Replication
Standard key provider Yes Yes Yes
Trusted key provider Yes Yes

If the same vSphere Trust Authority services configuration is available on the recovery side, then SRM with array-based replication is supported.

vSphere Native Key Provider Yes Yes Yes

Required Hardware

The following table compares some minimum key provider hardware requirements.

Table 3. Comparison of Required Hardware
Key Provider TPM on ESXi Host
Standard key provider Not required
Trusted key provider Required on Trusted Hosts (hosts in the Trusted Cluster).

Note: Currently, the ESXi hosts in the Trust Authority Cluster do not require a TPM. However, as a matter of best practice, consider installing new ESXi hosts with TPMs.
vSphere Native Key Provider Not required

vSphere Native Key Provider availability can optionally be restricted to hosts with a TPM.

Key Provider Naming

vSphere uses a key provider name to look up a key identifier. If two key providers have the same name, vSphere assumes that they are equivalent and have access to the same keys. Each logical key provider, regardless of its type (Standard, Trusted, and Native Key Provider), must have a unique name across all vCenter Server systems.

In a few instances, you configure the same key provider across multiple vCenter Server systems, such as:

  • Migrating encrypted virtual machines between vCenter Server systems
  • Setting up a vCenter Server as a disaster recovery site