You add a Key Management Server (KMS) to your vCenter Server system from the vSphere Client.

vCenter Server creates a standard key provider when you add the first KMS instance. If you configure the key provider on two or more vCenter Servers, make sure you use the same key provider name.

Note: Do not deploy your KMS servers on the vSAN cluster you plan to encrypt. If a failure occurs, hosts in the vSAN cluster must communicate with the KMS.
  • When you add the KMS, you are prompted to set this key provider as a default. You can later change the default setting.
  • After vCenter Server creates the first key provider, you can add KMS instances from the same vendor to the key provider, and configure all KMS instances to synchronize keys among them. Use the method documented by your KMS vendor.
  • You can set up the key provider with only one KMS instance.
  • If your environment supports KMS solutions from different vendors, you can add multiple key providers.


  • Verify that the Key Management Server is in the vSphere Compatibility Matrixes and is KMIP 1.1 compliant.
  • Verify that you have the required privileges: Cryptographer.ManageKeyServers
  • Connecting to a KMS by using only an IPv6 address is not supported.
  • Connecting to a KMS through a proxy server that requires user name or password is not supported.


  1. Log in to the vCenter Server.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure and under Security, click Key Providers.
  4. Click Add Standard Key Provider, enter key provider information, and click Add Key Provider.
    You can click Add KMS to add more Key Management Servers.
  5. Click Trust.
    vCenter Server adds the key provider and displays the status as Connected.