A key provider is required for performing encryption tasks. You can use the vSphere Client to configure a vSphere Native Key Provider on vCenter Server.

vSphere 7.0 Update 2 and later includes a key provider called vSphere Native Key Provider. vSphere Native Key Provider enables encryption-related functionality without requiring an external key server (KMS). Initially, vCenter Server is not configured with a vSphere Native Key Provider. You must manually configure a vSphere Native Key Provider.

An ESXi host does not require a TPM 2.0 to use a vSphere Native Key Provider. However, a TPM 2.0 does provide enhanced security.

Note: When you configure vSphere Native Key Provider, the key providers are available on all clusters for the vCenter Server on which you configure them. As a result, all hosts attached to the vCenter Server have access to all the vSphere Native Key Providers that you configure.


Required privilege: Cryptographic operations.Manage key servers


  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Click Add then click Add Native Key Provider.
  5. Enter a name for the vSphere Native Key Provider.

    Each logical key provider, regardless of its type (Standard, Trusted, and Native Key Provider), must have a unique name across all vCenter Server systems.

    For more information, see Key Provider Naming.

  6. If you want this vSphere Native Key Provider to be used only by hosts with a TPM 2.0, select the Use key provider only with TPM protected ESXi hosts check box.
    If enabled, the vSphere Native Key Provider is available only on hosts with a TPM 2.0.
  7. Click Add Key Provider.
    Note: It takes about five minutes for all the clustered ESXi hosts in a data center to get the key provider, and for the vCenter Server to update its cache. Because of the way the information is propagated, you might have to wait for a few minutes to use the key provider for key operations on some of the hosts.


The vSphere Native Key Provider is added and appears in the Key Provider pane. At this point, the vSphere Native Key Provider is not backed up. You must back up the vSphere Native Key Provider before you can use it.

What to do next

See Back up a vSphere Native Key Provider.