You can add a standard key provider to your vCenter Server system from the vSphere Client or by using the public API.
The vSphere Client enables you to add a standard key provider to your vCenter Server system, and establish trust between the key server and vCenter Server.
- You can add multiple key servers from the same vendor.
- If your environment supports solutions from different vendors, you can add multiple key providers.
- If your environment includes multiple key providers, and you delete the default key provider, you must set another default explicitly.
- You can configure the key server with IPv6 addresses.
- Both the vCenter Server system and the key server can be configured with only IPv6 addresses.
Prerequisites
- Verify that the key server (KMS) is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
- Verify that you have the required privileges: .
- Ensure that the key server is highly available. Loss of connection to the key server, such as during a power outage or a disaster recovery event, renders encrypted virtual machines inaccessible.
Note: In vSphere 7.0 Update 2 and later, encrypted virtual machines and virtual TPMs can continue to function even when the key server is temporarily offline or unavailable. See vSphere Key Persistence on ESXi Hosts.
- Consider your infrastructure's dependencies on the key server carefully. Some KMS solutions are delivered as virtual appliances, making it possible to create a dependency loop or other availability problem with poor placement of the KMS appliance.