You can add a standard key provider to your vCenter Server system from the vSphere Client or by using the public API.

The vSphere Client enables you to add a standard key provider to your vCenter Server system and establish trust between the key server and vCenter Server.

  • You can add multiple key servers from the same vendor.
  • If your environment supports solutions from different vendors, you can add multiple key providers.
  • If your environment includes multiple key providers, and you delete the default key provider, you must set another default explicitly.
  • You can configure the key server with IPv6 addresses.
    • Both the vCenter Server system and the key server can be configured with only IPv6 addresses.

Prerequisites

  • Verify that the key server (KMS) is in the VMware Compatibility Guide for Key Management Servers (KMS) and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
  • Verify that you have the required privileges: Cryptographic operations.Manage key servers.
  • Ensure that the key server is highly available. Loss of connection to the key server, such as during a power outage or a disaster recovery event, renders encrypted virtual machines inaccessible.
    Note: In vSphere 7.0 Update 2 and later, encrypted virtual machines and virtual TPMs can continue to function even when the key server is temporarily offline or unavailable. See vSphere Key Persistence on ESXi Hosts.
  • Consider your infrastructure's dependencies on the key server carefully. Some KMS solutions are delivered as virtual appliances, making it possible to create a dependency loop or other availability problem with poor placement of the KMS appliance.

Procedure

  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Click Add Standard Key Provider and enter the key provider information.
    Option        Value
    Name          Name for the key provider. Each logical key provider, regardless of its type (Standard, Trusted, or Native Key Provider), must have a unique name across all vCenter Server systems. For more information, see Key Provider Naming.
    KMS           Alias for the key server (KMS).
    Address       IP address or FQDN of the key server.
    Port          Port on which vCenter Server connects to the key server.
    Proxy server  Optional proxy server address for connecting to the key server.
    Proxy port    Optional proxy port for connecting to the key server.
    Username      Some key server vendors let you isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a user name only if your key server supports this functionality and you intend to use it.
    Password      Some key server vendors let you isolate the encryption keys used by different users or groups by specifying a user name and password. Specify a password only if your key server supports this functionality and you intend to use it.
    You can click Add KMS to add more key servers.
  5. Click Add Key Provider.
  6. Click Trust.
    vCenter Server adds the key provider and displays the status as Connected.
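The following is an added pre-flight check for the values entered in the Add Standard Key Provider form; it is example code written for this page, not VMware tooling or a vSphere API call. It validates a set of key provider definitions against the rules above (unique provider names across vCenter Server systems, IPv4, IPv6 or FQDN addresses, a port in range, a user name whenever a password is given) and flags a provider that depends on a single key server as an availability risk. It assumes that provider name comparison is case-insensitive, that a proxy server and proxy port are configured together, and that the key server listens on the IANA-registered KMIP port 5696 unless told otherwise; the sample providers are constructed and do not describe real infrastructure. `probe_kmip_tls` only records the key server's certificate fingerprint so it can be compared with what the KMS administrator expects; trust itself is established later in vCenter Server by exchanging certificates.

```python
"""Pre-flight checks for standard key provider entries before adding them in vCenter Server."""
import hashlib
import ipaddress
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KMIP_DEFAULT_PORT = 5696  # IANA-registered KMIP port; a vendor may use a different one (assumption)

# RFC 1123 hostname label: 1-63 chars, letters, digits and hyphens, no leading or trailing hyphen
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class KmsEntry:
    """One key server row of the Add Standard Key Provider form."""
    kms_alias: str
    address: str
    port: int = KMIP_DEFAULT_PORT
    proxy_address: Optional[str] = None
    proxy_port: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class KeyProvider:
    name: str
    servers: List[KmsEntry] = field(default_factory=list)


def classify_address(address: str) -> Optional[str]:
    """Return 'ipv4', 'ipv6' or 'fqdn' for a key server address, or None if it is none of these."""
    try:
        return "ipv6" if ipaddress.ip_address(address).version == 6 else "ipv4"
    except ValueError:
        pass
    if not address or len(address) > 253:
        return None
    labels = address.rstrip(".").split(".")
    if labels[-1].isdigit():  # reject things like '12345' or '1.2.3' that look numeric but are no IP
        return None
    return "fqdn" if all(_LABEL_RE.match(label) for label in labels) else None


def validate_providers(providers: List[KeyProvider],
                       existing_names: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return (provider name, severity, message) findings; an empty list means the input is clean.

    severity is 'error' for values vCenter Server would reject or that are inconsistent, and
    'warning' for an availability risk that is allowed but worth a second look.
    """
    findings = []
    # Names must be unique across all vCenter Server systems; pass the names already in use
    seen = {n.strip().lower() for n in existing_names}  # case-insensitive comparison (assumption)
    for p in providers:
        key = p.name.strip().lower()
        if not key:
            findings.append((p.name, "error", "key provider name must not be empty"))
        elif key in seen:
            findings.append((p.name, "error",
                             "name already in use; names must be unique across all vCenter Server systems"))
        seen.add(key)

        if not p.servers:
            findings.append((p.name, "error", "at least one key server (KMS) is required"))
        elif len(p.servers) == 1:
            findings.append((p.name, "warning",
                             "only one key server; if it is unreachable, encrypted VMs become inaccessible"))

        aliases = set()
        for s in p.servers:
            tag = f"KMS {s.kms_alias!r}"
            if s.kms_alias in aliases:
                findings.append((p.name, "error", f"{tag}: duplicate KMS alias within the provider"))
            aliases.add(s.kms_alias)
            if classify_address(s.address) is None:
                findings.append((p.name, "error",
                                 f"{tag}: address {s.address!r} is not an IPv4 address, IPv6 address or FQDN"))
            if not 1 <= s.port <= 65535:
                findings.append((p.name, "error", f"{tag}: port {s.port} is outside 1-65535"))
            if (s.proxy_address is None) != (s.proxy_port is None):
                findings.append((p.name, "error", f"{tag}: proxy server and proxy port must be given together"))
            if s.password and not s.username:
                findings.append((p.name, "error", f"{tag}: password given without a user name"))
    return findings


def probe_kmip_tls(address: str, port: int = KMIP_DEFAULT_PORT, timeout: float = 5.0) -> dict:
    """Reachability probe: open a TLS session to the KMIP port and record the server certificate's
    SHA-256 fingerprint. Verification is off on purpose: trust is established later in vCenter Server
    by exchanging certificates, and the fingerprint is returned for out-of-band comparison only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sni = address if classify_address(address) == "fqdn" else None  # no SNI for IP literals
    try:
        with socket.create_connection((address, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "tls_version": tls.version(),
                        "cert_sha256": hashlib.sha256(der).hexdigest()}
    except OSError as exc:  # covers timeouts, refused connections and TLS alerts (ssl.SSLError)
        return {"ok": False, "error": str(exc)}


EXAMPLE_PROVIDERS = [  # constructed sample data, not real infrastructure
    KeyProvider("kp-prod", [KmsEntry("kms-a", "10.0.0.5"),
                            KmsEntry("kms-b", "kms-b.example.com")]),
    KeyProvider("KP-PROD", [KmsEntry("kms-c", "2001:db8::10")]),  # name collides with kp-prod; single KMS
    KeyProvider("kp-bad", [KmsEntry("kms-d", "not a host", 70000,
                                    proxy_address="proxy.example.com", password="s3cret")]),
]

if __name__ == "__main__":
    for name, severity, message in validate_providers(EXAMPLE_PROVIDERS):
        print(f"{severity:7} {name}: {message}")
```

Run the script as-is to see the findings for the constructed providers: `kp-prod` is clean, `KP-PROD` is rejected because its name collides with `kp-prod` and is flagged for having a single key server, and `kp-bad` collects one finding per broken field. Call `probe_kmip_tls` against a real key server address only once the entries validate; a KMS that requires a client certificate may close the session after the handshake, which the function reports as `ok: False` rather than hiding.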

What to do next

See Establish a Standard Key Provider Trusted Connection by Exchanging Certificates.