You must consider hardware and software requirements when configuring vSphere Trust Authority. You must set cryptographic privileges and roles to use encryption. The user who performs vSphere Trust Authority tasks must have the appropriate privileges.

Requirements for vSphere Trust Authority

To use vSphere Trust Authority, your vSphere environment must meet these requirements:

  • ESXi Trusted Host hardware requirements:
    • TPM 2.0
    • Secure Boot enabled
    • EFI firmware
  • Component requirements:
    • vCenter Server 7.0 or later
    • A dedicated vCenter Server system for the vSphere Trust Authority Cluster and ESXi hosts
    • A separate vCenter Server system for the Trusted Cluster and ESXi Trusted Hosts
    • A key server (called a Key Management Server, or KMS, in prior vSphere releases)
  • Virtual machine requirements:
    • EFI firmware
    • Secure Boot enabled

Note: Before you can begin configuring vSphere Trust Authority, ensure that you have set up your vCenter Server systems for the Trust Authority Cluster and Trusted Cluster, and added ESXi hosts to each cluster.

vSphere Trust Authority and Cryptography Privileges

vSphere Trust Authority does not introduce any new cryptography privileges. The same cryptography privileges described in Using Cryptography Privileges and Roles apply to vSphere Trust Authority.

vSphere Trust Authority and Host Encryption Mode

vSphere Trust Authority does not introduce any new requirements for enabling host encryption mode on the ESXi Trusted Hosts. See Prerequisites and Required Privileges for Virtual Machine Encryption Tasks for more information about host encryption mode.

Using the vSphere Trust Authority Roles and the TrustedAdmins Group

vSphere Trust Authority operations require a user that is a member of the TrustedAdmins group. This user is called the Trust Authority administrator. vSphere administrators must either add themselves to the TrustedAdmins group or add other users to the group to gain the Trusted Infrastructure administrator role. The Trusted Infrastructure administrator role is necessary for vCenter Server authorization. The TrustedAdmins group is necessary for authentication on the ESXi hosts that are part of the Trusted Infrastructure. Users with the Cryptographic Operations.Register host privilege on ESXi hosts can manage the Trusted Cluster. The vCenter Server permissions are not propagated to the Trust Authority hosts, only to the Trusted Hosts. Only members of the TrustedAdmins group are granted privileges on the Trust Authority hosts. Group membership is verified on the ESXi host itself.

Note: vSphere administrators and members of the Administrators group are assigned the Trusted Infrastructure administrator role, but this role by itself does not permit a user to perform vSphere Trust Authority operations. Membership in the TrustedAdmins group is also required.

After vSphere Trust Authority is enabled, Trust Authority administrators can assign trusted key providers to Trusted Hosts. Those Trusted Hosts can then use the trusted key providers to perform cryptographic tasks.

In addition to the Trusted Infrastructure administrator role, vSphere Trust Authority provides the No Trusted Infrastructure administrator role, which contains all privileges in vCenter Server except the ones that call the vSphere Trust Authority APIs.

vSphere Trust Authority groups, roles, and users function as follows:

  • On first boot, vSphere grants the TrustedAdmins group the Trusted Infrastructure administrator role, which has global permissions.
  • The Trusted Infrastructure administrator role is a system role that has the required privileges to call the vSphere Trust Authority APIs (TrustedAdmin.*), and the system privileges System.Read, System.View, and System.Anonymous to view inventory objects.
  • The No Trusted Infrastructure administrator role is a system role that contains all privileges in vCenter Server except the ones to call the vSphere Trust Authority APIs. Adding new privileges to vCenter Server also adds them to the No Trusted Infrastructure administrator role. (The No Trusted Infrastructure administrator role is similar to the No cryptography administrator role.)
  • The vSphere Trust Authority privileges (TrustedAdmin.* APIs) are not included in the No cryptography administrator role, preventing users with this role from setting up a Trusted Infrastructure or performing cryptographic operations.
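The text above describes two separate enforcement points: vCenter Server authorizes a call by role and privilege (the Trusted Infrastructure administrator role carries the TrustedAdmin.* privileges), while the ESXi hosts in the Trusted Infrastructure verify TrustedAdmins group membership themselves, because vCenter Server permissions are not propagated to the Trust Authority hosts. The following is an added Python model of that split, not VMware code: the group, role and privilege names come from the text, but the `User` class, the policy functions and the placeholder privileges `Host.Config.*` and `VirtualMachine.*` (standing in for "all other vCenter Server privileges") are assumptions made for the illustration. The outcomes it derives follow the prose: a user who holds the role but is not in the group passes the vCenter Server check and fails on the ESXi host.

```python
"""Toy model of vSphere Trust Authority authorization (added example, not VMware code)."""
from dataclasses import dataclass, field

ADMINISTRATORS = "Administrators@system.domain"
TRUSTED_ADMINS = "TrustedAdmins@system.domain"

TI_ADMIN_ROLE = "Trusted Infrastructure administrator"
NO_TI_ADMIN_ROLE = "No Trusted Infrastructure administrator"

# Privilege families named in the text: the vSphere Trust Authority APIs and the
# read-only system privileges the Trusted Infrastructure administrator role carries.
TA_PRIVILEGES = {"TrustedAdmin.*"}
SYSTEM_PRIVILEGES = {"System.Read", "System.View", "System.Anonymous"}
# Constructed placeholder for "all other vCenter Server privileges".
OTHER_PRIVILEGES = {"Host.Config.*", "VirtualMachine.*"}

ROLE_PRIVILEGES = {
    TI_ADMIN_ROLE: TA_PRIVILEGES | SYSTEM_PRIVILEGES,
    # Everything except the TrustedAdmin.* privileges.
    NO_TI_ADMIN_ROLE: OTHER_PRIVILEGES | SYSTEM_PRIVILEGES,
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

    def effective_roles(self):
        # vSphere grants TrustedAdmins the Trusted Infrastructure administrator
        # role as a global permission, and Administrators are assigned it as well.
        roles = set(self.roles)
        if self.groups & {TRUSTED_ADMINS, ADMINISTRATORS}:
            roles.add(TI_ADMIN_ROLE)
        return roles

    def vcenter_privileges(self):
        privs = set()
        for role in self.effective_roles():
            privs |= ROLE_PRIVILEGES.get(role, set())
        if ADMINISTRATORS in self.groups:
            privs |= OTHER_PRIVILEGES  # regular administrators keep the ordinary privileges
        return privs


def _has_privilege(privs, privilege):
    """Match an exact privilege name or a wildcard family such as 'TrustedAdmin.*'."""
    for p in privs:
        if p == privilege or (p.endswith(".*") and privilege.startswith(p[:-1])):
            return True
    return False


def vcenter_authorizes(user, privilege):
    """Decision point 1: vCenter Server checks roles and privileges."""
    return _has_privilege(user.vcenter_privileges(), privilege)


def esxi_authorizes(user):
    """Decision point 2: the ESXi host verifies TrustedAdmins membership itself;
    vCenter Server permissions are not propagated to the Trust Authority hosts."""
    return TRUSTED_ADMINS in user.groups


def can_call_ta_api(user, touches_esxi):
    """A vSphere Trust Authority vCenter Server API call; some fan out to ESXi."""
    if not vcenter_authorizes(user, "TrustedAdmin.KeyProvider.Read"):
        return False
    if touches_esxi and not esxi_authorizes(user):
        return False
    return True


def can_manage_cluster(user):
    """A host operation unrelated to vSphere Trust Authority (placeholder privilege)."""
    return vcenter_authorizes(user, "Host.Config.Storage")


def capabilities(user):
    """(TA API including ESXi calls, TA API vCenter-only, regular host operations)."""
    return (can_call_ta_api(user, touches_esxi=True),
            can_call_ta_api(user, touches_esxi=False),
            can_manage_cluster(user))


if __name__ == "__main__":
    # Constructed sample users covering the combinations discussed in the text.
    samples = [
        User("both", groups={ADMINISTRATORS, TRUSTED_ADMINS}),
        User("trusted-admins-only", groups={TRUSTED_ADMINS}),
        User("administrators-only", groups={ADMINISTRATORS}),
        User("role-without-group", roles={TI_ADMIN_ROLE}),
        User("no-ti-admin-role", roles={NO_TI_ADMIN_ROLE}),
    ]
    for u in samples:
        print(f"{u.name:22s} TA+ESXi={capabilities(u)[0]!s:5s} "
              f"TA-only={capabilities(u)[1]!s:5s} host-ops={capabilities(u)[2]}")
```

The point the model makes is that adding a user to the TrustedAdmins group is what unlocks the calls that reach the ESXi hosts; granting the Trusted Infrastructure administrator role in vCenter Server alone stops at the first decision point.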

The use cases for these users, groups, and roles are shown in the following table.

Table 1. vSphere Trust Authority Users, Groups, and Roles

| User, Group, or Role | Can Call vSphere Trust Authority vCenter Server API (Includes Calls to vSphere Trust Authority ESXi API) | Can Call vSphere Trust Authority vCenter Server API (Does Not Include Calls to vSphere Trust Authority ESXi API) | Can Perform Host Operations in Cluster Not Related to vSphere Trust Authority | Comment |
|---|---|---|---|---|
| User in both Administrators@system.domain group and TrustedAdmins@system.domain group | Yes | Yes | Yes | NA |
| User in TrustedAdmins@system.domain group only | Yes | Yes | No | Such a user cannot perform regular cluster management operations. |
| User in Administrators@system.domain group only | Yes | No | Yes | NA |
| User with Trusted Infrastructure administrator role but not in TrustedAdmins@system.domain group | Yes | No | No | The ESXi host checks the group membership of the user to grant permissions. |
| User with No Trusted Infrastructure administrator role only | No | No | Yes | Such a user is similar to an administrator who cannot perform vSphere Trust Authority operations. |