A high-level overview of the capabilities of the vSphere key providers requires your attention to help plan your encryption strategy.
In general, there is little difference in feature or product support between key provider daily operation. Though key providers look and behave similarly, you might have requirements and regulations to consider when choosing a key provider, as shown in the following table.
Key Provider | External Key Server Required? | Quick Setup? | Works Only with vSphere? | Encryption Keys Stored Permanently on Host? | Rekey While Cloning? |
---|---|---|---|---|---|
Standard key provider | Yes | No | No | No | Yes |
Trusted key provider | Yes | No | No | No | Yes |
vSphere Native Key Provider | No | Yes | Yes | Yes | Yes |
Key Provider Encryption Features
The following encryption features are supported by each key provider type.
- Rekey using the same key provider or to another key provider
- Rotate keys
- Virtual Trusted Platform Module (vTPM)
- Disk encryption
- vSphere Virtual Machine Encryption
- Co-existence with other key providers
- Upgrade to a different key provider
Key Provider Support for vSphere Features
The following describes key provider support for some important vSphere features.
- Encrypted vSphere vMotion: Supported by all key provider types. The same key provider must be available on the destination host. See What Is Encrypted vSphere vMotion.
- vCenter Server File-based Backup and Restore: Standard key provider and vSphere Native Key Provider support vCenter Server file-based backup and restore. Because most vSphere Trust Authority configuration information is stored on the ESXi hosts, the vCenter Server file-based backup mechanism does not back up this information. To ensure the configuration information for your vSphere Trust Authority deployment is saved, see Backing Up the vSphere Trust Authority Configuration.
Key Provider Support for VMware Products
The following table compares key provider support for some VMware products.
Key Provider | vSAN Data-At-Rest Encryption | Site Recovery Manager | vSphere Replication |
---|---|---|---|
Standard key provider | Yes | Yes | Yes |
Trusted key provider | No | Yes If the same vSphere Trust Authority services configuration is available on the recovery side, then SRM with array-based replication is supported. |
No |
vSphere Native Key Provider | Yes | Yes | Yes |
Standard key provider, trusted key provider, and vSphere Native Key Provider support vSphere Virtual Machine Encryption on top of vSAN.
Required Hardware for Key Providers
The following table compares some minimum key provider hardware requirements.
Key Provider | TPM on ESXi Host |
---|---|
Standard key provider | Not required |
Trusted key provider | Required on Trusted Hosts (hosts in the Trusted Cluster).
Note: Currently, the
ESXi hosts in the Trust Authority Cluster do not require a TPM. However, as a matter of best practice, consider installing new
ESXi hosts with TPMs.
|
vSphere Native Key Provider | Not required vSphere Native Key Provider availability can optionally be restricted to hosts with a TPM. |
Key Provider Naming
vSphere uses a key provider name to look up a key identifier. If two key providers have the same name, vSphere assumes that they are equivalent and have access to the same keys. Each logical key provider, regardless of its type (Standard, Trusted, and Native Key Provider), must have a unique name across all vCenter Server systems.
In a few instances, you configure the same key provider across multiple vCenter Server systems, such as:
- Migrating encrypted virtual machines between vCenter Server systems
- Setting up a vCenter Server as a disaster recovery site