A high-level overview of the capabilities of the vSphere key providers requires your attention to help plan your encryption strategy.

In general, there is little difference in feature or product support between key provider daily operation. Though key providers look and behave similarly, you might have requirements and regulations to consider when choosing a key provider, as shown in the following table.

Table 1. Key Provider Considerations
Key Provider External Key Server Required? Quick Setup? Works Only with vSphere? Encryption Keys Stored Permanently on Host? Rekey While Cloning?
Standard key provider Yes No No No Yes
Trusted key provider Yes No No No Yes
vSphere Native Key Provider No Yes Yes Yes Yes
Note: At host startup, vSphere Native Key Provider always writes the encryption key to the ESXi hosts in the cluster. If you are concerned about the physical security of the cluster, consider using either a standard key provider or trusted key provider, both of which require that the key server be available for encrypted virtual machines to function.

Key Provider Encryption Features

The following encryption features are supported by each key provider type.

  • Rekey using the same key provider or to another key provider
  • Rotate keys
  • Virtual Trusted Platform Module (vTPM)
  • Disk encryption
  • vSphere Virtual Machine Encryption
  • Co-existence with other key providers
  • Upgrade to a different key provider

Key Provider Support for vSphere Features

The following describes key provider support for some important vSphere features.

  • Encrypted vSphere vMotion: Supported by all key provider types. The same key provider must be available on the destination host. See What Is Encrypted vSphere vMotion.
  • vCenter Server File-based Backup and Restore: Standard key provider and vSphere Native Key Provider support vCenter Server file-based backup and restore. Because most vSphere Trust Authority configuration information is stored on the ESXi hosts, the vCenter Server file-based backup mechanism does not back up this information. To ensure the configuration information for your vSphere Trust Authority deployment is saved, see Backing Up the vSphere Trust Authority Configuration.

Key Provider Support for VMware Products

The following table compares key provider support for some VMware products.

Table 2. Comparison of Support for VMware Products
Key Provider vSAN Data-At-Rest Encryption Site Recovery Manager vSphere Replication
Standard key provider Yes Yes Yes
Trusted key provider No Yes

If the same vSphere Trust Authority services configuration is available on the recovery side, then SRM with array-based replication is supported.

No
vSphere Native Key Provider Yes Yes Yes
Note:

Standard key provider, trusted key provider, and vSphere Native Key Provider support vSphere Virtual Machine Encryption on top of vSAN.

Required Hardware for Key Providers

The following table compares some minimum key provider hardware requirements.

Table 3. Comparison of Required Hardware for Key Providers
Key Provider TPM on ESXi Host
Standard key provider Not required
Trusted key provider Required on Trusted Hosts (hosts in the Trusted Cluster).

Note: Currently, the ESXi hosts in the Trust Authority Cluster do not require a TPM. However, as a matter of best practice, consider installing new ESXi hosts with TPMs.
vSphere Native Key Provider Not required

vSphere Native Key Provider availability can optionally be restricted to hosts with a TPM.

Key Provider Naming

vSphere uses a key provider name to look up a key identifier. If two key providers have the same name, vSphere assumes that they are equivalent and have access to the same keys. Each logical key provider, regardless of its type (Standard, Trusted, and Native Key Provider), must have a unique name across all vCenter Server systems.

In a few instances, you configure the same key provider across multiple vCenter Server systems, such as:

  • Migrating encrypted virtual machines between vCenter Server systems
  • Setting up a vCenter Server as a disaster recovery site