Deploying and configuring vSAN Encryption with HyTrust server in vSAN (Part-1)

HyTrust DataControl® provides encryption and key management for virtual and physical machines located in data centers or private, public, or hybrid clouds. DataControl consists of two main components:

HyTrust KeyControl (KeyControl) — KeyControl stores encryption keys, policies, and configuration for any number of virtual machines with the HyTrust DataControl Policy Agent installed.

HyTrust DataControl Policy Agent (Policy Agent) — A software module that runs inside Windows and most Linux operating systems that provides encryption of virtual disks, file systems, and individual files.

HyTrust KeyControl supports a fully functional KMIP (Key Management Interoperability Protocol) server that can serve as a vSphere KMS (Key Management Server).

Once a trusted connection between KeyControl and vSphere has been established, KeyControl can manage the encryption keys for virtual machines in the cluster that have been encrypted with vCenter Server for vSphere Virtual Machine Encryption or VMware VSAN Encryption

To set up KeyControl as a KMS for vSphere:

  • KeyControl can be installed as linux appliance or as windows software
  • Make sure you deploy KMS node on non-encrypted storage (not on vSAN)
  • Verify that the systems you want to use meet the basic system requirements
  • Configure the first KeyControl node
  • Initialize KeyControl through the KeyControl webGUI for the first node
  • If desired, install additional KeyControl nodes and join them to the cluster. The number of nodes you can install is dictated by your KeyControl license

Configuring a KMIP Server:

Once you have your KeyControl cluster configured, you need to enable the included KMIP server. This server becomes the vSphere KMS (Key Management Server) when you establish a trusted connection between vSphere and KeyControl.

Creating a Certificate Bundle for VMware Encryption:

To establish a trusted connection between the HyTrust KMIP server and vSphere, you need to provide vSphere with a user certificate and a private key generated by the KMIP server.

Note:  Do not enter a password for the certificates. Due to a vSphere limitation, you cannot upload encrypted certificates.

Deployment of OVA:

Download KeyControl appliance from HyTrust website and extract the ova files. In my lab I am using RP HyTrust KMS on to deploy KMS ( KeyControl appliance)

Right click ⇒ Deploy ovf template ⇒ Browse and select ova appliance

Select name & location for KMS servers. I have already deployed primary KMS server ( kmsp) and now deploying secondary KMS (kmss)

Click next and review appliance details

Three deployment methods are given: Recommended, Large and Demo. I have chosen Recommended and click on next

Select the virtual disk format as thin and choose the datastore to place the appliance

Select VM network port group for connectivity and click on next

Now, we have customization template page where we need to provide system details. Make sure host record has been registered with DNS and use hostname & domain name. Put all the required IP details and finish the appliance deployment wizard

Appliance is getting deployed and post deployment open the web console of appliance for further configuration

Post appliance setup set the password for key control system and hit OK. Next option will give you liberty to host new system or add it into existing KMS cluster system. I already have existing setup and thus adding this as secondary

Enter the IP address or hostname of the existing KMS Server and hit on OK

Set 16-character passphrase to authenticate this appliance with existing setup

Authentication has started with existing setup, simultaneously open the primary KMS WebUI and add this passphrase

Go to cluster and you see join pending for secondary KMS. Click on actions and hit authenticate, it will ask for passphrase. Put the same passphrase and click on authenticate

Authentication is in process in the appliance console and object store is getting synchronized with secondary KMS

Now, we can see that secondary KMS is fully installed and managed by webGUI

Login to secondary node IP and click on cluster. It will show us which we have logged into current node which in this case is

Now, both the appliances have been deployed and we are ready to use HyTrust servers as KMS servers.

If you like this blog post, please feel free to share with your friends on social media.

Thanks for reading!!