In this blog post in the VMware for Beginners series, having finished the vSphere Distributed Switches topic, we turn to security and encryption in our vSphere environment.

What will we discuss in this series of blog posts on security and encryption?

  • What is vSphere Key Provider?
  • What is vSphere Trust Authority?
  • What is a Virtual Trusted Platform Module (vTPM)?
  • How to implement Storage Policy Based Management?

We will start this series with the blog post What is vSphere Key Provider?

What is vSphere Key Provider?

Starting with vSphere 7.0 Update 2, you can implement encryption technologies such as virtual TPMs (vTPMs) using the built-in vSphere Native Key Provider.

All vSphere editions include the vSphere Native Key Provider, which does not need an external key server (also called a Key Management Server, or KMS) to work. You can also use vSphere Native Key Provider for vSphere Virtual Machine Encryption, but that use is supported only with VMware vSphere Enterprise Plus.
vSphere Native Key Provider is a cost-effective way to encrypt your VMs without a KMS server or vSphere Trust Authority.


With a standard or a trusted key provider, you must set up an external key server. In a standard key provider setup, vCenter Server gets the keys from the external key server and sends them to the ESXi hosts. In a trusted key provider (vSphere Trust Authority) setup, the trusted ESXi hosts fetch the keys directly.

With vSphere Native Key Provider, you no longer need an external key server. The Key Derivation Key (KDK) is the primary key that vCenter Server creates and sends to all ESXi hosts in the cluster. The ESXi hosts then create data encryption keys from it (even when not connected to vCenter Server) to enable security features such as vTPMs. All vSphere editions can use vTPM. You must have a vSphere Enterprise Plus license to use vSphere Native Key Provider for vSphere Virtual Machine Encryption. vSphere Native Key Provider can coexist with a key server already in place.

vSphere Native Key Provider has the following characteristics:

  • Lets you use vTPMs, vSphere Virtual Machine Encryption, and vSAN Data at Rest Encryption when you do not need or want an external key server
  • Works only with products from VMware's server line
  • Does not offer external interoperability, KMIP support, hardware security modules, or other features that a standard third-party external key server provides for interoperability or regulatory compliance. Install a traditional third-party key server if your company needs these features for products and components that VMware does not make
  • Meets the needs of companies that either cannot use an external key server or do not want to
  • Improves data sanitization and system usage by letting encryption technologies be used earlier on media that is hard to sanitize, such as flash and SSD
  • Offers a way to move from one key provider to another. The VMware standard key provider and the vSphere Trust Authority trusted key provider can be used alongside the vSphere Native Key Provider
  • Uses either Enhanced Linked Mode or vCenter Server High Availability to work with multiple vCenter Server instances
  • Can be used to enable vTPM in all vSphere editions, and to encrypt virtual machines if you buy the vSphere Enterprise Plus edition, which includes vSphere Virtual Machine Encryption. vSphere Virtual Machine Encryption works with vSphere Native Key Provider just as it does with VMware standard and trusted key providers
  • With the proper vSAN license, can be used to enable vSAN Data at Rest Encryption
  • When an ESXi host has a Trusted Platform Module (TPM) 2.0, it can be used to improve security. You can also configure vSphere Native Key Provider to be usable only on hosts with a TPM 2.0. If you use a TPM, it must be TPM 2.0; TPM 1.2 does not work with vSphere Native Key Provider

Note:

  • An ESXi host does not require a TPM 2.0 to use a vSphere Native Key Provider. However, a TPM 2.0 does provide enhanced security
  • vSphere Native Key Provider does not support the First Class Disk (FCD) encryption

vSphere Key Provider is frequently confused with vSphere Trust Authority. They are distinct and operate in separate ways.

vSphere Key Providers and vSphere Trust Authority are both vSphere features that can encrypt data. However, they have different strengths and weaknesses.

vSphere Key Providers

  • Pros:
    • Easy to configure and manage
    • Secure
    • Scalable
    • Cost-effective
  • Cons:
    • Not as widely supported as vSphere Trust Authority
    • Does not support all encryption features

vSphere Trust Authority

  • Pros:
    • Widely supported
    • Supports all encryption features
    • More secure than vSphere Key Providers
  • Cons:
    • More complex to configure and manage
    • More expensive

Which one should you choose?

The best choice for you will depend on your specific needs and requirements. If you want a secure and easy way to encrypt data, then vSphere Key Providers is a good option. However, if you need to support all encryption features or if you need to comply with specific regulations, then vSphere Trust Authority is a better choice.

Here is a table that summarizes the key differences between vSphere Key Providers and vSphere Trust Authority:

(Comparison table shown as an image in the original post.)

Now that we know what the vSphere Key Provider is, let's set it up in our vCenter.

How to configure and enable vSphere Key Provider?

Select your vCenter, and in the Configure tab, go to the Security section, select Key Providers, and click Add to add a vSphere Key Provider to your vCenter.


There are two ways to manage these encryption keys:

  • Native Key Provider: With this option, the vCenter Server native key provider is used for the VM storage policy. The native key provider for vCenter Server is a local key provider, and its encryption keys are kept on the ESXi hosts. This is the most commonly chosen option
  • Standard Key Provider: With this option, a third-party key provider is used for the VM storage policy. Compared to the native key provider for vCenter Server, third-party key providers can offer more functionality and security, but they are more difficult to set up

Here is a quick overview of both options:

vSphere Native Key Provider (NKP)

  • Pros:
    • Easy to configure and manage
    • Secure
    • Scalable
    • Cost-effective
    • It does not require an external key management server (KMS)
  • Cons:
    • It does not support all encryption features
    • Not as widely supported as SKP

vSphere Standard Key Provider (SKP)

  • Pros:
    • Supports all encryption features
    • Widely supported
    • More secure than NKP
  • Cons:
    • More complex to configure and manage
    • More expensive
    • Requires an external KMS


Which one should you choose?

The best choice between Native Key Provider and Standard Key Provider depends on the specific needs and scale of the organization. For smaller deployments or environments where simplicity is key, the Native Key Provider might be the best choice. On the other hand, large enterprises with complex needs, or those that need to meet specific compliance requirements, might be better served by an external KMS solution.

For our vSphere test environment, we will select the simpler and lower-cost option, Native Key Provider.


Important Note: Pay attention to the option "Use key provider with TPM protected ESXi hosts". For our VMware Series blog posts, we are working in a nested vSphere environment, where this option is not supported. Because it requires ESXi hosts with a TPM 2.0, which you only get with physical ESXi hosts, not nested ones, disable this option if you are using a nested environment.


We have now created our Key Provider, but for it to become active, we need to back up the key, which creates a password-protected Key Provider file.
Next, click the BACK-UP option to back up your Key Provider.


Note: Protect your Key Provider with a password and save both the file and the password in a secure place.
After you click BACK UP Key Provider to finish, the file is downloaded to your local computer. Again, save that file in a secure place.


We now have our vSphere Key Provider created.


How to delete vSphere Key Provider?

Before deleting a vSphere Key Provider, be aware of the impact of this action if you already have any vTPMs or encrypted virtual machines.

Virtual machines that have vTPMs or are encrypted continue to function after you delete a vSphere Native Key Provider. However, if you restart the ESXi host, the encrypted virtual machines on it go into a locked state. Likewise, if you unregister these virtual machines and then try to re-register them, they go into a locked state. To unlock the virtual machines, you must restore the old vSphere Native Key Provider.

Prerequisites

Rekey all encrypted virtual machines and datastores that were encrypted with that key provider to a different key provider before deleting a vSphere Native Key Provider.

If you delete a vSphere Key Provider, always keep a backup of the vSphere Native Key Provider as well, in case you need to rekey an encrypted virtual machine after removing the key provider.

To delete a vSphere Key Provider, click the DELETE button, then slide the confirmation toggle to the right to delete it.


How to restore a vSphere Key Provider?

If you lost your vCenter or need to rebuild it, you can recover a vSphere Native Key Provider.

  • If you do not need to rebuild your vCenter Server Appliance, use the vSphere Client to restore the key provider
  • If you must rebuild your vCenter Server Appliance, you must restore the key provider from your vCenter Server Appliance Backup

In this case, we will only restore the Key Provider in our existing vCenter.

Note: For either restore option, you need the Key Provider file and its password.

Click the RESTORE button, browse to and add your Key Provider file, and enter the password (created and saved in a secure place when you initially created the vSphere Key Provider).


If you want to use TPM to protect the ESXi hosts, you need to enable the option again. Next, click Finish.


Now set it as the default, and your vSphere Key Provider is restored and active.
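As an added illustration (not code from the original post or from VMware), the following Python model shows the lifecycle this post walks through: vCenter creates the KDK, an ESXi host derives a VM's data encryption key from it locally, the provider is backed up under a password, and after deletion only a restore with the file and the correct password yields the same key. The HKDF derivation and the password-wrapping format are assumed stand-ins, not VMware's actual algorithms or file format.

```python
import hashlib
import hmac
import secrets

# Simplified model, not VMware's implementation: vCenter creates a Key
# Derivation Key (KDK), hosts derive per-VM data encryption keys (DEKs) from it
# locally, and the KDK survives only in the password-protected backup file.


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an empty salt; used to derive DEKs from the KDK."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_vm_dek(kdk: bytes, vm_id: str) -> bytes:
    """An ESXi host derives a VM's DEK from the cluster KDK without asking vCenter."""
    return hkdf_sha256(kdk, b"vm-dek:" + vm_id.encode())


def export_key_provider(kdk: bytes, password: str) -> dict:
    """Model of BACK UP Key Provider: wrap the 32-byte KDK under a password."""
    salt = secrets.token_bytes(16)
    wrap = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 64)
    ct = bytes(a ^ b for a, b in zip(kdk, wrap[:32]))  # one-time pad over 32 bytes
    tag = hmac.new(wrap[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def import_key_provider(backup: dict, password: str) -> bytes:
    """Model of RESTORE: a wrong password fails the MAC check instead of yielding a bogus KDK."""
    wrap = hashlib.pbkdf2_hmac("sha256", password.encode(), backup["salt"], 200_000, 64)
    expected = hmac.new(wrap[32:], backup["salt"] + backup["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, backup["tag"]):
        raise ValueError("wrong password or corrupted Key Provider file")
    return bytes(a ^ b for a, b in zip(backup["ct"], wrap[:32]))


def rebuild_scenario(password: str = "backup-passphrase") -> bool:
    """Delete the provider (lose the KDK), restore from backup, and check the VM's DEK matches."""
    kdk = secrets.token_bytes(32)                  # created once by vCenter
    dek_before = derive_vm_dek(kdk, "vm-db01")     # derived by the host at power-on
    backup = export_key_provider(kdk, password)    # the downloaded Key Provider file
    kdk = None                                     # key provider deleted / vCenter rebuilt
    restored = import_key_provider(backup, password)
    return derive_vm_dek(restored, "vm-db01") == dek_before
```

Without the backup file and password there is no way back to the KDK, which is why the post insists on saving both in a secure place.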


With the restore of the vSphere Key Provider, we finish this part of What is vSphere Key Provider; in the next blog post, we will talk about vSphere Trust Authority.
