VMware vSphere Virtual Machine Encryption

KB ID 0001470


Other that learn this for an exam I’ve never had to deploy this in anger. So when I heard we had a customer at work who wanted to take a look at it I was quite keen to take a look.

To encrypt a VM you need to have an additional KMS (Key Management server) which VMware do not provide. They do provide a list, so theres no point me posting a list that will be out of date in a couple of weeks. Our client expressed a preference for HyTrust, so that’s what I ran with

WARNINIG: You need vCenter 6.5 or above to do VM encryption

Deploy HyTrust KMS Server

At time of writing the current version is 4.2.1 you can get a 60 trial if you want to give it a test.

Download HyTrust KMS

Pull down the appliance and deploy the OVF into your environment;

VMware vSphere – How to Import and Export OVF and OVA Files

VMware Deploy KMS Server

Go get a coffee, when deployed, connect to the console set a console password, and follow the instructions until it tells you to connect via a browser.

KMIP Password

Connect via a browser (default username and password is secroot), Change the password when prompted, and proceed to KMIP. By default the service is disabled so enable it. (Take note of the port number, 5696 you will ned this later!)

Enable KMIP Server

Client Certificates > Action > Create Certificate > Give it a name, and leave the password section blank.

Create VC Certificate

Actions > Download certificate > Save the Zip file, if you open it you will find two PEM files, (you only actually need the one that has the same name as you used above).

Dowload VC Certificate

Over on your vCenter  > Select the vCenter > Configure > Key Management Servers > Add.

vSphere Add Key Management Server

Supply a name, the IP address of the appliance, and the port number > OK > Yes.

Add KMS Server to vCenter


vCenter Deploy KMS for Encryption

Select the KMS > Establish trust with KMS.

vCenter Trust KMS for Encryption

Upload a certificate and private key > OK.

vCenter Upload KMS Certificate

Paste in the SAME PEM FILE into both top and bottom windows. (The one with the name you chose, and downloaded earlier) > OK.

vCenter Upload PEM for KMS

If you have done everything right all the status lights should ‘go-green’

vMWare Full VM Encryption

You can now create a VM Storage Encryption Policy. (Well you can create one first, but without a KMS server, nothing will get encrypted).

Part Two: VMware: Creating a Storage Encryption Policy

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *