Enabling VM encryption with an external KMS
480 Ansichten
21.10.2024 
Cloud / VMware
Objective
Find out how to implement encryption for your virtual machines with an external KMS.
Requirements
- You need to have signed up to a Hosted Private Cloud offer.
- An external key server (KMS) compatible with KMIP 1.1 and in the VMware compatibility matrix.
- Access to the vSphere management interface.
- Virtual machines with a Hardware 13 version (minimum).
Instructions
The purpose of this guide is to explain the details of implementing virtual machine encryption on the VMware on OVHcloud Hosted Private Cloud solution, using a storage strategy that uses a Standard Key Provider or external KMS.
Retrieve Key Server Certificate Thumbprint (KMS)
Depending on your KMS, you can connect to the server using your browser. Then click View Certificate and Thumbprint.
Extract the value from the SHA1 Fingerprint line.
Here is another method with OpenSSL:
Here, it is the value to the right of the equal sign:
Register your key server (KMS)
Via the OVHcloud Control Panel
Log in to the OVHcloud Control Panel and go to the Hosted Private Cloud section.
Click VMware in the services bar on the left-hand side, then select the VMware service concerned.
From the main page of the service, click Security.
Further down the page is the "Virtual Machine Encryption Key Management Servers" section. Click the Add a new KMS server button.
In the new window that opens, enter the following information:
- The KMS IP address.
- The SSLThumbprint of the KMS Server you previously retrieved.
Confirm that you read this documentation, then confirm by clicking Next.
A window displays the progress of the task.
With the OVHcloud API
Encryption features can be enabled using the OVHcloud API.
To retrieve your "serviceName", use the following API call:
To verify that encryption is not enabled yet, use this API call:
Then register the KMS:
To make this change, you need the following information:
- The serviceName previously retrieved.
- The external KMS IP address.
- The TLS fingerprint of the external KMS previously retrieved.
Adding your key server (KMS) to the vCenter
About this part
The vCenter Server creates a KMS cluster when you add your first KMS instance.
- When you add the KMS, you are prompted to set this cluster as default. You can change this later.
- Once the vCenter has created the first cluster, you can add new KMS instances from the same provider to it.
- You can configure the cluster with at a minimum of one KMS instance.
- If your environment supports KMS solutions from different providers, you can add multiple KMS clusters.
- If your environment includes multiple KMS clusters and you remove the default cluster, you must define a different one. See "Setting the Default KMS Cluster".
Procedure
Initiate the manipulation by connecting to your Hosted Private Cloud with the vSphere web client.
Then browse your inventory list and select the vCenter concerned. Go to "Manage", then "Key Management Servers".
Click Add > Add Standard Key Provider.
Then specify the KMS information in the configuration wizard that appears:
Validate the certificate by clicking Trust KMS.
Importing KMS certificate
Most KMS providers require a certificate to establish a secure connection with the vCenter.
From the vCenter on which you added the KMS server, select it. In "All options", click Establish a trusted link with KMS.
Ensure that the certificate is not encrypted with a password when you download it from the KMS. For example, if you create a user, create one without a password and download the certificate for the KMS user.
Check that the KMS is configured
Verify that the "Connection Status" corresponding to the KMS is in "Normal" mode.
Modify the storage policy of "VM Encryption Storage"
Create a virtual machine. Once you have created it, right-click it. Click VM Policies then Edit VM Storage Policies.
Select the virtual machine files and other hard drives that need to be encrypted.
Ensure that the tasks were completed without errors.
If the KMS is not configured correctly and there are faults with the key exchange between vCenter and KMS, there will be a "RuntimeFault" error in the task with a "Cannot generate key" error message.
Encrypted vMotion
For vMotion, encryption works at the virtual machine level. For synchronization, 256-bit encryption keys are used.
vMotion traffic encryption works at the VM kernel level with the widely used AES-GCM (Advanced Encryption Standard-Galois Counter Mode) algorithm.
Then modify your virtual machine and click VM Options
You must select the options if your vMotion needs to be encrypted. There are three policies for encrypted vMotion:
| Status | Description |
|---|---|
| Disabled | - Off |
| Opportunities | - Encryption only if supported by the source host and ESXi target host. Otherwise, vMotion will not be encrypted |
| Required | - Encryption will be used |
Moving machines between hosts is done by exchanging unique keys, which are generated and served by the vCenter server, rather than by KMS.
Configuration checks
Check that a small padlock is visible, and that the disk is correctly encrypted in your VM information.
Check your VM settings to ensure that your storage policy is the one that uses VM encryption Policy.
Finally, you can look at the tasks and events to get the final confirmation that the configuration worked.
Go further
If you are having problems configuring your external KMS, please contact our support teams or consider using an OVHcloud KMS (OKMS).
You can read the following guide, which details the procedure to follow: KMS for VMware on OVHcloud - Solution and use cases for encrypting VMs.
Join our community of users.
vNKP - Enabling virtual machine encryption (EN)
569