KMS for VMware on OVHcloud - Configuring VM encryption

.

Via the OVHcloud Control Panel

To access the OVHcloud KMS, log in to your OVHcloud Control Panel, then go to the Hosted Private Cloud section. In the left-hand column, click Identity, Security & Operation, then Key Management Service.

To order a new KMS server, click the Order a KMS button, then Select a region.

The encryption keys and access certificates for this KMS will be stored in the specified region. They can be used for any OVHcloud product, regardless of region.

Once you have made your choice, click on the Order button.

Finally, click Finish to finalize the order.

Once your order has been confirmed, your KMS will contain the Name, the ID and the Region.

Copy your OKMS "ID".

The ID looks like a typical UUID. It will then be useful to:

• List your OVHcloud resources.
• List all access information (credentialId).
• Generate the "credentialId" with your CSR (the credentialId being the ID of the proof of signature of your CSR, your request for new access credentials).
• List all keys OKMS.

You can view the table above.

Settings:

• okmsId: Your OVHcloud KMS ID (OKMS).

In step 3, we will look at how to carry out these requests.

Here is a global view of your KMS order for your OVHcloud VMware vSphere managed HPC environment.

You can copy and paste all the information needed to launch the API calls (IP, URN, KMIP etc...).

Via OVHcloud APIs

To list your OVHcloud KMS orders, use the following API call:

Settings:

• okmsId: Your OVHcloud KMS ID (Okms).

Return example:

[
  {
    "id": "Null",
    "region": "EU_WEST_RBX",
    "kmipEndpoint": "eu-west-rbx.okms.ovh.net:5696"
    "kmipRsaEndpoint": "eu-west-rbx.okms.ovh.net:5697",
    "restEndpoint": "https://eu-west-rbx.okms.ovh.net",
    "swaggerEndpoint": "https://swagger-eu-west-rbx.okms.ovh.net",
    "iam": {
      "displayName": "Null",
      "id": "Null",
      "urn": "urn:v1:eu:resource:okms:Null"
    }
  }
]

You now have an OVHcloud KMS server to set up within your managed VMware on OVHcloud environment.

To validate the OVHcloud KMS (OKMS) with Hosted Private Cloud VMware on OVHcloud, create an inbound flow opening rule (firewall) within your VMware vSphere on OVHcloud HPC gateway.

This step must be completed immediately after you have ordered your KMS (OVHcloud) and before the KMS has been added to the managed VMware vSphere web interface.

Via the OVHcloud Control Panel

Open feeds (required):

To create or import a KMS key management service, log in to your OVHcloud Control Panel, then go to the Hosted Private Cloud section. In the left-hand column, click on VMware, then select the service concerned. On the page that pops up, click on the Security tab.

Then go further down in the Virtual Machine Encryption Key Management Servers section.

You will need to add your KMS via the control panel immediately after you have purchased and delivered your OVHcloud KMS. This is to allow flows within OVHcloud firewalls to be authorized.

You can add your OKMS from the HPC control panel, by clicking Add a new KMS server

In the new window that pops up, fill out the following forms:

• IP: Please use the IP address, as the domain name cannot be added. For example, use the IP address 137.74.127.152 for the region of Strasbourg and the IP address 91.134.128.102 for the region of Roubaix.
• Description: Enter a description for your OKMS.
• SSL Thumbprint: Enter the SSL/TLS Thumbprint of your OKMS.

To retrieve the TLS fingerprint, launch the following OpenSSL command (adapt your OKMS endpoint to the right region (e.g. eu-west-rbx/sbg), which includes your OVHcloud KMS):

openssl s_client -connect eu-west-rbx.okms.ovh.net:5697 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
---
Return:
SHA1 Fingerprint=FE:21:E2:DE:B7:51:34:E9:9A:AB:E0:27:FF:1E:42:3A:15:9C:76:47

To retrieve the public IP of the OVHcloud KMS server, launch a ping. For example:

ping eu-west-rbx.okms.ovh.net

This is the IP of the Roubaix KMS and its TLS fingerprint. Adapt the command above to suit the region where your KMS is located (Strasbourg, for example).

Please check that the following confirmation is ticked before you continue : "I have read and understood the VM Encryption documentation and the actions I will need to carry out on my own".

Wait for the streams to open and change the status to green delivered.

At the same time, check your rights within IAM. To use KMS, you will need additional rights.

To do this, go to the Users tab of your HPC managed vSphere. In the table that opens, click on the ... button to the right of the user concerned, then on Modify.

Verify that the Encryption management is enabled.

If you are using a particular IAM role with a global policy within your HPC managed vSphere, enable encryption management for that role. If this is the role created when IAM was enabled (iam-admin), the role has default encryption management.

With your policy, ensure that the users, resources, actions and product types of your HPC VMware vSphere managed on OVHcloud have been added.

IAM policy example:

• Identity: local user XX -> OVHcloud local user.
• User groups: ADMIN, XXXX-XX-XX/user_iam.
• Resources: pcc-XXX-XXX-XXX-XXX (reference for your managed vSphere).
• Product type: iam_ressources_type_okms/kmip.
• Actions: vSphere Admin, pccVMware:apiovh:vmEncryption/kms/changeProperties, pccVMware:vSphere:assumeRole?iam-admin -> User vSphere iam-admin, okms:kmip:get, okms:apikms:serviceKey/create etc..

For your information, the domain ID corresponds to the URN of your OVHcloud KMS.

Via OVHcloud APIs (optional)

If you have already opened the streams from the control panel, you can use the following API call (optional).

Opening flows step:

Settings:

• serviceName: Enter the reference of your managed vSphere. Example: pcc-XX-XX-XX-XX.
• description: Enter the description of your OKMS.
• ip: Enter the public IP address of your OKMS.
• sslThumbprint: Enter the TLS fingerprint of your OKMS.

Copy and paste (with KMS settings):

{
"description": "Okms demo",
"ip": "91.134.128.102",
"sslThumbprint": "FE:21:E2:DE:B7:51:34:E9:9A:AB:E0:27:FF:1E:42:3A:15:9C:76:47"
}
 ```

To retrieve the KMS TLS fingerprint, run the following command **OpenSSL**, adapting the command to the region where your KMS is located:

```shell
openssl s_client -connect eu-west-rbx.okms.ovh.net:5697 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
---
Back:
SHA1 Fingerprint=FE:21:E2:DE:B7:51:34:E9:9A:AB:E0:27:FF:1E:42:3A:15:9C:76:47

To retrieve the public IP of the OVHcloud KMS, ping it by adapting the command to the region where your KMS is located:

ping eu-west-rbx.okms.ovh.net

To update your KMS with an OVHcloud KMS:

Settings:

• kmsId: Enter the ID of your OKMS server. (Example: 350)
• serviceName: Enter the name of your managed vSphere. Example: pcc-XX-XX-XX-XX.

Example:

 {
"description": "description test",
"sslThumbprint": "FE:21:E2:DE:B7:51:34:E9:9A:AB:E0:27:FF:1E:42:3A:15:9C:76:47"
}

Return:

After running the API, you should see the following result in response:

{
  "kmsId": XXX,
  "kmsTcpPort": 5697,
  "sslThumbprint": "Null",
  "description": "OKMS description",
  "state": "delivered",
  "ip": "Null"
}

Wait (status: updating) for the streams to open and for the status to change to the "delivered" state (optional).

To enable encryption within vSphere, you must have sufficient rights within your KMS resources and OVHcloud account.

If you do not already have an IAM policy created, we will create one to list the necessary steps.

You will need to log in to your OVHcloud control panel.

Go to Identity, Security & Operations section. Click Policies, then Create a policy.

Add the name of your policy, otherwise you will not be able to create it at the end.

And an intelligent description of your IAM strategy.

In Identities, add your local OVHcloud user (the one with which you generated the CSR from the API) by clicking Add a user.

You then need to add the actions in order to generate the keys for your vSphere encryption policy.

Click in the Product type field, then add Key Management System (KMS)

You can choose to add all actions or filter more finely according to your user needs.

Finally, click Create policy.

Your policy has been created. You can now enable encryption within PCC by changing the "VM strategy" of your virtual machines.

If you do not have a pre-established policy, explore the API control panel and determine the IAM actions required for the policy. If you already have an IAM policy, you can modify it and add the necessary actions.

After ordering your OKMS, open the flows within your OVHcloud managed vSphere. All you need to do now is configure the import within vSphere and install the trust relationship between vCenter and OKMS.

openssl s_client -connect eu-west-rbx.okms.ovh.net:443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

awk '{printf "%s\\n", $0}' csr.pem

{
"csr": "------BEGIN CERTIFICATE REQUEST----\nMIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV\nBAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNQgSW5jERMA8GA1UECIRGIRGna\nlnlxGUNGMGBUb lnaWNlcnQuY29tMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo\nwp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWOBkcc2c\EmctttGb ldxRthNLOs1efOhdnWFuhI162qmcflgpiI\nWDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ\nwIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWTx+n0KfqbxXxXxXxDxDxDxDxBt4 yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ\nKoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D\nhJSZwbvEtOK0G3+dr4Fs11WuUNLsc5Lsx6a6a6a6a6a4aMMMGyMMMMMMGyXMYQmMMYQmM T3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/\nZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn\n29XI1VUNCPQGn/e7p6PyoXoXoeaRaaQo Uqy1hvJac9QFO2\n97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=\n------END CERTIFICATE REQUEST-------",
"description": "My user reader credential",
"identityURNs": [
"urn:v1:eu:identity:user:<<PASTE_YOUR_NICHANDLE_HERE>>-ovh/user", // The user with whom you connect to your managed vSphere resources and with whom you have the rights to the products (HPC, OKMS) in question.
"urn:v1:eu:identity:group:<<PASTE_YOUR_NICHANDLE_HERE>>-ovh/group" // If you use groups, you can add them here. The principle is the same as with a user within the OVHcloud ecosystem.
],
"name": "user",
"validity": 365
}

awk '{gsub(/\\n/,"\n")}1' csr_signed.pem

In step 6, you will complete the encryption activation on a virtual machine with the OKMS using a Storage Policy that we will now create.

This storage policy uses host-based policies. You must have enabled Host-based rules, and then enabled the storage policy components.

To create a storage policy, you need to access your PCC vSphere. If you have followed the previous steps, you must already be logged in to the control panel, after adding your OVHcloud KMS in step 4.

You now need to go to Policies and profiles > VM storage strategies.

Click CREATE in VM Storage Policies.

The policy creation window will now open. You are in step 1 Name and description.

You need to determine your vCenter server, which is the PCC on which you want to create your storage strategy.

Once you have PCC-XXX-XXX-XXX-XXX.ovh.XX chosen, give it a Name and Description.

You can click NEXT to continue.

This brings you to step 2, Policy structure.

Here, we will enable host-based policy rules. Select the Enable host-based rules checkbox.

To continue, click NEXT.

For step 3, you must confirm the choices in the previous step by enabling validation of the storage policy component (encryption).

For the purposes of this guide, we will leave the default setting Default encryption properties.

You must click Encryption.

Then use the storage policy component Default encryption properties.

• Storage policy component: Default encryption properties.
• Description: Storage policy component for VM and virtual disk encryption.
• Provider: VMware encryption.
• Allow I/O filters before encryption: False.

For your information, these available data services may include encryption, I/O control, caching, and so on. Host-based services will be applied in addition to the data store-specific rules.

To complete step 3, click NEXT.

In step 4 (storage compatibility), yu have the compatibility and incompatibility of your Hosted Private Cloud VMware on OVHcloud datacentre (Dedicated Cloud).

When you have finished checking the compatibility of your storage space, click NEXT.

Click FINISH to finish the last step (step 5).

Once you have created your policy, you can now enable encryption on one of your virtual machines.

Locate the virtual machine (VM) you want to encrypt. Turn it off if it is on (mandatory).

Right-click the selected virtual machine to display the shortcut menu or click ACTIONS.

Then select VM Policies.

Next, choose Modify VM storage strategies.

This will open a window or panel where you can modify the storage policies of the VM selected.

Search for encryption or security options in storage policies to enable KMS encryption for this VM.

If you deploy a new VM from an OVHcloud template, you have several choices for encrypting your VM:

• Thick Provision Lazy Zeroed.
• Thin Provision.
• Thick Provision Eager Zeroed.

Choose the one that suits you best, if you have any doubts, use this guide: Which disk format to choose.

Tick the Encrypt this VM box.

After making the necessary changes, save the changes and close the window.

You have now edited the VM storage policies and enabled KMS encryption for your server. A small padlock on your virtual machine’s summary information confirms this.

You should now clearly see a small padlock in the general view of your VM as well as in the description of the encryption.

This confirms that your policy works with the OKMS server and that encryption is enabled.