Hytrust VMware Virtual Machine Encryption
As we have covered in previous posts, VMware virtual machine encryption requires an external key manager. There has been work done to allow testing this feature out by way of a cool Docker container key manager. However, for those really wanting to test out a production-ready key management server, Hytrust KeyControl is a production-ready solution that provides a powerful means of instituting VMware virtual machine encryption. Let’s take a look at Hytrust VMware Virtual Machine Encryption, its installation and features.
Hytrust VMware Virtual Machine Encryption Installation
One of the really nice things about Hytrust KeyControl is that you can request KeyControl for no license fee from Hytrust. Simply fill out the form located here and sales will reach out to you shortly with a license key. Hytrust KeyControl provides really great features for those looking to institute VMware encryption, such as:
- Easy provisioning via an OVA appliance
- FIPS 140-2 Level 1 validated
- FIPS 140-2 Level 3 compliance via HSM support
- Administration via snappy UI and REST API interface for KMIP keys management
- Ability to cluster KeyControl servers
Let’s take a look at the installation process, including deploying the Hytrust KeyControl OVA appliance and the initial setup steps. The OVA deployment process follows the usual “next, next, finish” approach. Below, let’s just highlight a few of the notables. On step 5 we have the Configuration option that basically sizes the appliance. Here I am accepting the default configuration, which is Recommended. It includes 2 vCPUs and 8GB of memory.
The other configuration to note is the Customize Template configuration, where we specify the Network Properties of the appliance.
Note how I configured the KeyControl system hostname with the FQDN. This causes issues, as you will see in the following screenshots.
After finalizing the configuration, we boot the appliance. Also, since I was deploying this in a home lab, I adjusted the configured memory of the Recommended configuration down to 4 GB and didn’t see a problem doing that.
After the appliance booted, I saw the following. The network configuration does not like an FQDN for the Hostname. Once I changed this to simply a “NETBIOS” name, it accepted it and finalized the configuration.
After the appliance finishes configuring and booting, browse out to the hostname of the appliance.
The default username and password for the appliance is secroot/secroot.
Configuring Hytrust KeyControl for VMware Virtual Machine Encryption
To configure Hytrust KeyControl for VMware virtual machine encryption, we simply need to flag on a couple of options, set up a user account, and download a certificate bundle for the user. To make the configuration changes Hytrust needs for VMware virtual machine encryption, we navigate to the KMIP tab and make the following changes.
For me, the Advanced Clustering option was already set to ENABLED. So, I only made the other two changes as documented, setting the State to Enabled and the Protocol to Version 1.1.
Adding a User Account for Virtual Machine Encryption
After flagging on the appropriate options in the KMIP configuration, we need to add a user account to use for establishing trust with vCenter. This is configured on the KMIP tab, Users page. Select the Actions menu and choose Create User.
To create a new user, we simply set the username and the Cert Expiration date. DO NOT set the Password. Click the Create button.
Click on the user you just created, then choose the Actions menu again and select the Download Certificate option.
Establishing Trust between Hytrust KeyControl and vCenter Server
To get started adding a KMS server in vCenter, in the Web Client, click on your vCenter server >> Configure >> Key Management Servers. Then click the Add KMS button. Create a name and add the address of the Hytrust KeyControl server.
vCenter will ask if you want it to be the default.
After adding it, we need to Establish trust with the KMS server we have added by clicking the button.
The Establish Trust With KMS box will launch. Click the Upload certificate and private key option at the bottom.
Here we will use the certificate downloaded from the Hytrust KeyControl server. Upload the .pem file for the user created to both the certificate and private key boxes.
We should now see that trust has been established between the Hytrust server and vCenter with “green checks”.
We can now follow the normal process of encrypting a virtual machine by setting the storage policy. In the Audit tab of Hytrust, after we encrypt a virtual machine, you can see the encryption process as it happens from the Hytrust side.
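Before uploading the .pem bundle in the Establish Trust dialog, it is worth confirming that the file really carries both a certificate and an unencrypted private key, and that the certificate (whose expiration you chose when creating the KeyControl user) has not already expired, since vCenter loses its trust with the KMS once it does. The following is an added example, not code from the post or from Hytrust; it uses only the Python standard library, assumes the downloaded .pem is a plain concatenation of PEM blocks, and the sample bundle at the bottom is a constructed DER skeleton built only to exercise the parser, not a real certificate.

```python
import base64, re
from datetime import datetime, timezone
# One PEM block; the BEGIN and END labels (CERTIFICATE, PRIVATE KEY, ...) must agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}  # unencrypted: the user has no password

def split_pem_bundle(text):
    """Return {label: [DER bytes, ...]} for every PEM block found in the bundle."""
    blocks = {}
    for label, body in PEM_RE.findall(text):
        blocks.setdefault(label, []).append(base64.b64decode("".join(body.split())))
    return blocks

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                    # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    _, _, pos = _tlv(der, pos)              # notBefore (skipped)
    tag, start, end = _tlv(der, pos)        # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check_bundle(text, now=None):
    """Report whether the bundle has exactly one certificate, a private key, and an unexpired cert."""
    now = now or datetime.now(timezone.utc)
    blocks = split_pem_bundle(text)
    certs = blocks.get("CERTIFICATE", [])
    not_after = cert_not_after(certs[0]) if certs else None
    expired = not_after is not None and not_after <= now
    has_key = any(label in KEY_LABELS for label in blocks)
    return {"one_certificate": len(certs) == 1, "private_key": has_key, "not_after": not_after,
            "expired": expired, "ok": len(certs) == 1 and has_key and not expired}
# Constructed sample: a minimal unsigned DER certificate skeleton (notAfter 2030-12-31) plus a dummy key blob.
_TBS = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00\x30\x1e\x17\x0d200101000000Z\x17\x0d301231235959Z"
SAMPLE_DER = b"\x30" + bytes([len(_TBS) + 2]) + b"\x30" + bytes([len(_TBS)]) + _TBS
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n"
                 "-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
```

The walk in cert_not_after only reads the validity field; it does not verify the signature or that the private key matches the certificate, so treat a passing report as a sanity check before the upload, not as proof the bundle is trustworthy.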
Thoughts
The Hytrust VMware Virtual Machine Encryption solution is very slick. The OVA appliance deploys very quickly and is easily configurable. The web interface of KeyControl is also very intuitive, and I found the documentation on the Hytrust site for configuring KeyControl for VMware virtual machine encryption to be accurate and easy to follow. Within only a few minutes I was able to get up and running with Hytrust KeyControl and had a virtual machine encrypted. This solution offers a lot of powerful features, including clustering. Without support, the solution is free. Support for Hytrust KeyControl is a paid-for product, so if using it in production, support is more than likely something you will want to include. Otherwise, to have the product free of charge and be able to get up and running quickly with virtual machine encryption is very cool.