Introducing the vSphere Native Key Provider
VMware vSphere has serious data-at-rest protections, like vSAN Encryption, VM encryption, and virtual TPMs (vTPM) for workloads. Many customers are successfully using these features as part of their data-at-rest security strategies. As vTPM use grows, through interest in security and mandates as part of compliance, we asked customers who weren’t using data-at-rest encryption what was holding them back. What did they tell us? “It’s not easy enough.”
Challenge accepted! With vSphere 7 Update 2 we are proud to introduce the vSphere Native Key Provider, a mechanism to enable vTPM, VM Encryption, and vSAN Encryption that exists completely within vSphere itself. It is driven by vCenter Server and clustered ESXi hosts and, to vSphere, enables nearly the same functionality as with a traditional Key Management Service (KMS). With this, customers of all sizes have better access to encryption technologies.
How does it work?
Pretty simple. In the vSphere Client, browse to the vCenter Server’s “Configure” tab, choose “Key Providers” on the left, and then add a new Native Key Provider:
Follow the prompts, and be sure to protect both the password you choose and the encryption key file that is downloaded as part of the initial backup. Lose either one and it will be impossible to recover your encrypted workloads if there is a problem. You will not be able to use the key provider until you have backed it up at least once.
Is it right for you?
Security is usually a tradeoff in some way, and this is no different. We say that Native Key Provider is not intended as a replacement for a KMS, mostly because it only serves vSphere, whereas a KMS can also serve other infrastructure like storage arrays, tape libraries, and so on. It is intended as an easy way to add encryption capabilities in environments where that makes sense, and to help folks grow into better security practices. It will be great for some customers but not right for everyone. Traditional KMS implementations offer different things to different customers, like a hardware root of trust via their hardware security modules (HSMs), redundancy, better resiliency, APIs and KMIP support, and a wide range of compliance validations. Most notably, a traditional KMS can serve multiple systems across an organization, while vSphere Native Key Provider can only serve vSphere itself. If you have a tape library, storage array, or other system that needs a KMS, you will still need a true KMS.
All that said, though, this is a nice option to enable on-disk encryption with VM Encryption, vSAN Encryption, and vTPM for customers of all sizes.
More Information
For more information check out our Introduction to vSphere Native Key Provider video on our vSphere YouTube Channel (now with sound, thank you to those who reached out!):