VMware vSphere

  • 1.  Native Key Provider

    Posted May 27, 2021 11:41 AM

    When using a real KMS, the guidance would always be to have the KMS appliance VM hosted on a server outside a vSAN cluster that you are encrypting.

    Is there confirmation that when using the Native Key Provider, this guidance no longer holds? I.e. I can now use the vSAN cluster’s vCenter to provide the NKP to encrypt that same cluster?

    I did cold boot a node (the one with the VCSA) in an NKP-encrypted cluster, which came back up without issue.

    Tx,

    Ed



  • 2.  RE: Native Key Provider
    Best Answer

    Broadcom Employee
    Posted May 27, 2021 11:51 AM

    You are correct, for the NKP this is different, mainly as the NKP is not a KMS, so the dependency is completely different.



  • 3.  RE: Native Key Provider

    Posted May 28, 2021 08:22 AM

    For the same reasons, is it correct to expect that it is also supported without issue for a stretched cluster then?



  • 4.  RE: Native Key Provider

    Posted Feb 23, 2022 10:13 AM

    Hi,

    I have a question about Configuring and Managing vSphere Native Key Provider.

    Before we configure the Native Key Provider in the vCenter server, does TPM 2.0 need to be enabled on the ESXi server?

    I can't find this information in the below documentation:

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-4739-A0B4-9A363F1C3213.html



  • 5.  RE: Native Key Provider

    Broadcom Employee
    Posted Feb 23, 2022 10:28 AM

    AFAIK TPM is not a requirement for the Native Key provider. If you have TPM it will use it though and it is recommended from a security point of view.



  • 6.  RE: Native Key Provider

    Posted Feb 23, 2022 10:40 AM

    OK, thanks for your information!

    But if we enable TPM 2.0 on the ESXi server, do we disconnect and reconnect the host again from the vCenter Server and then configure NKP?



  • 7.  RE: Native Key Provider

    Broadcom Employee
    Posted Feb 23, 2022 10:52 AM

    I have never gone through that process unfortunately, but I would think that vCenter picks it up automatically after you enable it and reboot the host. The host will report the hardware normally.



  • 8.  RE: Native Key Provider

    Broadcom Employee
    Posted Feb 24, 2022 08:58 AM

     wrote:

    Hi,

    I have a question about Configuring and Managing vSphere Native Key Provider.

    Before we configure the Native Key Provider in the vCenter server, does TPM 2.0 need to be enabled on the ESXi server?

    I can't find this information in the below documentation:

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-4739-A0B4-9A363F1C3213.html



    Just was pointed to this page: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400B-A6AE-81BF3AC9DF97.html


    It indeed states that TPM is not a requirement. I have also asked to get it posted on the page you mentioned, ggovek.
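An added example (not code from this thread or from VMware): a PowerCLI check of which hosts in a cluster report a TPM, since posts 5 and 8 note that NKP does not require one but uses it when present. It assumes an existing Connect-VIServer session, uses a placeholder cluster name, and reads the TpmSupported / TpmVersion fields of HostCapability from the vSphere API.

```powershell
# Added example, not from this thread or VMware documentation.
# Inventory TPM support on the hosts of a cluster before enabling the
# Native Key Provider. Assumes PowerCLI and an existing Connect-VIServer session.
function Get-NkpTpmReadiness {
    param(
        [Parameter(Mandatory)] [string] $ClusterName   # assumed input
    )
    $vmhosts = Get-Cluster -Name $ClusterName | Get-VMHost
    foreach ($vmhost in $vmhosts) {
        # HostCapability carries the host's TPM report (tpmSupported, tpmVersion)
        $cap = $vmhost.ExtensionData.Capability
        [pscustomobject]@{
            Host         = $vmhost.Name
            State        = $vmhost.ConnectionState
            TpmSupported = [bool] $cap.TpmSupported
            TpmVersion   = if ($cap.TpmVersion) { $cap.TpmVersion } else { 'n/a' }
        }
    }
}

# Placeholder cluster name; replace with the vSAN cluster being encrypted.
$report = Get-NkpTpmReadiness -ClusterName 'vsan-cluster-01'
$report | Format-Table -AutoSize

# NKP does not require a TPM, but uses one when the host reports it, so hosts
# without one are flagged for review rather than blocking the configuration.
$noTpm = $report | Where-Object { -not $_.TpmSupported }
if ($noTpm) {
    Write-Warning ("{0} host(s) report no TPM: {1}" -f @($noTpm).Count, ($noTpm.Host -join ', '))
}
```

Run it again after enabling TPM 2.0 in firmware and rebooting a host to confirm that vCenter has picked up the change, as post 7 expects.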



  • 9.  RE: Native Key Provider

    Posted Apr 12, 2022 04:13 PM

    Hello,

    If we don't use TPM on the ESXi hosts and they lose access to the vCenter server, can they still recover?