VMware Cloud Community
EdSp
Enthusiast
Enthusiast
‎05-27-2021 04:40 AM
Jump to solution

Native Key Provider

When using a real KMS, the guidance would always be to have the KMS appliance VM hosted on a server outside a vSAN cluster that you are encrypting.

Is there confirmation that when using the Native Key Provider, this guidance no longer holds? I.e. I can now use the vSAN cluster’s vCenter to provide the NKP to encrypt that same cluster?

I did cold boot a node (the one with the VCSA) in an NKP-encrypted cluster, which came back up without issue.

Tx,

Ed

Labels (1)
Labels

  • vi

Reply
0 Kudos
1 Solution

Accepted Solutions
depping
Leadership
Leadership
‎05-27-2021 04:51 AM
Jump to solution

you are correct, for the NKP this is different, mainly as the NKP is not a KMS, so the dependency is completely different 🙂

View solution in original post

Reply
8 Replies
depping
Leadership
Leadership
‎05-27-2021 04:51 AM
Jump to solution

you are correct, for the NKP this is different, mainly as the NKP is not a KMS, so the dependency is completely different 🙂

Reply
EdSp
Enthusiast
Enthusiast
‎05-28-2021 01:22 AM
Jump to solution

For same reasons, is it correct to expect that it is also supported without issue for a stretched cluster then? 

Reply
0 Kudos
ggovek
Enthusiast
Enthusiast
‎02-23-2022 02:12 AM
Jump to solution

Hi,

I have a question about Configuring and Managing vSphere Native Key Provider.

Before we configure the Native Key Provider in the vCenter server, whether TPM 2.0 needs to be enabled on the ESXi server?

I can't find this information in bellow documentation:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-473...

Tags (1)
Reply
0 Kudos
depping
Leadership
Leadership
‎02-23-2022 02:27 AM
Jump to solution

AFAIK TPM is not a requirement for the Native Key provider. If you have TPM it will use it though and it is recommended from a security point of view.

Reply
ggovek
Enthusiast
Enthusiast
‎02-23-2022 02:40 AM
Jump to solution

OK, thanks for your information!

But if we enable TPM 2.0 on the ESXi server, do we disconnect and reconnect the host again from the vCenter Server and then configure NKP?

Reply
0 Kudos
depping
Leadership
Leadership
‎02-23-2022 02:52 AM
Jump to solution

I have never gone through that process unfortunately, but I would think that vCenter picks it up automatically after you enable it and reboot the host. The host will report the hardware normally.

Reply
0 Kudos
depping
Leadership
Leadership
‎02-24-2022 12:58 AM
Jump to solution

@ggovek wrote:

Hi,

I have a question about Configuring and Managing vSphere Native Key Provider.

Before we configure the Native Key Provider in the vCenter server, whether TPM 2.0 needs to be enabled on the ESXi server?

I can't find this information in bellow documentation:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-473...

 

 

Just was pointed to this page: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400...

 

it indeed states that TPM is not a requirement. Have also asked to get it posted on the page you mentioned ggovek.

Reply
0 Kudos
Belkacem1
Contributor
Contributor
‎04-12-2022 09:12 AM
Jump to solution

Hello

if we don't use TPM on the ESXi hosts and they lose access to the vcenter server, can they still recover?

Reply
0 Kudos