EdSp
Enthusiast

Native Key Provider


When using a real KMS, the guidance would always be to have the KMS appliance VM hosted on a server outside a vSAN cluster that you are encrypting.

Is there confirmation that when using the Native Key Provider, this guidance no longer holds? I.e. I can now use the vSAN cluster’s vCenter to provide the NKP to encrypt that same cluster?

I did cold boot a node (the one with the VCSA) in an NKP-encrypted cluster, which came back up without issue.

Tx,

Ed


Accepted Solutions
depping
Leadership

You are correct, for the NKP this is different, mainly as the NKP is not a KMS, so the dependency is completely different 🙂


8 Replies
EdSp
Enthusiast

For the same reasons, is it correct to expect that it is also supported without issue for a stretched cluster then?

ggovek
Enthusiast

Hi,

I have a question about Configuring and Managing vSphere Native Key Provider.

Before we configure the Native Key Provider in the vCenter Server, does TPM 2.0 need to be enabled on the ESXi server?

I can't find this information in the documentation below:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-473...

depping
Leadership

AFAIK TPM is not a requirement for the Native Key Provider. If you have a TPM it will use it though, and it is recommended from a security point of view.
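
A pre-check that goes with the answer above, added here as an example and not taken from the thread or from VMware documentation: before configuring the Native Key Provider, inventory which hosts actually expose a TPM 2.0 to vCenter and what their current host encryption state is, so you know up front which hosts will get a TPM-backed key and which will not. It assumes PowerCLI is installed, that you can reach vCenter (the server name is a placeholder), and it reads only the HostCapability and HostRuntimeInfo properties of the vSphere API.

```powershell
# Added example, not part of the original forum thread.
# Assumption: PowerCLI is installed and 'vcenter.example.local' is your vCenter.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$report = Get-VMHost | ForEach-Object {
    $h   = $_.ExtensionData      # HostSystem managed object view
    $cap = $h.Capability         # vSphere API: HostCapability
    $rt  = $h.Runtime            # vSphere API: HostRuntimeInfo
    [pscustomobject]@{
        Host          = $_.Name
        TpmSupported  = $cap.TpmSupported                 # HostCapability.tpmSupported
        TpmVersion    = $cap.TpmVersion                   # '2.0' when a TPM 2.0 is present and enabled in firmware
        CryptoState   = $rt.CryptoState                   # incapable | prepared | safe | pendingIncapable
        KeyProviderId = $rt.CryptoKeyId.ProviderId.Id     # empty until a host key has been issued
    }
}

$report | Sort-Object Host | Format-Table -AutoSize

# A host without a TPM can still take part (TPM is not required for NKP),
# but flag it so the gap is a deliberate choice rather than a surprise.
$noTpm = $report | Where-Object { -not $_.TpmSupported -or $_.TpmVersion -ne '2.0' }
if ($noTpm) {
    Write-Warning ("Hosts without an enabled TPM 2.0: " + ($noTpm.Host -join ', '))
}
```

Run it once before enabling NKP and again after you enable TPM 2.0 in a host's firmware and reboot it: if TpmVersion flips to 2.0 on the rebooted host, vCenter picked up the hardware change without a disconnect/reconnect.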

ggovek
Enthusiast

OK, thanks for your information!

But if we enable TPM 2.0 on the ESXi server, do we need to disconnect and reconnect the host to vCenter Server and then configure NKP?

depping
Leadership

I have never gone through that process unfortunately, but I would think that vCenter picks it up automatically after you enable it and reboot the host. The host will report the hardware normally.

depping
Leadership

@ggovek wrote:

    Hi,

    I have a question about Configuring and Managing vSphere Native Key Provider.

    Before we configure the Native Key Provider in the vCenter Server, does TPM 2.0 need to be enabled on the ESXi server?

    I can't find this information in the documentation below:

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-2F18E7A0-707F-473...

I was just pointed to this page: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400...

It indeed states that TPM is not a requirement. I have also asked to get it posted on the page you mentioned, ggovek.

Belkacem1
Contributor

Hello

If we don't use TPM on the ESXi hosts and they lose access to the vCenter Server, can they still recover?
