<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Discussion - Sovereign Cloud Bring Your Own Encryption Tech Preview Community Site topics</title>
    <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/bd-p/5416</link>
    <description>Discussion - Sovereign Cloud Bring Your Own Encryption Tech Preview Community Site topics</description>
    <pubDate>Fri, 10 Nov 2023 20:39:30 GMT</pubDate>
    <dc:creator>5416</dc:creator>
    <dc:date>2023-11-10T20:39:30Z</dc:date>
    <item>
      <title>vCD 10.4.2.2 solution add on</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/vCD-10-4-2-2-solution-add-on/m-p/2993379#M30</link>
      <description>&lt;P&gt;Hi all, we are working with a Cloud Region having a fresh upgrade to vCD 10.4.2.2 and we aren't able to display the solution add on menu.&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;We have tried:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;/opt/vmware/vcloud-director/bin/cell-management-tool manage-config --name vmware.solutions.add.on.bootstrap.completed --value no&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;As per the description in the Landing Zone documentation, and we have tried to restart the vCD Cells but without result (no Solution Add On menu appears).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please, could anyone suggest another option to obtain the result?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 30 Oct 2023 17:03:32 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/vCD-10-4-2-2-solution-add-on/m-p/2993379#M30</guid>
      <dc:creator>tandoiluca</dc:creator>
      <dc:date>2023-10-30T17:03:32Z</dc:date>
    </item>
    <item>
      <title>Named disks and catalog templates encryption</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Named-disks-and-catalog-templates-encryption/m-p/2991354#M12</link>
      <description>&lt;P&gt;Although we have configured a Key Provider for an OrgVDC using the BYOE add-on, we observe that the Named Disks created on that OrgVDC and the vApp templates stored in a catalog backed-up by that OrgVDC are encrypted using the default KMS, not with the KMS associated to the Key Provider assigned to the OrgVDC.&lt;/P&gt;&lt;P&gt;Is that the expected behavior? Will Named Disks and vApp Template encryption be supported by the BYOK add-on in the GA version or future versions?&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Miguel&lt;/P&gt;</description>
      <pubDate>Tue, 17 Oct 2023 07:55:24 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Named-disks-and-catalog-templates-encryption/m-p/2991354#M12</guid>
      <dc:creator>m1gu3l</dc:creator>
      <dc:date>2023-10-17T07:55:24Z</dc:date>
    </item>
    <item>
      <title>Deep recrypt</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Deep-recrypt/m-p/2991353#M11</link>
      <description>&lt;P&gt;In Bring Your Own Encryption, when going to a key provider, selecting an OrgVDC and performing the "Change Key" operation, we have observed in vSphere that only a shallow recrypt (i.e., at KEK level) of the VMs is performed.&lt;/P&gt;&lt;P&gt;Is there a way to perform a deep recrypt (i.e., KEK + DEK)? If not, will it be included in the GA version or future versions of the add-on?&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Miguel&lt;/P&gt;</description>
      <pubDate>Tue, 17 Oct 2023 07:47:57 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Deep-recrypt/m-p/2991353#M11</guid>
      <dc:creator>m1gu3l</dc:creator>
      <dc:date>2023-10-17T07:47:57Z</dc:date>
    </item>
    <item>
      <title>KMS server registration does not work with proxy configuration</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/KMS-server-registration-does-not-work-with-proxy-configuration/m-p/2985644#M7</link>
      <description>&lt;P&gt;Dear VMware,&lt;/P&gt;&lt;P&gt;I'd like to inform you about the issue when registering a KMS server in BYOE. We have an external KMS and are configuring the proxy on BYOE when registering a KMS server, but after registering, it does not work. We checked on the VCD UI and the vCenter Key Provider: the proxy settings are not saved, and the proxy settings are always empty on VCD and vCenter. To fix it, we have to configure vCenter access to the internet directly to finish the Register external KMS server without Proxy settings. We are using VCD 10.5 GA.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Sep 2023 03:51:03 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/KMS-server-registration-does-not-work-with-proxy-configuration/m-p/2985644#M7</guid>
      <dc:creator>nhutphan1987</dc:creator>
      <dc:date>2023-09-07T03:51:03Z</dc:date>
    </item>
    <item>
      <title>Cannot create an instance of Bring Your Own Encryption with UI</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Cannot-create-an-instance-of-Bring-Your-Own-Encryption-with-UI/m-p/2985642#M6</link>
      <description>&lt;P&gt;Dear VMware team,&lt;/P&gt;&lt;P&gt;I'd like to inform you about the issue when I tried to create the instance of BYOE with the GUI following your Tech Preview Document. We cannot create an instance of BYOE with the UI; the error shows "can not research Public URL of VCD".&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nhutphan1987_0-1694055084474.png" style="width: 400px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/103410i2DC4B5820414DAE7/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="nhutphan1987_0-1694055084474.png" alt="nhutphan1987_0-1694055084474.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;We created an instance of BYOE with the CLI successfully; we used a Linux host in the same Organization VDC of the Solution Landing Zone to do that. We are using VCD 10.5 GA.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nhutphan1987_1-1694056350223.png" style="width: 400px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/103411i18DDCA8EBA1A27BD/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="nhutphan1987_1-1694056350223.png" alt="nhutphan1987_1-1694056350223.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nhutphan1987_2-1694057032613.png" style="width: 400px;"&gt;&lt;img src="https://communities.vmware.com/t5/image/serverpage/image-id/103412i1A7D661432FB3A69/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="nhutphan1987_2-1694057032613.png" alt="nhutphan1987_2-1694057032613.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Sep 2023 03:27:28 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Cannot-create-an-instance-of-Bring-Your-Own-Encryption-with-UI/m-p/2985642#M6</guid>
      <dc:creator>nhutphan1987</dc:creator>
      <dc:date>2023-09-07T03:27:28Z</dc:date>
    </item>
    <item>
      <title>Feedback on BYOEaaS</title>
      <link>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Feedback-on-BYOEaaS/m-p/2984483#M1</link>
      <description>&lt;P&gt;I've reviewed the documentation - thanks - but haven't had a chance to test this yet.&lt;/P&gt;&lt;P&gt;It's interesting to me that this solution exists in a space in between provider and tenant. Unlike the org SSO configuration, there is some responsibility on the provider's part to establish connectivity to the KMS. However, there is still a tenant responsibility to authenticate with the KMS.&lt;/P&gt;&lt;P&gt;In the enterprise context, I can understand why this might be a good arrangement. However, in a cloud context, it is likely that the cloud provider is managing both Director and the KMS. In this case the cloud provider might have means of managing both the network connectivity to KMS as well as the authentication to KMS. As a result:&lt;/P&gt;&lt;P&gt;1. It seems desirable to me for this solution to optionally allow the provider to manage authentication instead of the tenant. In this case, the provider should be able not only to publish the KMS to a tenant org, but there should be a way to ensure that existing and new tenant VDCs are enrolled in the KMS rather than in the default key provider.&lt;BR /&gt;2. It seems highly desirable to me for APIs or CLIs to be exposed allowing the provider to automate all of this configuration. The documentation as currently written only shows UI operations.&lt;/P&gt;&lt;P&gt;In fact I had pictured that this feature would be offered by establishing a vCenter KMS connection and selecting a Key Provider per org much like vCenter today allows you to select a Key Provider per cluster. It's interesting to me that you've chosen to implement this as a solution addon instead.&lt;/P&gt;&lt;P&gt;Thanks for the opportunity to review this early!&lt;/P&gt;</description>
      <pubDate>Tue, 29 Aug 2023 18:59:57 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/Discussion-Sovereign-Cloud-Bring/Feedback-on-BYOEaaS/m-p/2984483#M1</guid>
      <dc:creator>smoonen</dc:creator>
      <dc:date>2023-08-29T18:59:57Z</dc:date>
    </item>
  </channel>
</rss>

