Using multiple KMS clusters in vCenter

VMware vCenter Server allows you to create multiple KMS clusters, but does not currently provide a policy-based mechanism by which you can direct particular objects to be protected by a specific KMS cluster. Instead, for both vSphere and vSAN encryption, all new objects requiring encryption are protected by the default KMS cluster.

However, VMware architect Mike Foley has provided us with some helpful PowerCLI ammunition which we can leverage in order to rekey objects under the protection of the KMS cluster of our choice. You can use this approach either to manage multiple KMS connections, or alternatively to migrate from one KMS to another without decrypting your resources. Here are the steps that I’ve used to test this capability:

First, you need to connect vCenter to each of your KMS clusters. You can leverage the same client certificate or different client certificates, as you wish. If you are configuring multiple connections to the same key manager, you will need to distinguish these connections with their own username and password. Choose one of your KMS clusters to be the default key provider. Using the VMEncryption module’s Get-KMSCluster cmdlet, you can now see you are connected to two clusters:

PS /Users/smoonen/vmware> Get-KMSCluster

Name                      DefaultForSystem     ClientCertificateExpiryDate
----                      ----------------     ---------------------------
management-kms            False                4/5/2030 5:33:48 PM
workload-kms              True                 4/5/2030 5:51:42 PM

Here you can see we have created two VMs that are both protected by the default KMS cluster:

PS /Users/smoonen/vmware> Get-VM | Select Name,KMSserver

Name        KMSserver
----        ---------
testvm-2    workload-kms
testvm-1    workload-kms

The VMEncryption module’s Set-VMEncryptionKey cmdlet allows us to rekey one of these VMs using an alternate KMS cluster:

PS /Users/smoonen/vmware> Get-VM testvm-2 | Set-VMEncryptionKey -KMSClusterId management-kms

PS /Users/smoonen/vmware> Get-VM | Select Name,KMSserver

Name        KMSserver
----        ---------
testvm-2    management-kms
testvm-1    workload-kms

Two other types of resources that we may need to rekey in this manner are hosts and vSAN clusters. If a vSphere cluster is using either vSphere or vSAN encryption, recall that your hosts are issued keys for encryption of core dumps. You can rekey your hosts using the Set-VMHostCryptoKey cmdlet:

PS /Users/smoonen/vmware> Get-VMhost | Select Name,KMSserver

Name                        KMSserver
----                        ---------
host000.smoonen.example.com management-kms
host001.smoonen.example.com management-kms

PS /Users/smoonen/vmware> Get-VMHost -Name host000.smoonen.example.com | Set-VMHostCryptoKey -KMSClusterId workload-kms

PS /Users/smoonen/vmware> Get-VMHost -Name host001.smoonen.example.com | Set-VMHostCryptoKey -KMSClusterId workload-kms

PS /Users/smoonen/vmware> Get-VMHost | Select Name,KMSserver

Name                        KMSserver
----                        ---------
host000.smoonen.example.com workload-kms
host001.smoonen.example.com workload-kms

Likewise, VMware offers a VsanEncryption module that allows you to rekey your vSAN cluster using a new KMS. The Set-VsanEncryptionKms cmdlet allows you to choose a new KMS cluster for any given vSAN cluster:

PS /Users/smoonen/vmware> Set-VsanEncryptionKms -Cluster cluster1 -KMSCluster workload-kms
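The steps above rekey one object at a time. When the goal is to retire a KMS cluster (or to move everything off the default provider), it is worth doing the whole sweep in one pass and then proving that nothing still references the old cluster before its connection is removed. The script below is an added example, not code from the original post or from Mike Foley's VMEncryption and VsanEncryption modules; it assumes a connected PowerCLI session, that both modules are imported, and that the Get-KMSCluster, Set-VMEncryptionKey, Set-VMHostCryptoKey and Set-VsanEncryptionKms cmdlets and the KMSserver property behave as shown in the output above. Because the post shows no cmdlet that lists vSAN clusters by KMS, the vSAN clusters to repoint are passed in through a hypothetical $VsanCluster parameter.

```powershell
# Added example (not from the original post or its modules): move every VM and host
# keyed by $SourceKms onto $TargetKms, repoint the named vSAN clusters, then verify
# that nothing still references $SourceKms before that KMS connection is removed.
# Assumes: Connect-VIServer has already been run, the VMEncryption and
# VsanEncryption modules are imported, and the KMSserver property on VM and host
# objects is populated as shown in the post.
param(
    [Parameter(Mandatory)] [string]   $SourceKms,        # e.g. 'management-kms'
    [Parameter(Mandatory)] [string]   $TargetKms,        # e.g. 'workload-kms'
    [string[]] $VsanCluster = @(),                       # hypothetical: vSAN clusters to repoint
    [switch]   $ReportOnly                               # list affected objects, change nothing
)

# 1. Refuse to start unless both KMS clusters are actually connected to vCenter.
$connected = Get-KMSCluster
foreach ($name in @($SourceKms, $TargetKms)) {
    if (-not ($connected | Where-Object { $_.Name -eq $name })) {
        throw "KMS cluster '$name' is not connected to this vCenter; aborting."
    }
}

# 2. Enumerate every VM and host whose keys are currently held by the source KMS.
$vms   = @(Get-VM     | Where-Object { $_.KMSserver -eq $SourceKms })
$hosts = @(Get-VMHost | Where-Object { $_.KMSserver -eq $SourceKms })
Write-Host ("{0} VM(s) and {1} host(s) are keyed by {2}" -f $vms.Count, $hosts.Count, $SourceKms)

if ($ReportOnly) {
    $vms   | Select-Object Name, KMSserver
    $hosts | Select-Object Name, KMSserver
    return
}

# 3. Rekey one object at a time so a single failure is logged rather than aborting the sweep.
foreach ($vm in $vms) {
    try   { $vm | Set-VMEncryptionKey -KMSClusterId $TargetKms }
    catch { Write-Warning "VM $($vm.Name): $_" }
}
foreach ($h in $hosts) {
    try   { $h | Set-VMHostCryptoKey -KMSClusterId $TargetKms }
    catch { Write-Warning "Host $($h.Name): $_" }
}
foreach ($c in $VsanCluster) {
    try   { Set-VsanEncryptionKms -Cluster $c -KMSCluster $TargetKms }
    catch { Write-Warning "vSAN cluster ${c}: $_" }
}

# 4. Verify by re-reading KMSserver from vCenter rather than trusting the cmdlets' return values.
$remaining = @(Get-VM     | Where-Object { $_.KMSserver -eq $SourceKms }) +
             @(Get-VMHost | Where-Object { $_.KMSserver -eq $SourceKms })
if ($remaining.Count -gt 0) {
    $remaining | Select-Object Name, KMSserver | Format-Table -AutoSize
    throw "$($remaining.Count) object(s) still reference $SourceKms; do not remove that KMS yet."
}
Write-Host "All VMs and hosts are now keyed by $TargetKms."
```

Run it first with -ReportOnly to see what would be touched, then without. The final check is the important part: the old KMS cluster should stay connected until this script exits cleanly, since any VM or host that still points at it will be unable to obtain its keys once that connection is gone.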
