Hytrust VMware Virtual Machine Encryption

0

As we have covered in previous posts, VMware virtual machine encryption requires an external key manager.  There has been work done to allow testing this feature out by way of a cool docker container key manager.  However for those really wanting to test out a production ready key management server, Hytrust KeyControl is a production ready solution that provides a powerful means of instituting VMware virtual machine encryption.  Let’s take a look at Hytrust VMware Virtual Machine Encryption, its installation and features.

Hytrust VMware Virtual Machine Encryption Installation

One of the really nice things about Hytrust KeyControl is you can request KeyControl for no license fees from Hytrust.  Simply fill out the form located here and sales will reach out to you shortly with a license key.  Hytrust KeyControl provides really great features for those looking to institute VMware Encryption such as:

  • Easy provisioning via an OVA appliance
  • FIPS 140-2 Level 1 validated
  • FIPS 140-2 Level 3 compliance via HSM support
  • Administration via snappy UI and REST API interface for KMIP keys management
  • Ability to cluster KeyControl servers
Fill-out-the-Hytrust-KeyControl-REquest-form Hytrust VMware Virtual Machine Encryption

Fill out the Hytrust KeyControl REquest form

Let’s take a look at the installation process including deploying the Hytrust KeyControl OVA appliance and initial setup steps.  The OVA deployment process follows the usual “next, next, finish” approach.  Below, let’s just highlight a few of the notables.  On step 5 we have the Configuration option that basically sizes the appliance.  Here I am accepting the default configuration which is Recommended.  it includes 2 vCPUs and 8GB of memory.

Hytrust-KeyControl-Virtual-Machine-Encryption-Appliance-configuration Hytrust VMware Virtual Machine Encryption

Hytrust KeyControl Virtual Machine Encryption Appliance configuration

The other configuration to note is the Customize Template configuration where we specify the Network Properties of the appliance configuration.

Hytrust-KeyControl-customize-template-network-options Hytrust VMware Virtual Machine Encryption

Hytrust KeyControl customize template network options

Note how I configured the KeyControl system hostname with the FQDN.  This causes issues as you will see in the following screenshots.

Finalize-the-Hytrust-KeyControl-virtual-machine-encryption-appliance-configuration Hytrust VMware Virtual Machine Encryption

Finalize the Hytrust KeyControl virtual machine encryption appliance configuration

After finalizing the configuration, we boot the appliance.  Also, since I was deploying this in a home lab, I adjusted the configured memory on the Recommended configuration down to 4 gigs of memory and didn’t see a problem doing that.

Hytrust-KeyControl-appliance-boots Hytrust VMware Virtual Machine Encryption

Hytrust KeyControl appliance boots

After the appliance booted, I saw the following.  The network configuration does not like an FQDN for the Hostname.  Once I changed this to simply a “NETBIOS” name, it accepted it and finalized the configuration.

Hytrust-KeyControl-invalid-hostname Hytrust VMware Virtual Machine Encryption

Hytrust KeyControl invalid hostname

After the appliance finishes configuring and booting, browse out to the hostname of the appliance.

Browsing-to-the-hostname-of-our-Hytrust-KeyControl-appliance Hytrust VMware Virtual Machine Encryption

Browsing to the hostname of our Hytrust KeyControl appliance

The default username and password for the appliance is secroot/secroot.

Logging-into-the-Hytrust-KeyControl-appliance Hytrust VMware Virtual Machine Encryption

Logging into the Hytrust KeyControl appliance

Configuring Hytrust KeyControl for VMware Virtual Machine Encryption

To configure Hytrust KeyControl for VMware virtual machine encryption, we simply need to flag on a couple of options, setup a user account, and download a certificate bundle for the user.  The configuration we need to make to setup Hytrust for VMware virtual machine configuration, we navigate to the KMIP tab and make the following changes.

Enabling-KeyControl-options-to-work-with-VMware-virtual-machine-encryption Hytrust VMware Virtual Machine Encryption

Enabling KeyControl options to work with VMware virtual machine encryption

For me, the Advanced Clustering option was already set to ENABLED.  So, I only made the other two changes and documented, setting the State to Enabled and the Protocol to Version 1.1.

Making-the-changes-in-KeyControl-for-virtual-machine-encryption Hytrust VMware Virtual Machine Encryption

Making the changes in KeyControl for virtual machine encryption

Adding a User Account for Virtual Machine Encryption

After flagging on the appropriate options in the KMIP configuration, we need to add a user account to use with establishing trust with vCenter.   This is configuring on the KMIP tab, Users page.  Select the Actions menu and choose to Create User.

Create-a-User-account-in-Hytrust-to-establish-trust-with-vCenter-Server Hytrust VMware Virtual Machine Encryption

Create a User account in Hytrust to establish trust with vCenter Server

To create a new user, we simply set the username and the Cert Expiration date.  DO NOT set the Password.  Click the Create button.

Name-the-Hytrust-user-and-configure-the-certificate-expiration Hytrust VMware Virtual Machine Encryption

Name the Hytrust user and configure the certificate expiration

Click on the user you just created and then choose the Actions menu again and select the Download Certificate option.

Download-the-certificate-for-the-newly-created-user Hytrust VMware Virtual Machine Encryption

Download the certificate for the newly created user

Establishing Trust between Hytrust KeyControl and vCenter Server

To get started adding a KMS server in vCenter, in the Web client, click on your vCenter server >> Configure >> Key Management Servers.  Then click the Add KMS button.  Create a name and add the address for the Hytrust KeyControl server.

Add-Key-Management-Server-in-vCenter Hytrust VMware Virtual Machine Encryption

Download the certificate for the newly created user

vCenter will ask if you want it to be the default.

Setting-the-Hytrust-KeyControl-KMS-server-as-default Hytrust VMware Virtual Machine Encryption

Setting the Hytrust KeyControl KMS server as default

After adding, we need to Establish trust with KMS server we have added by clicking the button.

Click-the-Establish-Trust-with-KMS-button Hytrust VMware Virtual Machine Encryption

Click the Establish Trust with KMS Server button

The Establish Trust With KMS box will launch.  Click the Upload certficate and private key option at the bottom.

Choose-to-upload-the-certificate-and-private-key Hytrust VMware Virtual Machine Encryption

Choose to upload the certificate and private key

Here we will use the certificate downloaded from the Hytrust KeyControl server.  Upload the .pem file for the user created to both the certificate and private key boxes.

Upload-the-same-Hytrust-KeyControl-user-certificate-in-both-the-certificate-and-private-key Hytrust VMware Virtual Machine Encryption

Upload the same Hytrust KeyControl user certificate in both the certificate and private key

We should now see that trust has been established between the Hytrust server and vCenter with “green checks”.

After-establishing-trust-between-the-Hytrust-KeyControl-server-and-vCenter Hytrust VMware Virtual Machine Encryption

After establishing trust between the Hytrust KeyControl server and vCenter

We can now follow the normal process of encrypting a virtual machine by setting the storage policy.  In the Audit tab of Hytrust, after we encrypt a virtual machine, you can see in the process of encryption that happens from the Hytrust side.

After-encrypting-a-virtual-machine-with-Hytrust-KeyControl Hytrust VMware Virtual Machine Encryption

After encrypting a virtual machine with Hytrust KeyControl

Thoughts

The Hytrust VMware Virtual Machine Encryption solution is very slick.  The OVA appliance deploys very quickly and is easily configurable.  The web interface with KeyControl is also very intuitive and I found the documentation on the Hytrust site for configuring KeyControl for VMware virtual machine encryption to be accurate and easy to follow.  Within only a few minutes I was able to get up and running with Hytrust KeyControl and had a virtual machine encrypted.  This solution offers a lot of powerful features including clustering.  Without support the solution is free.  Support for Hytrust KeyControl is a paid for product so if using in production, support is more than likely something you will want to include.  Otherwise, to have the product free of charge and be able to get up and running quickly with virtual machine encryption is very cool.