Configure VMware vSphere Encryption Key Management Server Cluster
One of the notable features in vSphere 6.5 is virtual machine encryption. We have already taken a look at HyTrust KeyControl as a key management server (KMS) for virtual machine encryption. When thinking about virtual machine encryption, the availability of the KMS matters: vCenter must be able to reach a KMS to power on encrypted virtual machines, so we want more than one server hosting the KMS infrastructure. HyTrust builds this into the product: installing the first KeyControl server creates the KeyControl "cluster", and additional nodes join it. Let's take a look at the steps required to configure a VMware vSphere encryption key management server cluster using HyTrust KeyControl.
Architecture of the HyTrust KeyControl Cluster
The HyTrust KeyControl cluster can function with a single node, but the recommended configuration is active-active with at least one additional node. HyTrust supports any number of nodes; at a minimum, most customers will want two, so that the loss of one node does not leave vCenter without a reachable KMS.
When you log into any HyTrust KeyControl node and make changes, those changes are automatically replicated to all other nodes in the cluster. To set up a multi-node HyTrust KeyControl cluster, all nodes must run the same version of HyTrust KeyControl.
When it comes to upgrading the HyTrust KeyControl cluster, according to the latest documentation I could find from HyTrust, they only support "upgrading" one KeyControl node. Also, you can only upgrade to the next successive version; you cannot jump to the newest version if you have not kept up with the successive releases.
Configure VMware vSphere Encryption Key Management Server Cluster
First off, you will need to install your first HyTrust KeyControl server. Take a look at the post we have already written covering how to do that here. Now, we follow the same steps to deploy a second HyTrust KeyControl KMS server that will join the KMS cluster. The following steps are taken after the initial deployment of the OVA appliance to bring the second KeyControl server online.
Log in to the direct console of the newly deployed HyTrust KeyControl appliance. You should see a message asking whether you want to add this system as a new node to an existing KeyControl cluster.
Click OK on the “informational” message concerning HyTrust authentication.
Next, enter a description for the new HyTrust KeyControl node. This is helpful if you have nodes spread across geographic regions, since the description provides an easy way to identify them.
The next screen asks for the IP address or hostname of an existing KeyControl cluster node.
If DNS is not configured correctly on the new appliance, the join fails with an error indicating that the appliance could not connect to the specified FQDN. Verify that the new node can resolve and reach the existing node before continuing.
If you have Require Authentication Passphrase set to Yes, you will need to enter a passphrase that will be used in the webGUI to finish joining the new node to the cluster. Treat this passphrase as a secret and share it with the administrator of the existing node out of band, since it is what authorizes the new node to join the cluster.
After setting the passphrase, you are directed to complete authentication in the webGUI.
In the existing HyTrust KeyControl node, navigate to Cluster >> Servers. The new node is listed, but note that the Authenticated column shows No.
Click the new server. Then click Actions >> Authenticate.
This launches the Authenticate Cluster dialog. Enter the passphrase you created in the direct console configuration, then click the Authenticate button.
After authenticating, the Status column shows Online and the Authenticated column shows Yes.
We now have a functioning HyTrust KeyControl active-active cluster. Remember to register both nodes in the KMS cluster you configure in vCenter; otherwise vCenter still depends on a single KeyControl server even though KeyControl itself is clustered.
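The join fails if the new appliance cannot resolve or reach the existing node, so it is worth checking that before typing the hostname into the direct console. The script below is an added example, not HyTrust's code or anything from the original post: run it from a host on the same network as the new appliance (it uses only the Python standard library) and it reports whether the existing node's FQDN resolves and whether its webGUI port (443, where the join is authenticated) and KMIP port (5696, the IANA-registered port vCenter uses to talk to the KMS) accept TCP connections. The hostname `kms01.lab.local` is a placeholder; the two port numbers are the standard ones, but confirm them against your own KeyControl configuration and firewall rules.

```python
import socket
import sys

# Ports to verify on the existing KeyControl node. 443 is the webGUI used to
# authenticate the join; 5696 is the standard KMIP port. Both are assumptions
# about a default KeyControl deployment and should be checked against yours.
HTTPS_PORT = 443
KMIP_PORT = 5696


def resolve(hostname):
    """Return the IPv4 address the local resolver gives for hostname, or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unreachable network, etc.
        return False


def preflight(existing_node, ports=(HTTPS_PORT, KMIP_PORT), timeout=3.0):
    """Check DNS resolution and TCP reachability of an existing cluster node.

    Returns a report dict: {"host": ..., "ip": str|None, "ports": {port: bool}}.
    If the name does not resolve, no port checks are attempted.
    """
    report = {"host": existing_node, "ip": resolve(existing_node), "ports": {}}
    if report["ip"] is None:
        return report
    for port in ports:
        report["ports"][port] = tcp_reachable(report["ip"], port, timeout)
    return report


def join_ready(report):
    """True only if the name resolved and every checked port was reachable."""
    return report["ip"] is not None and bool(report["ports"]) and all(
        report["ports"].values()
    )


def main(argv):
    node = argv[1] if len(argv) > 1 else "kms01.lab.local"  # placeholder FQDN
    report = preflight(node)
    if report["ip"] is None:
        print(f"{node}: DNS resolution failed; fix DNS on the new appliance first")
        return 1
    print(f"{node} -> {report['ip']}")
    for port, ok in report["ports"].items():
        print(f"  tcp/{port}: {'open' if ok else 'NOT reachable'}")
    print("ready to join" if join_ready(report) else "NOT ready to join")
    return 0 if join_ready(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A failure on 443 with the name resolving correctly usually points at a firewall between the two nodes rather than DNS; a failure on 5696 alone will not block the join but will break vCenter's ability to fetch keys from that node once it is registered.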
Concluding Thoughts
The virtual machine encryption feature in VMware vSphere 6.5 requires a key management server to hold the encryption keys, and HyTrust KeyControl is one of the recommended and approved KMS products. The built-in KeyControl clustering is a straightforward way to provide high availability for the key management infrastructure behind VMware VM encryption: configuring a VMware vSphere encryption Key Management Server cluster with KeyControl takes just a few minutes. Fill out the form here to obtain a copy of the HyTrust KeyControl server appliance.