Configure VMware vSphere Encryption Key Management Server Cluster

0

One of the exciting features with vSphere 6.5 is the ability to perform virtual machine encryption. We have already taken a look at Hytrust KeyControl as a great way to perform virtual machine encryption. When thinking about virtual machine encryption and the high availability aspect of the solution, we want to make sure to have more than one server hosting the KMS infrastructure. Hytrust has this functionality built into the product as when you install the first KeyControl server, it installs the KeyControl “cluster”. Let’s take a look at the steps required to configure VMware vSphere encryption key management server cluster using Hytrust KeyControl.

Architecture of the HyTrust KeyControl Cluster

The HyTrust KeyControl cluster setup can function as a single node cluster but it is recommended to configure the active-active setup by adding another node to the cluster configuration. HyTrust supports any number of nodes, however at a minimum, most customers will want to configure at least two nodes.

When you log into any HyTrust KeyControl node and make changes, those changes are automatically replicated to all other nodes in the cluster. To setup a multi-node HyTrust KeyControl cluster, all nodes need to run the same version of HyTrust KeyControl.

When it comes to upgrading the HyTrust KeyControl cluster, according the latest documentation I could find from HyTrust, they only support “upgrading” one KeyControl node. Also, you can only upgrade to the next successive version and not make jumps over to the newest if you have not kept upgraded to the successive iterative releasses.

Configure VMware vSphere Encryption Key Management Server Cluster

First, off, you will need to install your first Hytrust KeyControl server.  Take a look at the post we have already written covering how to do that here.  Now, we need to follow the same steps to deploy a second Hytrust KeyControl KMS server for use in joining the KMS cluster.  The following steps are taken after the initial deployment of the OVA appliance to bring online the second KeyControl server.

Login to the direct console of the newly deployed HyTrust KeyControl appliance.  You should see the message asking if you want to add this system as a new node to an existing KeyControl cluster.

Begin-the-process-to-connect-the-new-HyTrust-KeyControl-server-to-the-cluster Configure VMware vSphere Encryption Key Management Server Cluster

Begin the process to connect the new HyTrust KeyControl server to the cluster

Click OK on the “informational” message concerning HyTrust authentication.

Information-on-joining-the-existing-HyTrust-KeyControl-cluster Configure VMware vSphere Encryption Key Management Server Cluster

Information on joining the existing HyTrust KeyControl cluster

Next, we enter a description for the new HyTrust KeyControl node.  This is helpful if you have nodes spread across geographic regions.  The description can provide a means to easily identify them.

Enter-a-description-for-the-new-HyTrust-KeyControl-KMS-server Configure VMware vSphere Encryption Key Management Server Cluster

Enter a description for the new HyTrust KeyControl KMS server

The next screen has you enter the IP address or hostname for existing KeyControl cluster node.

Enter-the-IP-or-hostname-of-the-existing-HyTrust-KeyControl-cluster-node Configure VMware vSphere Encryption Key Management Server Cluster

Enter the IP or hostname of the existing HyTrust KeyControl cluster node

If you have any issues with DNS configured on your new appliance, you will see an error similar to the below indicating a failure connecting to the specified FQDN.

Make-sure-you-have-DNS-setup-correctly-if-using-FQDN-or-you-may-receive-an-error Configure VMware vSphere Encryption Key Management Server Cluster

Make sure you have DNS setup correctly if using FQDN or you may receive an error

If you have Require Authentication Passphrase set to Yes, you will need to enter a passphrase that will be used in the webGUI to finish out the join of the new node to the cluster.

Enter-a-security-configuration-passphrase-for-joining-the-existing-HyTrust-KeyControl-cluster Configure VMware vSphere Encryption Key Management Server Cluster

Enter a security configuration passphrase for joining the existing HyTrust KeyControl cluster

After configuring the new passphrase, you will be directed to complete authentication in the webGUI.

Initial-configuration-complete-will-need-to-finish-in-the-webGUI Configure VMware vSphere Encryption Key Management Server Cluster

Initial configuration complete will need to finish in the webGUI

In the existing HyTrust KeyControl node, navigate to Cluster >> Servers.  You will see the new node listed.  However, note the authenticated column.  You will see the status of No.

Navigate-to-clusters-and-servers-to-see-the-status-of-HyTrust-KeyControl-cluster-nodes Configure VMware vSphere Encryption Key Management Server Cluster

Navigate to clusters and servers to see the status of HyTrust KeyControl cluster nodes

Click the new server.  Then click Actions >> Authenticate.

Authenticating-the-new-HyTrust-KeyControl-server-node Configure VMware vSphere Encryption Key Management Server Cluster

Authenticating the new HyTrust KeyControl server node

This will launch the Authenticate Cluster box.  Enter the passphrase you created in the direct console configuration.  Then click the Authenticate button.

Enter-the-HyTrust-KeyControl-authentication-phrase Configure VMware vSphere Encryption Key Management Server Cluster

Enter the HyTrust KeyControl authentication phrase

After authenticating, you will see the Status showing as Online and the Authenticated status as Yes.

After-authenticating-the-new-HyTrust-KeyControl-node-should-show-as-online-and-authenticated Configure VMware vSphere Encryption Key Management Server Cluster

After authenticating the new HyTrust KeyControl node should show as online and authenticated

We now have a functioning HyTrust KeyControl active-active cluster configured.

Concluding Thoughts

The new virtual machine encryption feature found in VMware vSphere 6.5 is an exciting new feature. It requires the use of the key management server for encryption keys. HyTrust is one of the recommended and approved KMS vendors with their KeyControl product. Having the ability to stand up a “cluster” using the built in HyTrust KeyControl functionality is a great way to provide vmware encryption high availability to the key management server infrastructure. With KeyControl, the process to configure VMware vSphere encryption Key Management Server cluster is quite straightforward and can be accomplished in just a few minutes.  Fill out the form here to obtain a copy of the HyTrust KeyControl server appliance.