VMware vSphere

Hello,

I want to the the new VM Encryption. To be able to activate it, I will have to specify a "Key Management Server" in the vCenter Configuration.

I don't have a KMS at the moment and looking for a tiny KMS to test.

Is there any compatible (maybe freeware) tool available which can be installed quickly (maybe in Windows 10)?

Which KMS would work?

HyTrust has a free license for their KeyControl product. Check the blog post here.

Thanks, but where can I download HyTrust KeyControl?

Any other Key Server which runs under Windows is not available for free maybe Not necessary to be an officially supported one in my test environment.

If you follow the link in the article to the product page, it'll take you to a request form you have to complete. There are no KMS for Windows that I know of. KeyControl comes as an OVA that is small and lightweight and easy to deploy.

I would need the KMS in an operating system, which I can fully encrypt by VeraCrypt (or something comparable).

Why is that?

I want to run the KSM in a VM on my ESXi and fully encrypt it (boot password by VeraCrypt needed, everytime the VM starts).

So if someone comes and steals my server he can't access any of the encrypted VMs, cause the KMS can't be booted.

Or is there a solution like this also possible using HyTrust KMS?

KMS systems are management functionality, so those should run in a dedicated management cluster. But if you're worried about physical theft, then you probably should be using TPM/TXT in your host.

If my server is physical stolen, then I think it would be stolen including the TPM/TXT chip on the mainboard. So that won't help me, to protect?

Or how do you think?

One of the features of TPM/TXT is trusted geolocation. Several vendors support this already.

That could be interesting, but does not help me.

I am looking for an other solution. Maybe some othere ideas?

KMS servers are by design secure. HyTrust for example has a secured OS and disk data and would be virtually impossible to hack into and obtain key information from. They are FIPS 140-2 compliant out of the box, meaning they are good enough for Federal deployments, without any additional encryption applied on top. I think this should be a perfectly secure option for you to deploy! :-)

HyTrust has both an OVA that you can import into vCenter and an ISO image that you can mount as an ISO for loading onto Windows if you'd prefer. Most chose to import the lightweight OVA and you can have encryption enabled for both vSphere 6.5 and vSAN 6.6 enabled in about 20 minutes time.

Dear friend,

i contacted Hytrusts to get a free or trial license but they did not response to my request and there is nowhere where i can download ISO file or OVA from the internet, can you please help me with download link for ISO file or OVA template. i need it for my lab testing.

Looking forward to hearing from you.

thanks in advance

kinds regards

Ad buurman

Hi Ad,

Go here. The link you went to was probably off our main HyTrust portal that goes to a webform to fill out. That webform then goes to our ISR team that looks at it. Instead, go here: https://hytrust.com/keycontrol. This will allow you to register, which generates an email to you with a link you can click on to download the software. Sorry about the confusion. I'm working with our internal folks to have a better process of the main portal.

Hope this helps and feel free to reach out to me on the vExpert Slack channel if you have any questions.

-Vic Camacho

@Virtual_Vic

Yes it's working, thank you very much for the time and support

Kinds regards

Ad

Ah yes, I understand your point about stealing the server now. You are saying that if they steal the physical box on which the KMS is deployed, they should be able to start any encrypted VMs that are also hosted on that box.

That is not true. With VM encryption, vCenter is required to push the keys to the ESXi hosts in order to unlock and encrypted VMs. As long as your vCenter and KMS are not hosted on the same ESXi, you do not have a complete supply chain to get keys to the hosts. Without the keys, the VMs will remain encrypted. You will not be able to forcibly retrieve the keys from the KMS server either.

So, you could just simply enforce an Anti-affinity rule that keeps your vCenter and KMS on physically separate at all time.