Configuring vSAN encryption using Thales KMS

To encrypt data at rest using vSAN encryption, one option is to use the Next Generation KeySecure Image, a Thales Key Management Service (KMS).

Access and install the Next Generation KeySecure Image KMS

After you purchase the KMS, you receive an email message from Thales. Click Accept this invitation to access privileges to the k170v-image-read Google group.

To access a KeySecure image, you might need to copy the image to another account. To do this, create a Compute Engine image from a zipped disk image. To get permission to zipped disk images, contact your sales manager or support.

Create an image from a zipped KeySecure image

To create an image from the source URI gs://kylo-images/k170v-2411-20181031022613.tar.gz, run the following command:

gcloud compute images create image-name --source-uri gs://kylo-images/k170v-2411-20181031022613.tar.gz

You can list images using the following command:

gsutil ls gs://kylo-images
gs://kylo-images/k170v-2369-20181008172807.tar.gz
gs://kylo-images/k170v-2411-20181031022613.tar.gz

Create an instance from the KeySecure image

  1. In the Google Cloud Console, go to the Compute Engine Images page.

  2. Select the k170v image.

  3. Select Create instance.

  4. Select New VM instance and configure the machine as follows:

    1. Use a Boot disk that is at least 30 GB for evaluation use or at least 135 GB for production use.
    2. Choose a machine type with 16 GB of memory and at least 2 vCPUs.
  5. Create an SSH key by using PuTTYgen key generator.

    1. Download and open PuTTYgen.
    3. Check SSH-2 RSA.
    3. Click Generate.
    4. Save the private and public SSH keys in a secure location.
  6. On the Create an instance page under SSH Keys, paste the public SSH key that you just generated in the SSH key window.

  7. Click Create.
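The image and instance creation steps above, written as a gcloud script. This is an added example, not code from the original page, Thales or Google Cloud. It assumes placeholder values for the project, zone, image name, instance name and SSH user name; it picks e2-highmem-2 as one machine type that meets the 2 vCPU / 16 GB requirement; and it reads an OpenSSH-format public key file instead of pasting the PuTTYgen key into the console (PuTTYgen can export the public key in OpenSSH format). The boot disk minimums (30 GB evaluation, 135 GB production) are the ones stated above and the script refuses to create an undersized instance.

```shell
#!/bin/sh
# Added example: create the KeySecure image and a k170v instance with gcloud.
# PROJECT, ZONE, IMAGE_NAME, INSTANCE and SSH_USER are placeholders (not from the page).
# MACHINE_TYPE e2-highmem-2 is an assumption: it provides 2 vCPUs and 16 GB of memory.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"
ZONE="${ZONE:-us-central1-a}"
IMAGE_NAME="${IMAGE_NAME:-k170v-2411}"
INSTANCE="${INSTANCE:-k170v-node1}"
SSH_USER="${SSH_USER:-ksadmin}"
MACHINE_TYPE="${MACHINE_TYPE:-e2-highmem-2}"
# Source URI of the zipped KeySecure image, as given on the page.
SOURCE_URI="gs://kylo-images/k170v-2411-20181031022613.tar.gz"
# With DRY_RUN=1 the gcloud commands are printed instead of executed.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Minimum boot disk size from the page: 30 GB for evaluation, 135 GB for production.
min_disk_gb() {
  case "$1" in
    evaluation) echo 30 ;;
    production) echo 135 ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Succeeds only when the requested disk size ($2, in GB) meets the minimum for profile $1.
disk_size_ok() {
  min="$(min_disk_gb "$1")" || return 1
  [ "$2" -ge "$min" ]
}

# Step "Create an image from a zipped KeySecure image".
create_image() {
  run gcloud compute images create "$IMAGE_NAME" \
    --project "$PROJECT" --source-uri "$SOURCE_URI"
}

# Step "Create an instance from the KeySecure image".
# $1 = evaluation|production, $2 = boot disk size in GB, $3 = OpenSSH public key file.
create_instance() {
  profile="$1"; size_gb="$2"; pubkey_file="$3"
  disk_size_ok "$profile" "$size_gb" || {
    echo "boot disk ${size_gb} GB is below the minimum for profile '$profile'" >&2
    return 1
  }
  [ -r "$pubkey_file" ] || { echo "cannot read public key $pubkey_file" >&2; return 1; }
  # GCE ssh-keys metadata is "username:<public key line>"; only the public key leaves the workstation.
  run gcloud compute instances create "$INSTANCE" \
    --project "$PROJECT" --zone "$ZONE" \
    --image "$IMAGE_NAME" --image-project "$PROJECT" \
    --boot-disk-size "${size_gb}GB" --machine-type "$MACHINE_TYPE" \
    --metadata "ssh-keys=${SSH_USER}:$(cat "$pubkey_file")"
}

# Usage: sh keysecure-deploy.sh deploy production 135 ~/.ssh/k170v_rsa.pub
if [ "${1:-}" = deploy ]; then
  create_image
  create_instance "$2" "$3" "$4"
fi
```

Run it once with DRY_RUN=1 to review the exact gcloud invocations before creating anything; the private half of the SSH key is never read by the script.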

Configure the vSphere environment

  1. In vCenter, navigate to Configurations > More > Key management servers.
  2. Select the k170v image.
  3. Click Add.
  4. Create a new cluster. Clusters are used to ensure high availability of the key manager for various key management and encryption use cases. A Cluster can have multiple 170v nodes. Include a cluster name and a reachable 170v IP address, and use port 5696.
  5. Under Establish trust, click Make vCenter trust KMS.
  6. Click Trust.
  7. Generate a new certificate signing request (CSR) to help establish the connection between vCenter and k170v. Select New Certificate Signing Request (CSR) and click Next. You can either copy or download the CSR.

Configure the k170v appliance

  1. Log in to the KeySecure Management Console.
  2. In a browser, navigate to https://IP-address, where IP-address is your k170v server IP address.
  3. The default username and password are admin.
  4. You are prompted to change the password.
  5. Log in again with your new username and password.
  6. In vCenter, click Keys & access management.
  7. Click Registration tokens > New registration token.
  8. Click Begin.
  9. Define the token metadata. Set the values for Name Prefix, Token Lifetime, Certificate Duration, and Client Capacity.
  10. Click Next.
  11. The default Local CA is preselected. Click Create token.
  12. Copy the generated registration token and click Done.
  13. On the vCenter main menu, navigate to Admin settings > System > Interfaces.
  14. Configure a port for the k170v server to use to communicate with vCenter.
  15. KMIP uses the default port 5696. To edit an existing KMIP interface or create a new one, click the vertical more menu and then click Edit.
  16. Paste the registration token that you generated earlier.
  17. Click Update.
  18. Restart the KMIP system service. Navigate to the System > Services menu and click System restart.

Sign the vCenter certificate signing request (CSR)

  1. In vSphere, navigate to Keys & access management and click CA.
  2. Under Local certificate authorities click the Subject hyperlink.
  3. Select Upload and sign CSR.
  4. Paste the CSR copied from vSphere and click Issue certificate.
  5. Click the vertical more menu next to the certificate you signed and click Copy.
  6. Create a user on 170v with the name from the certificate that was generated by vCenter.
  7. In Keys & access management, click Users.
  8. Click Create new user. The username is derived from the signed CSR:

    /C=US/ST=California/O=VMware/OU=VMware Engineering/username=kmipClient2020060820330
    
  9. After the user is created, click User from the navigation menu.

  10. To add permissions, click the vertical more menu for the user you just created.

  11. Click Manage.

  12. Click Groups.

  13. Check Key users to add the user to the key users group.
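Two checks a practitioner would want after signing the CSR and creating the user: that the user name created on the k170v really matches the username field of the subject vCenter put in its CSR (and of the certificate the Local CA issued), and that the KMIP interface configured earlier answers a TLS handshake on port 5696 with a chain that verifies against the CA certificate. This is an added example with openssl and sed, not from the original page or from Thales; the file names vcenter.csr, vcenter-signed.pem and local-ca.pem and the host k170v.example are assumed. The username extraction works on the subject string as the page shows it (slash-separated) and on the comma-separated RFC 2253 form that openssl prints.

```shell
#!/bin/sh
# Added example: verify the vCenter client identity and the k170v KMIP endpoint.
# File names and host below are placeholders, not values from the page.
set -eu

# One-line RFC 2253 subject of a CSR, e.g.
# "username=kmipClient2020060820330,OU=VMware Engineering,O=VMware,ST=California,C=US".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Same for an issued certificate (the file downloaded from the KeySecure CA page).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Derive the KeySecure user name from a subject string. Accepts the slash form
# shown on the page and the comma-separated RFC 2253 form, with or without spaces
# around "=". Prints nothing if the subject carries no username field.
kmip_username_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*username *= *\([^/,]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# TLS handshake against the KMIP interface (default port 5696), verifying the
# server chain against the given CA file (assumed to be the KeySecure Local CA
# certificate). Fails when the chain does not verify or the port is closed.
check_kmip_tls() {
  host="$1"; ca_file="$2"; port="${3:-5696}"
  openssl s_client -connect "$host:$port" -CAfile "$ca_file" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Usage: sh kmip-check.sh check k170v.example local-ca.pem vcenter.csr vcenter-signed.pem
if [ "${1:-}" = check ]; then
  host="$2"; ca_file="$3"; csr="$4"; cert="$5"
  want="$(kmip_username_from_subject "$(csr_subject "$csr")")"
  have="$(kmip_username_from_subject "$(cert_subject "$cert")")"
  [ -n "$want" ] && [ "$want" = "$have" ] || {
    echo "CSR username '$want' and certificate username '$have' differ" >&2; exit 1; }
  echo "KeySecure user to create / check: $want"
  check_kmip_tls "$host" "$ca_file" || { echo "TLS verification of $host:5696 failed" >&2; exit 1; }
  echo "KMIP TLS handshake to $host:5696 OK"
fi
```

If the handshake fails right after the KMIP service restart, re-check the interface definition on the k170v (port 5696 and the registration token) before touching the vCenter side; a mismatch there shows up as a rejected chain, not as a KMIP-level error.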

Upload the signed CSR to vSphere

  1. In vSphere, click Upload signed certificate.
  2. Select the Privacy Enhanced Mail (.PEM) file for the certificate or copy and paste the CSR from the k170v appliance.
  3. Click Make vCenter trust KMS.
  4. Click Trust.
  5. To enable vSAN Encryption, log in to the vSphere client and navigate to VSAN > Service. Click Encryption and then click Edit to generate new encryption keys.
  6. In the vSAN services window, enable encryption. Choose the cluster that you created earlier and click Apply.
  7. In the Records tab, vCenter generates a token and key.

Create a 170v cluster and add it to vCenter

To support high availability, run two k170v servers in your cluster. After the k170v cluster has been configured, the items configured earlier are replicated as part of the clustering process. For example, vSphere replicates the registration token, the user definition, the KMIP port, the encryption keys, and the CSR.

  1. In vSphere, select Key management servers.
  2. Select the additional k170v node and click Add.
  3. Under Make vCenter trust KMS, click Trust.