Configuring vSAN encryption using CipherTrust Manager

To encrypt data at rest using vSAN encryption, one option is to switch your active key management service (KMS) to an external one. Thales CipherTrust Manager is an external KMS solution that's KMIP 1.1 compliant and certified by VMware for vSAN.

For information about the default vSAN encryption behavior of Google Cloud VMware Engine, see About vSAN encryption.

Before you begin

To use the command-line examples in the CipherTrust Manager guide, you must install or update to the latest version of the Google Cloud CLI.

The Thales CipherTrust Manager documentation provides additional information about prerequisites for this integration.

Setup overview

Setting up VMware Engine with CipherTrust Manager involves the following major steps:

  1. Access and install a CipherTrust Manager image on a Compute Engine VM.
  2. In CipherTrust Manager, configure network details and assign users to a key management domain.
  3. Create a registration token and a registered client to use when configuring the Key Management Interoperability Protocol (KMIP) connection to vCenter Server.
  4. Register the KMIP client in Thales CipherTrust Manager using a private key and certificate.
  5. In vCenter Server, declare CipherTrust Manager as a standard key provider.

For a full description of the steps required for this integration, see the Thales CipherTrust Manager documentation for Google Cloud VMware Engine.