To encrypt data at rest using vSAN encryption, you must deploy an external Key Management Server (KMS). This page explains how to use an external KMS and encrypt virtual machine data at rest in Google Cloud VMware Engine.
Users are responsible for providing licenses for their external KMS.
Before you begin
- Verify that the selected KMS vendor, tool, and version are on the vSAN compatibility list provided in this document.
- Create a Google Cloud project or use an existing one.
- Create a new Virtual Private Cloud (VPC) or choose an existing VPC network.
- Connect your selected VPC to the VMware Engine service using Private service access.
All third-party KMS solutions that comply with the KMIP 1.1 protocol standard and are certified by VMware for vSAN can operate with VMware Engine. The following vendors have validated their KMS solution with VMware Engine and published deployment guides and support statements:
The KMS supplies encryption keys to vCenter over an IP network. You can deploy the KMS solution in Compute Engine or in VMware Engine (on a different ESXi cluster). We do not recommend deploying the KMS on-premises, because any WAN outage can adversely affect the functioning of the vSAN cluster.
You need sufficient permissions to deploy Compute Engine VM instances in a given Cloud project and VPC, connect your VPC to VMware Engine, and configure firewall rules for the VPC.
Deploy Key Management Server in Compute Engine
Some KMS solutions are available in an appliance form-factor in Google Cloud Marketplace. You can deploy such appliances by importing the OVA directly in your VPC or Google Cloud project.
For software-based KMS, deploy a Compute Engine VM instance using the configuration (vCPU count, vMem, and disks) recommended by the KMS vendor. Install the KMS software in the guest operating system. Create the Compute Engine VM instance in a VPC that is connected to VMware Engine using Private service access.
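As an added example that is not part of this documentation, the software-based KMS deployment described above expressed in Terraform: a Compute Engine instance without an external IP in the VPC connected to VMware Engine, and a firewall rule that admits only KMIP traffic from the private cloud range. The VPC and subnet names, zone, machine type, image and the private cloud CIDR are placeholders, and TCP 5696 is the IANA-registered KMIP port, assumed here to be the port your KMS vendor uses.

```hcl
# Added example (not from the VMware Engine documentation): Compute Engine VM for a
# software-based KMS, plus a firewall rule that only admits KMIP from the private cloud.
# All names, ranges and sizes are placeholders; size the VM as the KMS vendor recommends.

variable "subnet_name" { default = "kms-subnet" }     # subnet in the VPC already connected via Private service access
variable "pc_cidr"     { default = "10.200.0.0/22" }  # placeholder: management/vSAN range of your VMware Engine private cloud

resource "google_compute_instance" "kms" {
  name         = "kms-01"
  zone         = "us-central1-a"   # placeholder
  machine_type = "e2-standard-4"   # placeholder; follow the KMS vendor's vCPU/memory guidance
  tags         = ["kmip-server"]   # matched by the firewall rule below

  boot_disk {
    initialize_params {
      # placeholder image; the KMS software is installed in the guest afterwards
      image = "projects/debian-cloud/global/images/family/debian-12"
    }
  }

  network_interface {
    subnetwork = var.subnet_name
    # No access_config block: the KMS gets no external IP; vCenter reaches it over the private connection.
  }
}

# Ingress rule: KMIP (TCP 5696, IANA-registered; adjust if the vendor uses a different port)
# from the private cloud range only, delivered to the KMS instance by network tag.
resource "google_compute_firewall" "allow_kmip_from_private_cloud" {
  name      = "allow-kmip-from-private-cloud"
  network   = "kms-vpc"            # placeholder VPC name
  direction = "INGRESS"
  priority  = 1000

  source_ranges = [var.pc_cidr]
  target_tags   = ["kmip-server"]

  allow {
    protocol = "tcp"
    ports    = ["5696"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"  # firewall logs help confirm vCenter connectivity and reveal unexpected callers
  }
}
```

Because the rule is scoped by source range and target tag, any other VM in the VPC is still denied access to the key server by the VPC's implied deny-ingress rule.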
Establish trust between vCenter and KMS
After deploying the KMS in Compute Engine, configure your VMware Engine vCenter to retrieve encryption keys from the KMS.
First, add the KMS connection details to vCenter. Then establish trust between vCenter and your KMS as follows:
- Generate a certificate in vCenter.
- Sign it using a token or key generated by your KMS.
- Provide or upload that certificate to vCenter.
- Confirm the connectivity status by checking the KMS setting and status in the vCenter server configuration page.
Enable vSAN encryption
The default CloudOwner role has sufficient privileges to enable and manage vSAN encryption.
To enable vSAN encryption from the vSphere client, do the following:
- Navigate to an existing cluster.
- Click the Configure tab.
- Under vSAN, select Services.
- Click the Encryption Edit button.
- In the vSAN Services dialog, enable Encryption.
- Select a KMS cluster.
- Complete your cluster configuration.
- Learn about vSAN KMS connection health checks.
- Learn about vSAN 6.7 encryption.
- Learn how to configure vSAN encryption using Fortanix KMS.
- Learn how to configure vSAN encryption using Thales KMS.
- Learn how to configure vSAN encryption using HyTrust KeyControl.