In vSphere 6.7 VMware has added a new device called virtual TPM 2.0. Before you can add and use this device on virtual machines, vSphere VM Encryption needs to be in place. Starting with vSphere 6.5, you can take advantage of Virtual Machine encryption. Encryption protects not only your virtual machine but also the virtual machine files, virtual disk files, and core dump files.

Encrypting workloads helps organizations ensure their data stays protected, even if the data falls into the wrong hands. One of the challenges of workload encryption is scaling the management of tens of thousands of encryption keys, for workloads that may even be hosted on different platforms.

To enable vSphere VM encryption and manage large numbers of encryption keys, vSphere requires a Key Management Server (KMS) to be added to the environment. In this blog post I will explain and set up a HyTrust KeyControl 5.1 server, which includes a KMS, and connect it with a VMware vSphere 6.7U3 environment. This means setting up a trusted connection between vCenter Server and the Key Management Server (KMS).

Step 1 – Download OVA Package

From the HyTrust website download the OVA package (60-Day Trial) available here. A zip file with multiple files will be downloaded. 

Note: make sure you know the IP address and any other required network connection information, such as the domain name and the DNS and gateway IP addresses, for the machine that you are going to deploy as the KMS server.

Step 2 – Deploying the OVA Package

Log in to your vSphere Web Client. Navigate to Hosts and Clusters. Select the Datacenter where you would like to deploy the KMS server and select Actions and Deploy OVF/OVA Template.

Browse to the location of your OVA file. 

Select a name for the KMS server and the folder where the new VM should be placed. Now select a Compute Resource; in my case I selected esx02.vlab.local.

As soon as you press Next on step 3 of the deploy wizard it loads the OVF and, after reading the OVF content, switches from the original 6-step deployment to a 10-step deployment. Review the details about the appliance (OVA) you are about to deploy.

Read and accept the license agreement and continue to Configuring the appliance. I chose Demo, so the VM was deployed with 2 vCPUs and 4 GB of memory. The other two options are Large (4 vCPUs and 16 GB) and Recommended (2 vCPUs and 8 GB).

Now choose the right Storage to store the machine on and the correct Network to connect it to. On the Customize template step you enter all the network and name values the appliance needs to start working.

Review all settings on the Ready to complete step and press the Finish button. This starts two tasks in vCenter named Deploy and Import OVF. Wait until both finish successfully before moving to the next step.

Step 3 – Configuring the newly deployed KMS appliance

Power on the newly deployed KMS server. It will ask you to specify a password for the htadmin account. Enter a new password for htadmin and press OK.

Next we select option 1 because this is the Initial KeyControl Node in the KMS cluster we are building.

The system will now be set up. After setup completes, the system starts. Wait until the system is fully started and press OK. The KeyControl server will display a CentOS login screen.

To initialize the KeyControl web GUI and finish the configuration of the first node go to https://<kms-ip-address> and log in with secroot as both username and password. Accept the EULA and change the password for secroot! Make any other basic configuration settings you need or want.

Now that we are logged on we have to enable the KMIP Service. The Key Management Interoperability Protocol can manage the encryption keys for virtual machines in the cluster that have been encrypted by vCenter Server for vSphere Virtual Machine Encryption and/or VMware vSAN Encryption. The KMS server is also needed to enable virtual TPM 2.0 hardware for VMs, which can be leveraged to harden VMs by enabling Windows Virtualization Based Security (more about that topic in a next blog post).

Select KMIP in the top banner bar. Go to State and set it to Enabled. Then open Protocol and select Version 1.1 from the drop-down list. Finally, go to Restrict TLS and select Enabled to make sure traffic uses the TLS 1.2 protocol. Click the Apply button to apply the new settings.

When asked whether to overwrite all existing KMIP Server settings, answer Proceed. Switch to the Alerts tab to check that the KMIP Server started successfully. Everything started correctly? Great!

Step 4 – Adding HyTrust KMS Server to vCenter

Log into the vSphere Web Client and select (1) Hosts & Clusters, then select the right (2) vCenter Server instance at the top. Click (3) Configure in the right pane and browse to (4) Key Management Servers in the middle pane. Click (5) ADD.

Fill out the New cluster name, Server name, Server (IP) address or FQDN and, most important, the Server port 5696, then press ADD.

On the Make vCenter Trust KMS screen press the TRUST button. The KMS cluster is now set up, but there is no trust relationship between vCenter and the KMS server yet!

Step 5 – Connecting the HyTrust KMS server with the VMware vCenter server

Go to the vCenter Web Client and open vCenter > Configure > Key Management Server. Select the KMS Server and use the small arrow after the selection bullet to expand the window. Find the MAKE KMS TRUST VCENTER button and click on it.

Select option New Certificate Signing Request (CSR) then press Next.

Download the generated vCenter CSR file. The trust will not be established yet when you finish this wizard: the vCenter CSR has to be uploaded to the KMS server, the KMS signs the certificate, and the signed certificate is then uploaded to vCenter. Press the DONE button.

Now we switch to the HyTrust KMS server. In the HyTrust KeyControl interface go to the KMIP tab and then select Action. From the drop-down list select Create Certificate.

Under Certificate Name give it a name that is recognisable to you; I named it VCSA. Under Certificate Expiration select how long the certificate will be valid. Press the Load File button and select the CSR file created by the vCenter server, in my case KMS_signed_csr.pem. Press the Create button to create the new certificate.

Select the new VCSA entry, press Actions and choose Download certificate. A file called VCSA_<number>.zip will download. Unpack the zip file; it contains two files. Use VCSA.pem for the vCenter trust link.

In vCenter click the Upload Signed Certificate link, select the VCSA.pem file from the HyTrust KMS server and press UPLOAD.

Now the connection is successfully established! 
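Before uploading VCSA.pem in vCenter it is worth confirming that the certificate the KMS returned really belongs to the CSR vCenter generated, chains to the KMS CA and has the expiration you chose in KeyControl. The shell script below is an added example, not code from this post or from HyTrust, and does those three checks with openssl; the CA, CSR and signed certificate it uses are constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run on the KMS-signed
# certificate before uploading it to vCenter. Assumes openssl is installed.
# The CA, CSR and certificate below are constructed here so it runs offline.
set -eu

WORK=$(mktemp -d)

# Constructed stand-ins: a KMS CA (KeyControl signs with its own CA), a vCenter
# CSR (the post's KMS_signed_csr.pem) and the signed VCSA.pem it produces.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/kms-ca.key" -out "$WORK/kms-ca.pem" \
    -subj "/CN=Constructed KMS CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/vcsa.key" -out "$WORK/vcsa.csr" \
    -subj "/CN=vcsa.vlab.local" 2>/dev/null
  openssl x509 -req -in "$WORK/vcsa.csr" -CA "$WORK/kms-ca.pem" \
    -CAkey "$WORK/kms-ca.key" -CAcreateserial -days 90 \
    -out "$WORK/VCSA.pem" 2>/dev/null
  # A second CSR from a different key pair, i.e. a mixed-up CSR from another
  # vCenter: it must NOT match VCSA.pem.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/other.key" -out "$WORK/other.csr" \
    -subj "/CN=other-vcsa.vlab.local" 2>/dev/null
}

# 0 when the certificate carries the public key from the CSR, i.e. it really
# is the signed version of the CSR this vCenter generated.
cert_matches_csr() {
  csr_key=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$csr_key" = "$crt_key" ]
}

# 0 when the certificate chains to the KMS CA and is inside its validity window.
cert_trusted_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate is still valid $2 seconds from now (renewal deadline).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

make_fixture
cert_matches_csr "$WORK/vcsa.csr" "$WORK/VCSA.pem" && echo "VCSA.pem matches the vCenter CSR"
cert_trusted_by_ca "$WORK/kms-ca.pem" "$WORK/VCSA.pem" && echo "VCSA.pem chains to the KMS CA"
cert_valid_for "$WORK/VCSA.pem" 2592000 && echo "VCSA.pem valid for at least 30 days"
```

Against a real deployment, point the three functions at the CSR downloaded from vCenter and the VCSA.pem and CA file from the KeyControl zip instead of the constructed fixture.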

We have now added a KMS server to the vSphere environment, which gives us some extra security possibilities in the vSphere environment, such as encryption of VMs, enabling Windows Virtualization Based Security and a virtual TPM 2.0 hardware chip. More about these possibilities in upcoming blog posts, so stay tuned!