Securing VMware Data: A HashiCorp Vault KMIP Story

Nicolas Ehrman
HashiCorp Solutions Engineering Blog
8 min read · Mar 31, 2020

In this blog post, we will demonstrate how to configure HashiCorp Vault Enterprise as a Key Management Server (KMS) for encrypting VMware virtual machines and vSAN storage.

UPDATE: We’re happy to mention that Vault is now certified as a Key Management Server for VM and vSAN Encryption (see the VMware compatibility matrix).

But first and foremost, let’s explain a little bit about the technologies involved in our story.

HashiCorp Vault Enterprise with KMIP

Vault is HashiCorp’s solution for centralized management of secrets and protection of sensitive data. It can be deployed in multi-cloud and hybrid environments and supports many use cases, such as securing static secrets, automating certificate and encryption key management, and managing dynamic secrets for databases, among others.

One enterprise feature, introduced in version 1.2 of HashiCorp Vault Enterprise, is support for the OASIS Key Management Interoperability Protocol (KMIP) through the KMIP secrets engine. KMIP is a widely adopted standard for key management and cryptographic operations, and it is the protocol vSphere uses to talk to an external key server.

VMware Encryption

VM Encryption was introduced in vSphere 6.5 and relies on an external Key Management Server (KMS), reached over KMIP, to manage encryption keys.

The encryption flow is fairly simple:

  1. When a user creates or encrypts a VM or a disk, vCenter requests a key from the default KMS cluster. This key is used as the Key Encryption Key (KEK).
  2. vCenter stores the key ID and sends the key to the ESXi host, or to all ESXi hosts if they belong to the same cluster.
  3. The ESXi host generates internal keys, the Data Encryption Keys (DEKs), which are stored on disk wrapped by the KEK. The KEK itself is only kept in host memory: after a host reboot, the host has to fetch it again from the KMS, so an unreachable KMS means encrypted VMs cannot be powered on.
  4. The ESXi host encrypts the virtual machine with the internal keys.

The same KMS integration supports encryption of virtual machines and/or individual disks, and also of VMware vSAN datastores.
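The flow above is envelope encryption, with the KMIP server holding only the outer key. As an added illustration (not VMware’s or Vault’s code, and not part of the original post), the Go program below models it with a stand-in KMS map in place of Vault, AES-256-GCM in place of the host’s cipher, and a short byte string in place of a VMDK; the key IDs and names are made up. It shows what lands on disk (the wrapped DEK and the ciphertext, never the KEK) and why a VM cannot be powered on once the KMS no longer holds the key that wraps its DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stands in for the KMIP server (Vault): it hands out KEKs by ID and never
// sees a DEK or any VM data.
type KMS map[string][]byte

// CreateKey is step 1: vCenter asks the default KMS cluster for a new key (the KEK).
func (k KMS) CreateKey(keyID string) []byte {
	kek := random(32)
	k[keyID] = kek
	return kek
}

// EncryptedVM is what reaches the datastore: the KEK's ID, the DEK wrapped by
// the KEK, and the data encrypted by the DEK. No plaintext key is stored here.
type EncryptedVM struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal and unseal are AES-256-GCM with the nonce prefixed to the output and
// aad bound into the authentication tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("unseal: bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptVM is the host side of steps 3 and 4: generate a DEK, encrypt the VM
// data with it, wrap the DEK under the KEK (bound to the key ID) and keep only
// the wrapped DEK on disk. The KEK itself stays in host memory.
func EncryptVM(kek []byte, keyID string, data []byte) (*EncryptedVM, error) {
	dek := random(32)
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &EncryptedVM{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptVM is power-on after a host reboot: ask the KMS for the KEK by ID
// (KMIP Get), unwrap the DEK, decrypt. An unreachable KMS, or a different key
// under the same ID, leaves the VM unrecoverable: plan for that dependency.
func DecryptVM(kms KMS, vm *EncryptedVM) ([]byte, error) {
	kek, ok := kms[vm.KeyID]
	if !ok {
		return nil, errors.New("kms: unknown key ID " + vm.KeyID)
	}
	dek, err := unseal(kek, vm.WrappedDEK, []byte(vm.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, vm.Ciphertext, nil)
}

func main() {
	kms := KMS{}
	vm, _ := EncryptVM(kms.CreateKey("kek-prod-01"), "kek-prod-01", []byte("CRYPTOVM01.vmdk"))
	pt, err := DecryptVM(kms, vm)
	fmt.Println(string(pt), err) // CRYPTOVM01.vmdk <nil>
}
```

The wrapped DEK is bound to its key ID through the GCM additional data, so a key ID cannot be silently re-pointed at another KEK; and because the KEK is never part of EncryptedVM, a copy of the datastore alone is useless to an attacker who cannot authenticate to the KMS.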

How to deploy and configure Vault Enterprise with KMIP?

It is not the goal of this post to explain how to deploy Vault Enterprise for a production environment, but you can still find our reference architecture here.

For the sake of simplicity, we are going to use a Vault server launched in dev mode. That mode starts Vault with in-memory storage, already unsealed, and with a root token you can remember. :) Keep in mind that nothing is persisted in dev mode: stop the process and every key vCenter stored in it is gone, and so are the VMs encrypted with those keys, so use it for testing only.

First step is to download the Vault Enterprise binary from our website.

NOTE: This is an Enterprise binary and will only run for 30 minutes without a license. After that period, Vault seals itself. If you want to test for longer, contact us through our website.

Then, from your command line, just run :

$ vault server -dev -dev-root-token-id=root

Now you have a working Vault environment, in which we can configure KMIP in a few steps. So let’s continue.

Log in to Vault, then enable and configure the KMIP secrets engine:

$ vault login root
$ vault secrets enable -path=kmip-demo kmip
$ vault write kmip-demo/config listen_addrs=0.0.0.0:5696 default_tls_client_key_type=rsa default_tls_client_key_bits=2048

As seen above, the KMIP engine can issue client keys of two types, EC (the default) and RSA. To work with VMware, at least for now, the default client key type has to be set to RSA. Two other config parameters are worth knowing before going further. default_tls_client_ttl sets the lifetime of the client certificates generated below (336 hours, i.e. two weeks, by default; a role can override it with tls_client_ttl), and vCenter loses access to the KMS once that certificate expires, so plan for re-issuing it. server_hostnames and server_ips set the names and addresses placed in the KMIP server certificate (by default only localhost), so set them to the address vCenter will use to reach Vault.

Create scopes and roles:

Now that the secrets engine is enabled and configured, the next step is to create a scope (a bucket for KMIP managed objects; objects in one scope are not visible from another) and then at least one role in it, with the set of KMIP operations the role is allowed to perform. operation_all=true, used below, grants every operation, which is convenient for a demo; in production, grant only the operations vCenter actually needs.

In our case, we will create two scopes, prod and dev, which vCenter will later use as two separate KMS clusters with separate keys.

$ vault write -f kmip-demo/scope/vmware-prod
$ vault write kmip-demo/scope/vmware-prod/role/admin operation_all=true
$ vault write -f kmip-demo/scope/vmware-dev
$ vault write kmip-demo/scope/vmware-dev/role/admin operation_all=true

Generate a client certificate

Finally, the last piece of configuration on the Vault side is to generate a client certificate that vCenter will use to authenticate to the Vault KMIP endpoint. The credential is tied to the scope and role it was generated from, so it is what later decides which keys a KMS cluster can reach.

The following command returns the CA chain, the certificate and the private key:

$ vault write -f kmip-demo/scope/vmware-prod/role/admin/credential/generate
Key              Value
---              -----
ca_chain         [-----BEGIN CERTIFICATE-----
                 ...
                 -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
                 ...
                 -----END CERTIFICATE-----]
certificate      -----BEGIN CERTIFICATE-----
                 ...
                 -----END CERTIFICATE-----
private_key      -----BEGIN RSA PRIVATE KEY-----
                 ...
                 -----END RSA PRIVATE KEY-----
serial_number    597224899459987122343605132826077792307591761443
$ vault write -f kmip-demo/scope/vmware-dev/role/admin/credential/generate

Keep in mind that you will need this credential to configure vCenter, so store it somewhere safe, at least the private_key (for instance in Vault’s own K/V secrets engine), because it cannot be retrieved again. Treat it like any other private key: whoever holds it and can reach port 5696 can request the keys of that scope.

If you only backed up the private_key, you can still retrieve the CA chain and the certificate with these commands:

$ vault list kmip-demo/scope/vmware-prod/role/admin/credential
Key
---
597224899459987122343605132826077792307591761443
$ vault read kmip-demo/scope/vmware-prod/role/admin/credential/lookup serial_number=597224899459987122343605132826077792307591761443
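vCenter needs the certificate and the private key as two separate files (they are passed to Set-KMSCluster later on), and it only accepts an RSA client key. The Go program below is an added example, not code from this post or from HashiCorp: it splits the PEM blocks of the credential/generate output (saved from `vault write -format=json ...` or copied from the terminal) into those two files, refuses anything but an RSA key, and reports how many days remain before the certificate expires, since the KMIP engine issues client certificates with a default TTL of 336 hours. To run offline it generates a self-signed stand-in certificate; the CN and the 336h value are assumptions, and the file names are the ones used later in this post.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// Credential is the Vault KMIP client credential split into what Set-KMSCluster
// takes: the leaf certificate (-KmsProvidedClientCertificateFilePath) and the
// private key (-KmsProvidedPrivateKeyFilePath).
type Credential struct {
	CertPEM []byte
	KeyPEM  []byte
}

// SplitCredential separates the PEM blocks of the concatenated certificate and
// private_key fields returned by credential/generate (extra CERTIFICATE blocks,
// e.g. a pasted ca_chain, are ignored: the first one is the leaf).
func SplitCredential(bundle []byte) (*Credential, error) {
	c := &Credential{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		switch {
		case block.Type == "CERTIFICATE" && c.CertPEM == nil:
			c.CertPEM = pem.EncodeToMemory(block)
		case strings.HasSuffix(block.Type, "PRIVATE KEY") && c.KeyPEM == nil:
			c.KeyPEM = pem.EncodeToMemory(block)
		}
	}
	if c.CertPEM == nil || c.KeyPEM == nil {
		return nil, errors.New("bundle must contain a CERTIFICATE and a PRIVATE KEY block")
	}
	return c, nil
}

// Check enforces what bites in practice: vCenter needs an RSA client key (the
// engine issues EC unless default_tls_client_key_type=rsa) and the certificate
// must still be valid. It returns the whole days left before NotAfter.
func (c *Credential) Check(now time.Time) (int, error) {
	block, _ := pem.Decode(c.CertPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	if cert.PublicKeyAlgorithm != x509.RSA {
		return 0, fmt.Errorf("client key is %s, vCenter needs RSA", cert.PublicKeyAlgorithm)
	}
	if !now.Before(cert.NotAfter) {
		return 0, fmt.Errorf("client certificate expired at %s", cert.NotAfter.UTC())
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// demoBundle stands in for Vault's output so the example runs offline: a
// self-signed RSA client certificate valid for ttl, followed by its key.
func demoBundle(ttl time.Duration) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vmware-prod-admin"}, // assumed name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	pem.Encode(&buf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return buf.Bytes(), nil
}

func main() {
	bundle, _ := demoBundle(336 * time.Hour) // 336h is the engine's default_tls_client_ttl
	cred, err := SplitCredential(bundle)
	if err != nil {
		panic(err)
	}
	days, err := cred.Check(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA client certificate, %d days left: re-issue before then\n", days)
	// The two files Set-KMSCluster expects; the key is written owner-only.
	_ = os.WriteFile("cred_vmw_prod_cert.pem", cred.CertPEM, 0o644)
	_ = os.WriteFile("cred_vmw_prod_privKey.key", cred.KeyPEM, 0o600)
}
```

With real Vault output, feed the concatenated certificate and private_key values to SplitCredential instead of demoBundle; the Check call is worth keeping in whatever rotates the credential, since a KMS cluster whose client certificate has lapsed silently stops serving keys to vCenter.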

Well done, you’re all set on the Vault side and now, we can move on to VMware vCenter configuration.

How to configure the KMS in VMware vCenter?

As I really like the command line, we are going to configure our Vault KMS in vCenter with VMware PowerCLI.

To do so, you have to follow the steps below:

  • Install Powershell (On your OS of choice, in my case Mac OSX)
  • Install PowerCLI
  • Install the VMware.VMEncryption Module
  • Test your newly installed module
$ brew cask install powershell
$ pwsh
$ Install-Module -Name VMware.PowerCLI -Scope CurrentUser
$ git clone https://github.com/vmware/PowerCLI-Example-Scripts
$ Import-Module -Name ./PowerCLI-Example-Scripts/Modules/VMware.VMEncryption/
$ Get-Command -Module VMware.VMEncryption

Now, we are ready to start the configuration of our Vault KMIP Cluster.

$ Connect-VIServer -Server 192.168.1.88 -User administrator@vsphere.local
$ Add-KeyManagementServer -Name vault-01 -kmsCluster "vault kmip demo" -Address 192.168.1.18 -Port 5696 -TrustKeyManagementServer $true
Name      Address       Port  KmsCluster       Status
----      -------       ----  ----------       ------
Vault-01  192.168.1.18  5696  vault kmip demo  Red

TIPS: If you get a certificate error when connecting to vCenter (as I did), you can tell PowerCLI to ignore it with the command below. This disables TLS certificate checking for PowerCLI’s connection to vCenter, which is fine in a lab but not something to leave on in production; the proper fix is to trust the vCenter CA on your workstation.

$ Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

As you can see, the status of the new KMS is Red, because we still have to configure the client certificate on vCenter so that it can authenticate to the Vault KMIP server.

Before doing that, to finalize the trusted connection between vCenter and the KMS, we have to upload the Vault KMIP CA manually from the vCenter GUI.

TIPS: This must be done for every Vault KMS cluster you configure.

To retrieve the CA, just type this command:

$ vault read kmip-demo/ca
Key     Value
---     -----
ca_pem  -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

Then, go to the vCenter GUI, select the Vault KMS, click “Actions” and select “Upload KMS Certificate”, as shown below:

Paste the CA certificate and click “Upload”.

The trusted connection is now fully established and you can move on.

Finally, we configure the KMS cluster with the client certificate and private key generated earlier on the Vault side, and set it as the default key provider for vCenter. The two files passed below are the certificate and private_key values from credential/generate, each saved as its own PEM file.

$ Set-KMSCluster -KmsCluster "vault kmip demo" -KmsProvidedClientCertificateFilePath ./cred_vmw_prod_cert.pem -KmsProvidedPrivateKeyFilePath ./cred_vmw_prod_privKey.key -UseAsDefaultKeyProvider
Name             UseAsDefaultKeyProvider  ClientCertificateExpiryDate
----             -----------------------  ---------------------------
vault kmip demo  True                     03/04/2020 14:39:14

Note the ClientCertificateExpiryDate: it is two weeks after the credential was generated, which is the KMIP engine’s default client certificate TTL (default_tls_client_ttl = 336h). Before that date you have to generate a new credential and run Set-KMSCluster again, otherwise vCenter can no longer talk to the KMS.

What does it look like in the vSphere Web Client?

We are all set, but let’s check the ESXi host to see whether encryption is enabled.

Because we have not created an encrypted VM or changed the host configuration yet, host encryption mode is “disabled” by default.

Go to VMhost > Configure > Security Profile > Host Encryption Mode, click “Edit”, select “Enabled” and click “OK”.

Check the events to confirm that a host key is now configured on the host.

At this point, Vault and vCenter are set up to encrypt VMs and/or specific disks. But that is probably not enough: you may want different VMs to use keys from different KMIP scopes.

That is what we do now by adding another KMS cluster, backed by exactly the same Vault cluster, but using the “dev” client certificate generated earlier from the “admin” role of the “vmware-dev” scope. Because a KMIP credential only reaches the objects of its own scope, the two KMS clusters get disjoint sets of keys even though they talk to the same Vault.

$ Add-KeyManagementServer -Name vault-01-dev -kmsCluster "vault kmip demo - dev" -Address 192.168.1.18 -Port 5696 -TrustKeyManagementServer $true
$ Set-KMSCluster -KmsCluster "vault kmip demo - dev" -KmsProvidedClientCertificateFilePath ./cred_vmw_dev_certificate.pem -KmsProvidedPrivateKeyFilePath ./cred_vmw_dev_privKey.key

We now have two KMS clusters defined, with “vault kmip demo” configured as the default for any request that does not name a cluster. Do not forget to upload the Vault KMIP CA for this second cluster too, as noted above.

For testing and demonstration purposes, I created two VMs on my infrastructure.

$ Get-VM
Name        PowerState  Num CPUs  MemoryGB
----        ----------  --------  --------
CRYPTOVM02  PoweredOff  1         1,000
CRYPTOVM01  PoweredOff  1         1,000

And also two different VM storage policies (optional, but convenient).

$ Get-SpbmStoragePolicy
Name Description Rule Sets Common Rules
---- ----------- --------- ------------
VM_Encryption_Dev {} {}
VVol No Requirement… Allow…
VM Encryption Policy Sample st… {} {}
Host-local PMem Def… Storage po… {} {PMem.PMemT…
vSAN Default Storag… Storage… {(VSAN.h… {}
VM_Encryption_Prod {} {}

Next, we use Enable-VMEncryption to encrypt each VM with its own KMS cluster.

$ $encryption_policy=$(Get-SpbmStoragePolicy -name VM_Encryption_Prod)
$ Get-VM -Name CRYPTOVM01 | Enable-VMEncryption -KMSClusterID "vault kmip demo" -Policy $encryption_policy
$ $encryption_policy=$(Get-SpbmStoragePolicy -name VM_Encryption_Dev)
$ Get-VM -Name CRYPTOVM02 | Enable-VMEncryption -KMSClusterID "vault kmip demo - dev" -Policy $encryption_policy
$ Get-VM | Select Name,KMSserver
Name        KMSserver
----        ---------
CRYPTOVM02  vault kmip demo - dev
CRYPTOVM01  vault kmip demo

And voilà: two virtual machines using two different sets of keys, which is very useful for multi-tenancy or for compliance purposes.

Conclusion

HashiCorp Vault Enterprise with the KMIP secrets engine is the perfect solution for protecting your data in virtual environments. The ease of deployment and configuration of Vault, combined with other enterprise features such as Performance Replication, Disaster Recovery and HSM integration, gives our customers the maximum level of service and security without compromise.
