HyTrust KeyControl
HyTrust KeyControl enables encryption users to manage their encryption keys easily and at scale. HyTrust is the only KMS vendor that VMware has invested in. It is available as an OVA, which makes installation and configuration in VMware vCenter fast. In this post I show you how to install and configure this KMS service in a vSphere environment.
Step 1 – Deploying the OVA Package
Browse to the location where the OVA file is located.
Type the name for the new VM.
Select where to run the new VM.
Review the hardware requirement.
Accept the license agreement.
Select the VM configuration. In my case, because this is a lab setup, the demo configuration is selected.
Note: The demo configuration is not recommended for a production environment.
Select the Storage and Network where the new VM will be running.
Specify the VM Network parameters.
Step 2 – Configuring the newly deployed KMS appliance
Power on the newly deployed VM. It will ask you to specify a password for the htadmin account. Enter a new password for htadmin and press OK.
Wait for the configuration process to complete.
Go to the KMS management console by accessing https://kms-ip-address, then provide the default credentials.
Complete the configuration wizard by selecting the instance type and specifying a new password.
Optional: configure email notifications.
Download and save the Admin Key to a secure location.
Note: This key is primarily used for recovery purposes.
Step 3 – Enable the KMIP Service
The Key Management Interoperability Protocol (KMIP) enables communication between key management systems and cryptographically-enabled applications, including email, databases, and storage devices. Select KMIP in the top banner bar. Go to State and set it to Enabled. Then open Protocol and select Version 1.1 from the drop-down list. As a final step, go to Restrict TLS and select Enabled to make sure client traffic uses the TLS 1.2 protocol. Click the Apply button to apply the new settings.
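Once Restrict TLS has been applied, it is worth confirming from the network side that the KMIP listener really refuses TLS 1.0 and 1.1 rather than trusting the checkbox. The following probe is an added example written for this post; it is not HyTrust's code or a tool the post mentions. It assumes the appliance serves KMIP on the protocol's IANA-registered port 5696 (the post does not name the port) and takes the KMS address as a command-line argument, defaulting to the same kms-ip-address placeholder used above.

```python
"""Confirm that a KMIP listener only accepts TLS 1.2 or newer.

Added example for this post, not HyTrust's own code or a tool the post
names. Assumes the appliance serves KMIP on its IANA-registered port 5696
(the post does not state the port); pass the KMS address on the command line.
"""
import socket
import ssl
import sys

# Versions to try, oldest first. Restrict TLS = Enabled should leave only
# the last two reachable.
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
ALLOWED_VERSIONS = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def handshake_with_version(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version.

    Returns True if the server completed it, False if the server refused
    (alert or dropped connection), and None if nothing can be concluded:
    the local OpenSSL build will not offer that version, or the port is
    unreachable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The appliance's default certificate is usually self-signed; a version
    # probe does not need to trust it. Real KMIP clients must verify the chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # OpenSSL 3 defaults to a security level that blocks TLS 1.0/1.1 on
        # the client side; lowering it keeps the probe about the server's policy.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not know SECLEVEL; carry on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return None   # our side refused to offer it, not the server
        return False      # e.g. PROTOCOL_VERSION alert from the server
    except (ConnectionResetError, socket.timeout):
        return False      # some stacks drop legacy ClientHellos without an alert
    except OSError:
        return None       # connection refused / unreachable: nothing to conclude


def probe(host, port=5696):
    """Map each candidate version to True/False/None as described above."""
    return {v: handshake_with_version(host, port, v) for v in PROBE_VERSIONS}


def only_modern_tls(results):
    """Policy check: no legacy version accepted, and at least one allowed
    version actually reachable (so a dead port does not look compliant)."""
    legacy_accepted = [v for v, ok in results.items()
                       if ok is True and v not in ALLOWED_VERSIONS]
    modern_reachable = any(results.get(v) is True for v in ALLOWED_VERSIONS)
    return not legacy_accepted and modern_reachable


if __name__ == "__main__":
    # "kms-ip-address" is the post's placeholder; replace with the real address.
    kms_host = sys.argv[1] if len(sys.argv) > 1 else "kms-ip-address"
    outcome = probe(kms_host)
    for version, ok in outcome.items():
        state = {True: "ACCEPTED", False: "refused", None: "untestable"}[ok]
        print(f"{version.name:8s} {state}")
    if only_modern_tls(outcome):
        print("Restrict TLS verified: only TLS 1.2+ accepted on the KMIP port")
    else:
        print("Legacy TLS still reachable, or KMIP port not reachable")
```

Run it as `python kmip_tls_probe.py <kms-ip-address>` after clicking Apply. A refused result for TLS 1.0 and 1.1 together with an accepted TLS 1.2 is what the Restrict TLS setting should produce; an "untestable" result for the legacy versions means your own OpenSSL build would not offer them, so run the probe from a host whose OpenSSL still can before treating the setting as verified.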
Summary
We have now added and configured the KMS server, which gives us additional security options for our infrastructure and cryptographically-enabled applications.