Enable and configure vSphere Trust Authority:


  1. Preconfigure the Environment
  2. Export the TPM Certificate and ESXi Image Metadata
  3. Export the Trusted User Principal
  4. Enable vSphere Trust Authority Services
  5. Import the Trusted Host Information to the Trust Authority Cluster
  6. Create a Trusted Key Provider on the Trust Authority Cluster
  7. Export the Trust Authority Cluster Settings
  8. Import the Trust Authority Cluster Settings into the Trusted Hosts Cluster
  9. Configure the Trusted Key Provider for the Trusted Hosts Cluster

When using PowerCLI in upcoming tasks, we will be:

  1. Connecting to the resource (Ensure that we use the correct user account to connect.)
  2. Performing configuration through the command line
  3. Disconnecting from the resource

Open a PowerCLI window.

In PowerCLI, connect to the sa-esxi-08.vclass.local host that is to be attested, by using the root credentials.

Connect-VIServer -server sa-esxi-08.vclass.local -User root -Password VMware1!

Assign the ESXi host to a variable.

$vmhost = Get-VMHost

Inspect the TPM endorsement key of the ESXi host.

Get-Tpm2EndorsementKey -VMHost $vmhost

Assign the TPM endorsement key to a variable.

$tpm2 = Get-Tpm2EndorsementKey -VMHost $vmhost

Using the TPM endorsement key, export the TPM device CA certificate to the C:\vta\ directory on the student desktop.

Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath C:\vta\cacert.zip

Export the ESXi image metadata from the ESXi host.

Export-VMHostImageDb -VMHost $vmhost -FilePath C:\vta\image.tgz

Disconnect existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false
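The host-side export above, wrapped into one script as an added example (not code from the original post): it takes the root password interactively rather than on the command line, disconnects the session even when an export cmdlet fails, and records SHA-256 hashes of the two exported files so the Trust Authority administrator can check them after the files are copied between the two environments. The host name and output directory are the ones the post uses; the function name is invented for this example.

```powershell
# Added example: host-side export of the TPM CA certificate and ESXi image metadata.
# Assumes VMware.PowerCLI is installed; host name and paths follow the post above.
function Export-AttestationArtifacts {
    param(
        [string]$VMHostName = 'sa-esxi-08.vclass.local',
        [string]$OutDir     = 'C:\vta'
    )
    # Prompt for the root password instead of passing it on the command line,
    # where it would be kept in the PowerShell history and visible in process listings.
    $cred = Get-Credential -UserName 'root' -Message "root credentials for $VMHostName"
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

    $certPath  = Join-Path $OutDir 'cacert.zip'
    $imagePath = Join-Path $OutDir 'image.tgz'

    $server = Connect-VIServer -Server $VMHostName -Credential $cred -ErrorAction Stop
    try {
        $vmhost = Get-VMHost -Server $server -ErrorAction Stop
        $tpm2   = Get-Tpm2EndorsementKey -VMHost $vmhost -ErrorAction Stop
        Export-Tpm2CACertificate -Tpm2EndorsementKey $tpm2 -FilePath $certPath  -ErrorAction Stop
        Export-VMHostImageDb     -VMHost $vmhost          -FilePath $imagePath -ErrorAction Stop
    }
    finally {
        # Always tear down the session, even if one of the export cmdlets threw.
        Disconnect-VIServer -Server $server -Confirm:$false
    }

    # Hash the artifacts so the Trust Authority side can verify they were not
    # altered while being moved between the two vCenter Server environments.
    foreach ($p in @($certPath, $imagePath)) {
        if (-not (Test-Path $p)) { throw "Expected export file not found: $p" }
        Get-FileHash -Path $p -Algorithm SHA256 | Select-Object Path, Hash
    }
}

# Keep the hash record next to the files; hand it over out of band, not inside the same archive.
Export-AttestationArtifacts | Tee-Object -FilePath 'C:\vta\artifact-hashes.txt'
```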

Export the Trusted User Principal

Export the trusted user principal from the vCenter Server system that manages the trusted (attested) cluster.

In PowerCLI, connect to the vCenter Server system that manages the trusted (attested) cluster by using the Trust Authority Administrator credentials.

Connect-VIServer -server sa-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

Export the trusted user principal to the C:\vta\ directory on the student desktop.

Export-TrustedPrincipal -FilePath C:\vta\principal.json

Disconnect existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false

Enable vSphere Trust Authority Services

Enable vSphere Trust Authority services on the vSphere Trust Authority cluster.

In PowerCLI, connect to sb-vcsa-01.vclass.local by using the Trusted Administrator credentials.

Connect-VIServer -server sb-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

Get the current Trusted Services state of the Trust Authority cluster.

Get-TrustAuthorityCluster "SB-VTA-Cluster-01"

NOTE:

The cluster reports the Trusted Services state as Disabled.

Assign the Trust Authority cluster object to a variable.

$TAcluster = Get-TrustAuthorityCluster "SB-VTA-Cluster-01"

Enable Trusted Services on the Trust Authority cluster.

Set-TrustAuthorityCluster -TrustAuthorityCluster $TAcluster -State Enabled

To confirm enabling SB-VTA-Cluster-01, enter Y.

NOTE:

The SB-VTA-Cluster-01 cluster is now enabled as a vSphere Trust Authority services cluster. The services attestd and kmxd on the Trust Authority hosts have been started.

Verify that the cluster is set to Enabled.

Get-TrustAuthorityCluster "SB-VTA-Cluster-01"

When the cluster is enabled, the State column shows Enabled.

Disconnect the existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false

Import the Trusted Host Information to the Trust Authority Cluster

Import the trusted host information into the Trust Authority cluster.

In PowerCLI, connect to sb-vcsa-01.vclass.local by using the Trusted Administrator credentials.

Connect-VIServer -server sb-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

In PowerCLI, import the trusted user principal from the trusted cluster into the Trust Authority cluster.

New-TrustAuthorityPrincipal -TrustAuthorityCluster $TAcluster -FilePath C:\vta\principal.json

To verify that the previous import was successful, return the trusted user principal from the trusted cluster.

Get-TrustAuthorityPrincipal -TrustAuthorityCluster $TAcluster

Import the TPM CA certificate from the trusted cluster into the Trust Authority cluster.

New-TrustAuthorityTpm2CACertificate -Name tpmca -TrustAuthorityCluster $TAcluster -FilePath C:\vta\cacert.zip

NOTE:

This step dictates which TPM devices are trusted by the Trust Authority cluster.

Import the ESXi image metadata from the trusted cluster into the Trust Authority cluster.

New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster -FilePath C:\vta\image.tgz

NOTE:

This step dictates which versions of ESXi are trusted by the Trust Authority cluster.

Disconnect the existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false
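The Trust Authority-side import above as one re-runnable script, added here as an example (not the post's own code). Before anything is imported it checks the transferred files against the SHA-256 hashes recorded on the export side, so a file altered in transit cannot quietly widen the set of TPMs or ESXi images the cluster trusts, and it confirms the cluster is actually enabled first. It assumes a PowerCLI session to sb-vcsa-01.vclass.local already exists as in the post; the expected hashes are placeholders and the function name is invented.

```powershell
# Added example: import trusted host information with an integrity check first.
# Assumes an existing PowerCLI session to sb-vcsa-01.vclass.local (see the post).
# The hashes below are placeholders: fill them from the record made on the export side.
function Import-TrustedHostInfo {
    param(
        [string]$ClusterName = 'SB-VTA-Cluster-01',
        [string]$InDir       = 'C:\vta',
        [hashtable]$ExpectedSha256 = @{
            'cacert.zip' = '<SHA256-FROM-EXPORT-SIDE>'   # placeholder
            'image.tgz'  = '<SHA256-FROM-EXPORT-SIDE>'   # placeholder
        }
    )
    # Refuse to import any file whose hash differs from the export-side record.
    foreach ($name in $ExpectedSha256.Keys) {
        $path = Join-Path $InDir $name
        if (-not (Test-Path $path)) { throw "Missing transferred file: $path" }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256[$name]) {
            throw "Hash mismatch for $name (got $actual); refusing to import"
        }
    }

    $TAcluster = Get-TrustAuthorityCluster $ClusterName -ErrorAction Stop
    if ($TAcluster.State -ne 'Enabled') {
        throw "$ClusterName is not enabled as a Trust Authority cluster; enable it first"
    }

    # Import the principal only once, so the script can be re-run safely.
    if (-not (Get-TrustAuthorityPrincipal -TrustAuthorityCluster $TAcluster)) {
        New-TrustAuthorityPrincipal -TrustAuthorityCluster $TAcluster `
            -FilePath (Join-Path $InDir 'principal.json') -ErrorAction Stop
    }
    # These two imports define which TPM devices and which ESXi versions are trusted.
    New-TrustAuthorityTpm2CACertificate -Name tpmca -TrustAuthorityCluster $TAcluster `
        -FilePath (Join-Path $InDir 'cacert.zip') -ErrorAction Stop
    New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $TAcluster `
        -FilePath (Join-Path $InDir 'image.tgz') -ErrorAction Stop

    # Return what the cluster now trusts, for the change record.
    Get-TrustAuthorityPrincipal -TrustAuthorityCluster $TAcluster
}

Import-TrustedHostInfo
```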

Create a Trusted Key Provider on the Trust Authority Cluster

Create a trusted key provider on the Trust Authority cluster so that the Trust Authority cluster can request encryption keys from a key management server.

In PowerCLI, connect to sb-vcsa-01.vclass.local by using the Trusted Administrator credentials.

Connect-VIServer -server sb-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

Add the key management server (KMS), called SB-KMS-01, as a Trust Authority key provider.

New-TrustAuthorityKeyProvider -TrustAuthorityCluster $TAcluster -MasterKeyId 1 -Name SB-KMS-01 -KmipServerAddress 172.20.110.193

NOTE:

The MasterKeyId is typically a longer UUID. In this article, we use an internal PyKMIP KMS. The value differs depending on the KMS that is used; for more information, refer to the KMS vendor documentation.

Assign the key provider to a variable.

$kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $TAcluster

Create the trusted key provider client certificate.

New-TrustAuthorityKeyProviderClientCertificate -KeyProvider $kp

Return the KMS certificate.

Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers

Assign the KMS certificate to a variable.

$cert = Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers

Add the KMS certificate to the trusted key provider in a trusted state.

Add-TrustAuthorityKeyProviderServerCertificate -ServerCertificate $cert

Disconnect the existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false
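Add-TrustAuthorityKeyProviderServerCertificate records whatever certificate the KMIP address presented as trusted, so a defender compares its fingerprint with one obtained from the KMS operator out of band before running it; otherwise the first host to answer on that address becomes the key provider for every encrypted VM. The following added example (not from the post) performs that check. It assumes the object returned by Get-TrustAuthorityKeyProviderServerCertificate exposes the X.509 certificate as a .Certificate property with the usual .Thumbprint, .NotAfter and .Subject members, that a session to sb-vcsa-01.vclass.local and the $TAcluster variable exist as in the post, and the expected thumbprint is a placeholder.

```powershell
# Added example: pin the KMS server certificate before marking it trusted.
# Assumption: each object from Get-TrustAuthorityKeyProviderServerCertificate exposes
# the X.509 certificate as .Certificate. The expected thumbprint is a placeholder for the
# value the KMS operator supplied out of band. Function name is invented for this example.
function Approve-KmsServerCertificate {
    param(
        [Parameter(Mandatory)] $TrustAuthorityCluster,
        [string]$KeyProviderName    = 'SB-KMS-01',
        [string]$ExpectedThumbprint = '<SHA1-THUMBPRINT-FROM-KMS-OPERATOR>'   # placeholder
    )
    $kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $TrustAuthorityCluster |
          Where-Object { $_.Name -eq $KeyProviderName }
    if (-not $kp) { throw "Key provider $KeyProviderName not found on the Trust Authority cluster" }

    $certs = Get-TrustAuthorityKeyProviderServerCertificate -KeyProviderServer $kp.KeyProviderServers
    if (-not $certs) { throw "No server certificate was returned for $KeyProviderName" }

    foreach ($c in $certs) {
        $x509 = $c.Certificate                                  # assumed property, see above
        # Normalise both fingerprints (strip colons/spaces) before comparing.
        $seen = ($x509.Thumbprint      -replace '[:\s]', '').ToUpper()
        $want = ($ExpectedThumbprint   -replace '[:\s]', '').ToUpper()
        if ($seen -ne $want) {
            throw "KMS certificate thumbprint $seen does not match the expected $want; not trusting it"
        }
        if ($x509.NotAfter -lt (Get-Date)) {
            throw "KMS certificate expired on $($x509.NotAfter); not trusting it"
        }
        # Only after the pin matched: record the certificate as trusted, as the post does.
        Add-TrustAuthorityKeyProviderServerCertificate -ServerCertificate $c
        "Trusted KMS certificate $seen (subject: $($x509.Subject), valid until $($x509.NotAfter))"
    }
}

Approve-KmsServerCertificate -TrustAuthorityCluster $TAcluster
```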

Export the Trust Authority Cluster Settings

In PowerCLI, connect to sb-vcsa-01.vclass.local by using the Trusted Administrator credentials.

Connect-VIServer -server sb-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

Export the Trust Authority Cluster information to the C:\vta\ directory on the student desktop.

Export-TrustAuthorityServicesInfo -TrustAuthorityCluster $TAcluster -FilePath C:\vta\cluster_settings.json

NOTE:

This file contains information about the Trust Authority attestation services and key provider services.

Disconnect existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false

Import the Trust Authority Cluster Settings into the Trusted Hosts Cluster

Import the Trust Authority cluster settings into the trusted hosts cluster to establish a connection to the Trust Authority cluster.

Using PowerCLI, connect to the vCenter Server system that manages the trusted (attested) cluster.

Connect-VIServer -server sa-vcsa-01.vclass.local -User trustedadmin@vsphere.local -Password VMware1!

Assign the trusted (attested) cluster to a variable.

$TrustedCluster = Get-TrustedCluster "SA-Trusted-Cluster-01"

Import the Trust Authority cluster information.

Import-TrustAuthorityServicesInfo -FilePath C:\vta\cluster_settings.json

  1. At the confirmation prompt, press Enter to accept the default (Y).

Enable the trusted cluster.

Set-TrustedCluster -TrustedCluster $TrustedCluster -State Enabled

  1. At the confirmation prompt, press Enter to accept the default (Y).

Disconnect the existing PowerCLI sessions.

Disconnect-VIServer -server * -Confirm:$false

Configure the Trusted Key Provider for the Trusted Hosts Cluster

Configure the trusted key provider for the trusted (attested) cluster so that encryption keys can be received from the Trust Authority cluster.

Using the vSphere Client, connect to the vCenter Server sa-vcsa-01.vclass.local.

  1. Open a new tab in the Firefox web browser and navigate to https://sa-vcsa-01.vclass.local/ui.
  2. For the user name, enter trustedadmin@vsphere.local.
  3. For the password, enter VMware1!

Select Menu > Hosts and Clusters.

In the navigation pane, select sa-vcsa-01.vclass.local.

Click the Configure tab and select Security > Key Providers.

Click ADD TRUSTED KEY PROVIDERS.

The trusted key providers that are available are shown with a Connected status.

Select SB-KMS-01 and click ADD KEY PROVIDERS.

The trusted key provider shows as Trusted and Connected. Because this is the first trusted key provider that we added, it is marked as the default.

NOTE:

The trusted key provider becomes the default key provider for the entire vCenter Server system.

Encrypt a VM with a Trusted Key Provider

We encrypt a VM with a trusted key provider so that the VM can run only on trusted hosts that are attested by the vSphere Trust Authority cluster.

Using the vSphere Client, connect to the vCenter Server instance sa-vcsa-01.vclass.local.

  1. Open a new Firefox tab and enter https://sa-vcsa-01.vclass.local/ui in the address bar.
  2. Enter user name trustedadmin@vsphere.local.
  3. Enter password VMware1!.

Select Menu > Host and Clusters to locate the VM Photon-ENC on the ESXi host sa-esxi-08.vclass.local.

  1. If the VM is powered on, shut it down by right-clicking the VM and selecting Power > Shut Down Guest OS.

Right-click Photon-ENC and select VM Policies > Edit VM Storage Policies.

From the VM storage policy drop-down menu, select VM Encryption Policy.

Click OK.

The VM is encrypted with the configured trusted key provider.
The VM summary displays a padlock icon with a green check mark to indicate that the VM is encrypted with a trusted key provider.

Power on the VM.

About the author

Mosab Shaker

I stand at the forefront of the fastest-moving technology trends like digital transformation, computer virtualization, networking and security. I spent the past ten years evangelizing an industry-wide shift to colocation in the MENA region by promoting virtualization and cloud services to many customers. With a unique mix of knowledge about different industries, businesses, and technologies
