Key Management Server (KMS) for vSphere: Install PyKMIP as Docker container

There are several third-party providers for KMIP-compatible KMS that VMware supports for its encryption function. However, these are commercial products that are poorly suited for evaluation. The open source solution PyKMIP, which is available as a Linux container, is recommended for this.

PyKMIP is a Python implementation of the Key Management Interoperability Protocol (KMIP), a communication standard from OASIS for the management of objects that are stored and managed by key management systems.

Prerequisites for PyKMIP

PyKMIP alone can only be persuaded to work with vSphere with great effort and know-how. However, VMware experimented with PyKMIP in the beta phase of vSphere 6.5 and at the time provided a virtual KMIP server appliance based on PyKMIP. Unfortunately, this is no longer available today.

However, some time ago William Lam of the VMware Cloud on AWS team built a Docker image that can be used to test encryption quite well. The Docker container, which is only 163 MB in size, is easy to start up and provides elementary services based on KMIP. The container image is available on Docker Hub at lamw/vmwkmip.

The nice thing about the Docker container is that the image can be executed directly on the vCenter Server Appliance (vCSA) in laboratory environments with limited resources or for demo purposes. As is well known, the vCSA is now based on Photon, which makes installing Docker quite easy.

The Docker container contains exactly the version of PyKMIP that will also be included in the future version of the virtual appliance. However, it is very important to note that this method cannot be used for production workloads or VMs because PyKMIP stores the encryption keys in RAM and they are lost when restarted.

Install Docker on the vCSA

If you want to experiment with the installation of Docker on the vCSA, you should first make a clone or at least a snapshot of your vCSA or, better, roll out a separate test appliance.

Once this is done, you first log on to the bash shell of the vCSA. To do so, you first have to enable this access in the menu of the appliance management UI (port 5480).

Enable bash shell in the vCenter Server Appliance (vCSA) using VAMI

Alternatively, you can also enter the command shell at the console CLI after logging in as root. Then you install Docker:

tdnf -y install docker

Then you load the kernel module specified in the following command to start the Docker client:

modprobe bridge --ignore-install

The following command shows whether the module was loaded correctly:

lsmod | grep bridge

Docker is then started with

systemctl enable docker

systemctl start docker

Install and start Docker in the vCSA

Caution: With this method, the loaded bridge module does not survive a reboot. That is sufficient for our test, since PyKMIP only keeps the keys in RAM anyway. If you want to use Docker on the vCSA for other reasons, you can of course make the module persistent. Corresponding Linux HowTos can be found on the net.

Install the PyKMIP container

First we get the PyKMIP Docker image from Docker Hub:

docker pull lamw/vmwkmip

Then we start the container with

docker run --rm -it -p 5696:5696 lamw/vmwkmip

Obtain Docker image for PyKMIP from Docker Hub

As the figure shows, the PyKMIP service was started successfully and configured to use the standard port 5696. If you don't want to run the Docker container in interactive mode, you can also start it in daemon mode. This is done with:

docker run -d -p 5696:5696 lamw/vmwkmip

The next step is to link the KMIP server to the vCenter server. To do this, log on to the vSphere Web Client, mark the logical vCenter Server object in the Navigator and then switch to Configure => Key management server.

Add PyKMIP in vCenter as a new KMS

Here you have to provide a name for the KMS cluster, the server name, the server address (in this case the IP of the vCenter server), the server port (the port published by the Docker container) and, optionally, an SSO username.

If the connection works, you have to make vCenter trustworthy for KMS by confirming the displayed certificate.

Confirm certificate to make vCenter trustworthy for the KMS

If everything is configured correctly and the vCenter server can communicate with the KMIP server, both the connection status and the certificate status are displayed in green.

PyKMIP was successfully added to vCenter as a KMS.

If this is not the case, then there is probably a connection problem between the vCenter server and the Docker container. In that case, make sure that no firewall is blocking the connection to the host on which the Docker container is running.
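One way to narrow down such a connection problem, as an added example that is not part of the original article: a small Python probe that first tests plain TCP reachability of port 5696 and then attempts a TLS handshake. The name probe_kmip and the stage labels are made up for this example; the probe sends no client certificate, so a KMS that demands one is reported as tls_failed even though its port is reachable.

```python
import hashlib
import socket
import ssl
import sys

KMIP_PORT = 5696  # standard KMIP port, as published by the container


def probe_kmip(host, port=KMIP_PORT, timeout=3.0):
    """Report how far a connection to the KMS gets: TCP first, then TLS."""
    result = {"host": host, "port": port}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # No answer at all: packets are most likely dropped by a firewall.
        return dict(result, stage="tcp_timeout")
    except ConnectionRefusedError:
        # Host answers, nothing listens: container stopped or port not published.
        return dict(result, stage="tcp_refused")
    except OSError as exc:
        return dict(result, stage="tcp_error", detail=str(exc))

    # The certificate chain is deliberately not validated: the probe only
    # returns the fingerprint so it can be compared by hand with the
    # certificate vCenter asks you to confirm. No client certificate is sent.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return dict(result, stage="tls_ok", tls_version=tls.version(),
                        cert_sha256=hashlib.sha256(der).hexdigest())
    except (ssl.SSLError, OSError) as exc:
        # Port is reachable but the handshake did not complete.
        return dict(result, stage="tls_failed", detail=str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python3 probe_kmip.py <address of the Docker host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else KMIP_PORT
    for key, value in probe_kmip(target, port).items():
        print(f"{key}: {value}")
```

A tcp_timeout result points to a firewall dropping packets, while tcp_refused means the host is reachable but the container is not running or its port is not published.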

From this point on you can start encrypting VMs as I described it in this post. For this purpose, you only have to apply the VM encryption policy either to the entire VM (VM Home + VMDKs) or to individual VMDKs.

About the Author: Jan Gruber
