@PSUStevens blog

You are reading the blog of @PSUStevens.

Add a HyTrust KMS to vCenter v7 as a Key Provider

In vCenter 7, VMware moved away from the term KMS (Key Management Server) to Key Provider. This post explains how to add HyTrust KeyControl as a Key Provider in vCenter 7.


vCenter Key Provider (KMS)


In my How to Deploy a HyTrust KeyControl 2-node Cluster post I walked through the steps for deploying and configuring a 2-node HyTrust KeyControl cluster. Now that you have it deployed, let’s start using it. But before we can do that, we need to add it to vCenter as a Key Provider. Let’s go!!

Before Starting

Before starting, I want to clear up some terminology. If you are familiar with using encryption in vCenter 6.5 or 6.7, you may remember VMware used the term KMS Cluster when referring to a Key Management Server. But, for some reason, which I haven’t been able to track down, they now use the term Key Provider. I think it has something to do with the new VMware vSphere Trust Authority, but this is a guess. If someone at VMware can explain the reason, I’d love to know why.

Log in to the HyTrust KeyControl Cluster

  1. Log in to one of the KeyControl nodes. After logging in, click on the big KMIP icon in the top menu bar of the WebUI.
KMIP icon

KMIP Server Settings

This is the screen where you will enable and make changes to the KMIP server settings.

  1. Change the State field from Disabled to Enabled.

  2. You will also need to change the version of the KMIP protocol the server speaks in the Protocol field. Change the version from the default of 1.0 to 1.1.

VMware supports KMIP version 1.1 for Key Providers.

KMIP Server settings screen

Create a Client Certificate

The communication between HyTrust KeyControl and vCenter is done via certificates. So, the next step in the process is to create a client certificate for this purpose.

  1. Next to the blue Actions button, you will see the text, Client Certificates. Click this text, then click the blue Actions button and select Create Certificate.
Create Certificate

  1. Enter a name for the certificate in the Certificate Name field. You can adjust the expiration date, but do NOT add a certificate password. Finally, click Create.
Create New Client Certificate screen

  1. You will see the new certificate in the WebUI. Click the certificate, then click the blue Actions button and select Download Certificate. A zip file will be downloaded to your system. Unzip the contents of the file. You will need the unzipped contents later.
Download Certificate

Add a Key Provider

Log in to vCenter. Then perform the following steps.

  1. Click on the name of your vCenter

  2. Click Configure

  3. Click Key Providers in the Security section

  4. Click Add Standard Key Provider

Add Standard Key Provider

  1. Enter a name for the Key Provider. This is just a reference name. It doesn’t need to match any name you use in HyTrust KeyControl.

  2. Enter a name for the KMS Server and the IP Address or FQDN of the first KeyControl node. I normally match the name of the KMS Server to the hostname of the node I’m adding. Click the Add KMS button and add the second KeyControl node.

  3. You can ignore the optional proxy and password sections. Click Add Key Provider when you are finished.

Standard Key Provider Details screen

The certificate details for each node will be displayed.

  1. Click the Trust button.
KMS Node Certificate Details

The newly added Key Provider will be displayed.

  1. Check the radio button next to the Key Provider. This will list the Key Management Servers at the bottom of the window.
Key Provider list and KMS Servers

Establish Trust

  1. Click one of the KMS servers, then click Establish Trust. Select Make KMS trust vCenter.
Make KMS trust vCenter

  1. Click KMS certificate and private key, then click Next.
Choose a Trust Method

This is the point in the process where the client certificate is needed.

  1. Click the KMS Certificate Upload a File button. Navigate to the location where you unzipped the contents of the client certificate zip file. You will see two .pem files. You can ignore the cacert.pem file. Select the second .pem file and click OK.

  2. Repeat these steps for the KMS Private Key, then click Establish Trust.

Upload KMS Credentials
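
An added example, not part of the original post: a pre-upload check of the downloaded client .pem file. It assumes, as the steps above imply by selecting the same file for both uploads, that the file carries both the certificate and a password-free private key; the function names and the sample PEM blocks are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
CLEAR_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, encrypted, der_bytes)] for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy keys carry headers like "Proc-Type: 4,ENCRYPTED"; base64 never has ':'.
        headers = [ln for ln in lines if ":" in ln]
        der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        found.append((label, encrypted, der))
    return found

def check_client_bundle(text):
    """List reasons this file cannot serve as both KMS certificate and KMS private key."""
    problems = []
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in CLEAR_KEY_LABELS or b[0] == "ENCRYPTED PRIVATE KEY"]
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    if any(encrypted for _, encrypted, _ in keys):
        problems.append("private key is password-protected")
    # Unencrypted certificates and keys are DER SEQUENCEs, so the first byte is 0x30.
    if any(not enc and der[:1] != b"\x30" for _, enc, der in certs + keys):
        problems.append("block does not decode to a DER SEQUENCE")
    return problems

def make_pem(label, der, headers=()):
    """Build a constructed PEM block for the demo (placeholder bytes, not real key material)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"

# Constructed sample inputs: a usable bundle and one whose key has a password.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(60)
GOOD = make_pem("CERTIFICATE", FAKE_DER) + make_pem("PRIVATE KEY", FAKE_DER)
LOCKED = make_pem("CERTIFICATE", FAKE_DER) + make_pem(
    "RSA PRIVATE KEY", FAKE_DER, ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"])
```

Because the key in this file has no password, keep the unzipped files readable only by your own account and delete them once trust is established.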

  1. At this point, all of the yellowish triangles from a previous step should now be green circles with checkmarks in them.
Trusted KMS Servers

If you want a bit more detail, expand one of the KMS Server entries.

KMS Server Trust Details

Congratulations!! You are finished. You are ready to begin encrypting VMs or enabling encryption for vSAN.


Let’s summarize what was covered in this post:

  • You created a client certificate using the 2-node HyTrust KeyControl cluster from a previous post
  • You added a Key Provider, which includes the two KeyControl cluster nodes
  • You established trust between the KeyControl cluster and vCenter using the client certificate

Thanks for reading this far. In the next blog post, I’ll walk through the steps for encrypting a VM. I hope this post has helped you.

If there is something you think I’m missing and feel should be added, please let me know.
