#VCP
With vTA you establish a hardware-rooted trust relationship with the ESXi host software and configuration, so that alterations (for example by malware) are detected before a host is handed any key material.
It hands out cryptographic keys only to ESXi hosts that pass attestation against the approved configuration set in vTA.
vTA runs on a completely separate cluster (three hosts in this setup) and is the only component that talks to the key manager; workload hosts receive keys through it rather than from the KMS directly.
Only a small group of people, the Trust Authority Administrators, have access to this cluster.
This separate vTA Cluster runs management software only, such as vCenter or monitoring solutions, together with the Trust Authority services that front the Key Manager.
In older versions such as 6.5 and 6.7, vCenter itself obtained the encryption keys from a key server, authenticating with client certificates stored in the VMware Endpoint Certificate Store (VECS).
Access to the keys was therefore governed by vCenter permissions. That model works, but it makes vCenter a single point of compromise; with vTA this role is moved out of the workload vCenter into the vTA Cluster.
If the vCenter or an ESXi host is compromised through untrusted software, it can no longer gain access to the cryptographic keys.
![[_media/vSphere - vSphere Trust Authority (vTA) 2024-07-22.png|700]]
![[_media/vSphere - vSphere Trust Authority (vTA) 2024-07-22-1.png]]
## Concepts
### Attestation Service
Attests the state of the ESXi hosts of another cluster (the Trusted Cluster). It uses each host's TPM 2.0 to establish a hardware root of trust and verifies that the measured ESXi software matches the approved base image.
### Key provider service
Exposes Trusted Key Providers, each backed by a configured key server (KMS). Only KMIP-compliant key servers are supported.
### Trust Authority Host
An ESXi host running vSphere Trust Authority components (Attestation and Key Provider services)
### Trusted Cluster
Consists of a vCenter Server cluster of Trusted ESXi hosts that are remotely attested by the Trust Authority Cluster.
### Trusted infrastructure
- Trust Authority vCenter Server
- Workload vCenter Server
- One or more vSphere Trust Authority Clusters, configured as part of the Trust Authority vCenter Server
- Trusted Cluster/Workload Cluster configured on the Workload vCenter Server
- Encrypted Workload VMs
- KMIP compliant KMS
### Trusted Host
An ESXi host that has been validated by the Attestation Service of the Trust Authority Cluster. Such a host can run workloads encrypted with keys released by the Trust Authority Cluster's Key Provider Service.
### vSphere Encryption for Virtual Machines
Can create new encrypted virtual machines and encrypt existing ones.
Introduced in vSphere 6.5.
### Trusted Key Provider
A key provider that encapsulates a single encryption key on a key server. Access to the key requires that the requesting ESXi host has been attested by the Attestation Service of the Trust Authority Cluster.
### Standard Key provider
Obtains encryption keys directly from a key server and distributes them to the hosts in a datacenter that need them (the pre-vTA model, no attestation involved).
### Native Key Provider
VMware's own integrated key provider, see [[vSphere - Native key provider (NKP)]]
### Key Server
A KMIP key management server that is associated with a key provider.
## Benefits
- Hardware-based trust, established by the vTA Cluster.
- Uses the TPM 2.0 of the hosts directly for attestation.
- Only the hosts of the vTA Cluster connect to the KMS.
- Security administration and vSphere administration are clearly separated.
- vTA keeps its own audit log trail, for compliance reasons.
## Requirements
- vSphere 7.0 or later
- A separate hardware cluster used only for vTA
- TPM 2.0 on the ESXi hosts to be attested; without it vTA cannot be used to its full extent
## Setup
1. Set up a workstation (with PowerCLI) to configure vTA
2. Enable the Trust Authority Administrator (add the administrator to the TrustedAdmins group in vsphere.local)
3. Enable the Trust Authority State on the vTA Cluster
4. Collect information about the vCenter Server and ESXi hosts to be trusted (exported as files)
5. Import the Trusted Host information into the Trust Authority Cluster
6. Create the Key Provider on the Trust Authority Cluster
7. Export the Trust Authority Cluster information
8. Import the Trust Authority Cluster information on the workload vCenter Server and enable the Trusted Cluster
9. Configure the Trusted Key Provider for the Trusted Hosts
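The nine steps above, worked through as one PowerCLI session. This is an added example, not code from this page or from VMware: the cmdlets are those of the `VMware.VimAutomation.Security` module as recalled from the PowerCLI documentation, so confirm each name and parameter with `Get-Command -Module VMware.VimAutomation.Security` and `Get-Help <cmdlet> -Full` before use. The vCenter hostnames, cluster names, accounts, file paths, key provider name and KMS address are placeholders.

```powershell
# Added example (not from the page or VMware): vTA setup steps 1-9 with PowerCLI.
# All hostnames, cluster names, accounts, paths and the KMS master key id are placeholders.
$workDir = 'C:\vta'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# --- Steps 1-3: Trust Authority vCenter, logged in as the Trust Authority Administrator ----
# Step 2 is done beforehand in vCenter SSO: the account below is a member of vsphere.local\TrustedAdmins.
Connect-VIServer -Server 'vta-vcsa.example.local' -User 'trustadmin@vsphere.local'

$vTA = Get-TrustAuthorityCluster -Name 'vTA Cluster'
Set-TrustAuthorityCluster -TrustAuthorityCluster $vTA -State Enabled
Get-TrustAuthorityCluster -Name 'vTA Cluster' | Select-Object Name, State   # State should read Enabled

Disconnect-VIServer -Server '*' -Confirm:$false

# --- Step 4: workload vCenter: export what vTA must know about the hosts to be trusted ---------
Connect-VIServer -Server 'wl-vcsa.example.local' -User 'administrator@vsphere.local'

$hosts = Get-Cluster -Name 'Trusted Cluster' | Get-VMHost
# TPM 2.0 endorsement-key CA certificates: lets the Attestation Service validate each host's TPM
Get-Tpm2EndorsementKey -VMHost $hosts | Export-Tpm2CACertificate -FilePath "$workDir\tpm-cacerts.zip"
# ESXi image database: the approved software state the attested hosts must match
Export-VMHostImageDb -VMHost $hosts -FilePath "$workDir\esxi-image-db.tgz"
# Principal of the workload vCenter that will later request keys on behalf of the hosts
Export-TrustedPrincipal -FilePath "$workDir\wl-vcenter-principal.json"

Disconnect-VIServer -Server '*' -Confirm:$false

# --- Steps 5-7: back on the Trust Authority vCenter --------------------------------------------
Connect-VIServer -Server 'vta-vcsa.example.local' -User 'trustadmin@vsphere.local'
$vTA = Get-TrustAuthorityCluster -Name 'vTA Cluster'

# Step 5: import the trusted-host information collected in step 4
New-TrustAuthorityTpm2CACertificate -TrustAuthorityCluster $vTA -FilePath "$workDir\tpm-cacerts.zip"
New-TrustAuthorityVMHostBaseImage   -TrustAuthorityCluster $vTA -FilePath "$workDir\esxi-image-db.tgz"
New-TrustAuthorityPrincipal         -TrustAuthorityCluster $vTA -FilePath "$workDir\wl-vcenter-principal.json"

# Step 6: create the Trusted Key Provider, backed by an external KMIP key server.
# -MasterKeyId names a key that already exists on the KMS and wraps the VM keys (placeholder id).
$kp = New-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA -Name 'kp-prod' `
        -MasterKeyId 'vta-master-key-01' -KmipServerAddress 'kms.example.local'
# Mutual TLS between the key provider and the KMS must still be set up (client certificate
# registered at the KMS, KMS server certificate trusted by the key provider); those steps are
# KMS-specific and are left out here.

# Step 7: export the Trust Authority Cluster description for the workload side
Export-TrustAuthorityServicesInfo -TrustAuthorityCluster $vTA -FilePath "$workDir\vta-services.json"

Disconnect-VIServer -Server '*' -Confirm:$false

# --- Steps 8-9: workload vCenter: import vTA information and enable the Trusted Cluster --------
Connect-VIServer -Server 'wl-vcsa.example.local' -User 'administrator@vsphere.local'

Import-TrustAuthorityServicesInfo -FilePath "$workDir\vta-services.json"
$tc = Get-TrustedCluster -Name 'Trusted Cluster'
Set-TrustedCluster -TrustedCluster $tc -State Enabled

# Step 9: make the Trusted Key Provider the default so new encrypted VMs on the Trusted Cluster
# get keys that are released only to attested hosts. If 'kp-prod' is not listed yet, add it first
# in the vSphere Client (Cluster > Configure > Key Providers > Add Trusted Key Provider).
Get-KeyProvider | Where-Object { $_.Name -eq 'kp-prod' } | Set-KeyProvider -Default

# Check before encrypting workloads: the Trusted Cluster must report an enabled state
Get-TrustedCluster -Name 'Trusted Cluster' | Select-Object Name, State
```

Note the deliberate alternation between the two vCenter Servers: every cmdlet that changes the vTA Cluster is run against the Trust Authority vCenter with the Trust Authority Administrator account, and the workload vCenter only ever exports host information and imports the resulting trust settings. That is the administrative separation the Benefits section describes; if one account can do both halves, the separation is gone.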
## 🔗Resources
### vSphere Trust Authority explained
- https://www.bdrsuite.com/blog/what-is-vsphere-trust-authority-part-17a/
### vSphere Trust Authority Infrastructure
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-CEFC9BAE-1685-49A7-9854-4AC997F2F1C3.html