In vSphere 7.0 Update 2 and later, you can use the built-in vSphere Native Key Provider to enable encryption technologies, such as virtual TPMs (vTPM). You can also use vSphere Native Key Provider for vSphere Virtual Machine Encryption, but you must purchase the VMware vSphere® Enterprise Plus Edition™.

vSphere Native Key Provider is included in all vSphere editions and does not require an external key server (also called a Key Management Server (KMS) in the industry). With a standard key provider or trusted key provider, you must configure an external key server. In a standard key provider setup, vCenter Server fetches the keys from the external key server and distributes them to the ESXi hosts. In a trusted key provider (vSphere Trust Authority) setup, the trusted ESXi hosts fetch the keys directly. With vSphere Native Key Provider, you no longer need an external key server.

vCenter Server generates a primary key, called the Key Derivation Key (KDK), and pushes it to all ESXi hosts in the cluster. The ESXi hosts then generate data encryption keys (even when not connected to vCenter Server) to enable security functionality such as vTPMs. vTPM functionality is included in all vSphere editions. To use vSphere Native Key Provider for vSphere Virtual Machine Encryption, you must have purchased the vSphere Enterprise Plus Edition.

vSphere Native Key Provider can coexist with an existing key server infrastructure.

vSphere Native Key Provider:

- Enables the use of vTPMs, vSphere Virtual Machine Encryption, and vSAN Data at Rest Encryption, when you do not require or want an external key server.
- Works only with VMware infrastructure products.
- Does not provide external interoperability, KMIP support, hardware security modules, or other features that a traditional, third-party, external key server can offer for interoperability or regulatory compliance. If your organization requires this functionality for non-VMware products and components, install a traditional, third-party key server.
- Helps address the needs of organizations that either cannot use, or do not want to use, an external key server.
- Improves data sanitization and system reuse practices by enabling earlier use of encryption technologies on media that is difficult to sanitize, such as flash and SSD.
- Provides a transition path between key providers.
- Is compatible with the VMware standard key provider and the vSphere Trust Authority trusted key provider.
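The KDK model described above (vCenter Server holds one primary key, pushes it to every host, and each host then derives its own data encryption keys without a round trip to vCenter Server) is a standard key-hierarchy pattern. The following added example illustrates that pattern in Python; it is not VMware's code, and the real ESXi derivation algorithm is not documented on this page. The `KeyProvider` and `Host` classes, the provider and key identifiers, and the choice of HKDF-SHA256 (RFC 5869) as the derivation function are all assumptions made for the illustration. It shows why two hosts that received the same KDK independently produce the same key for the same object, why a host that never received the KDK cannot produce any key, and why the KDK itself is the root secret whose exposure would expose every derived key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF per RFC 5869 with HMAC-SHA256: extract a PRK from the input key
    material, then expand it into `length` bytes bound to `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyProvider:
    """Stand-in for vCenter Server (assumed class, not a VMware API): owns the
    Key Derivation Key and pushes it to hosts. The KDK is the root secret of the
    whole hierarchy, so it must be protected and backed up as such."""

    def __init__(self, provider_id: str, kdk: Optional[bytes] = None) -> None:
        self.provider_id = provider_id
        # A fresh 256-bit KDK unless one is supplied (tests use a fixed value).
        self.kdk = kdk if kdk is not None else secrets.token_bytes(32)

    def push_to(self, host: "Host") -> None:
        host.receive_kdk(self.provider_id, self.kdk)


class Host:
    """Stand-in for an ESXi host (assumed class): caches the KDK it was given and
    derives data encryption keys (DEKs) locally, with no call back to the provider."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.kdks: Dict[str, bytes] = {}

    def receive_kdk(self, provider_id: str, kdk: bytes) -> None:
        self.kdks[provider_id] = kdk

    def derive_dek(self, provider_id: str, key_id: str) -> bytes:
        # A host that never received the KDK cannot derive anything (KeyError).
        kdk = self.kdks[provider_id]
        # Bind the derived key to the provider and to the object (e.g. a VM's
        # vTPM or disk) so different objects never share a DEK.
        return hkdf_sha256(kdk, salt=provider_id.encode(), info=b"dek:" + key_id.encode())


def hosts_agree(provider: KeyProvider, hosts: list, key_id: str) -> bool:
    """True when every host that received the KDK derives the same DEK for key_id,
    i.e. no host needed the provider online to agree on the key."""
    for h in hosts:
        provider.push_to(h)
    deks = {h.derive_dek(provider.provider_id, key_id) for h in hosts}
    return len(deks) == 1


if __name__ == "__main__":
    kp = KeyProvider("native-kp-1")  # constructed provider id
    esxi = [Host("esxi-01"), Host("esxi-02")]
    print("hosts derive identical DEK:", hosts_agree(kp, esxi, "vm-42"))
```

Run it directly to see two hosts agree on a key derived offline. Because the derivation is deterministic, a host can be disconnected from the provider and still serve vTPM or encryption requests, which is the operational property the page attributes to vSphere Native Key Provider; the flip side is that the KDK's confidentiality is the entire security boundary.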