{"id":1153,"date":"2023-02-02T13:04:56","date_gmt":"2023-02-02T12:04:56","guid":{"rendered":"https:\/\/virtualguru.cz\/?p=1153"},"modified":"2023-02-02T13:09:27","modified_gmt":"2023-02-02T12:09:27","slug":"vsphere-7-0u2-a-native-key-provider","status":"publish","type":"post","link":"https:\/\/virtualguru.cz\/en\/2023\/02\/02\/vsphere-7-0u2-a-native-key-provider\/","title":{"rendered":"vSphere 7.0U2 and Native Key Provider"},"content":{"rendered":"<p>If you need to encrypt VMs, then <strong>before<\/strong> version 7.0U2 you have only one option: to buy a key management solution from a certified partner such as HyTrust, Gemalto and others, see <a href=\"https:\/\/www.vmware.com\/resources\/compatibility\/search.php?deviceCategory=kms\">HERE<\/a>.<\/p>\n<p>If, however, you only need to add a vTPM chip to a VM, that is needlessly expensive, but unfortunately there is no other way.<\/p>\n<p>Starting with version 7.0U2, VMware has taken a step toward these customers and simplified the use of vTPM, because we can now use a built-in encryption tool that is part of vCenter Server.<\/p>\n<p>This feature is called Native Key Provider. An external KMS server is called a Standard Key Provider, and the same requirements still apply to it as for a KMS server since version 6.5, when VMware introduced VM encryption: support for the KMIP protocol version 1.1 or higher.<\/p>\n<p>Enabling and using Native Key Provider is fairly simple and requires no additional installation. 
The only limitation is that the entire environment where you want to use this feature must be on vSphere 7.0U2 or later: not only vCenter, but the ESXi hosts as well.<\/p>\n<p>So if you have completed this important step and your environment is on 7.0U2, let's get started.<\/p>\n<p>Enabling Native Key Provider works much like adding a KMS server: at the vCenter Server level, select the Configure tab and then, in the Security section, select Key Providers.<\/p>\n<p>On the right you will see the list of already configured key providers, if you have any, or at the top the option to add a Key Provider.<\/p>\n<p><a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-1393\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1664.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>This is where you choose between Native Key Provider and Standard Key Provider.<\/p>\n<p>If you choose Native Key Provider, creating it is considerably simpler than setting up an external KMS server.<\/p>\n<p>It only asks you for a name, which will then be shown in the list. You can also freely combine several Key Providers, whether Standard or Native. 
This can be an advantage when configuring vSAN Encryption, where each cluster can be encrypted with a different &#8220;Master&#8221; key.<\/p>\n<p><a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-1394\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1665.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Besides the name, you have the option to use the physical TPM chips in the ESX hosts to store this master key. This is the more secure variant, because the ESX hosts will not depend as much on the availability of vCenter Server. If you leave this option checked but some of your ESX hosts have no TPM chip, you will not be able to power on an encrypted VM on them, nor add a vTPM chip (a vTPM chip requires an encrypted &#8220;VM home namespace&#8221;, because the contents of the vTPM chip are stored in a file on the datastore that is encrypted together with the VM home).<\/p>\n<p>It is not a mandatory requirement, though, so you can uncheck the option during creation and it will then not be required on the ESX hosts. 
This is especially handy for home labs, where you probably don't have a TPM chip.<\/p>\n<p><a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-1395\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1666.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Before you can start using the Native Key Provider, however, you must have it backed up. You do this with the Back-Up button; see the screenshot above.<\/p>\n<p>It then asks whether you want to password-protect the saved key, which is exported in PFX format. This is of course recommended and more secure. 
You also have to confirm that you have stored the password in a safe place.<\/p>\n<p><center><a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1397\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1667.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a> <a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1399\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1668.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a> <a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1400\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669-300x201.png 300w, 
https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1669.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a> <a href=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1398\" src=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671-300x201.png\" alt=\"\" width=\"300\" height=\"201\" srcset=\"https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671-300x201.png 300w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671-1024x685.png 1024w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671-768x514.png 768w, https:\/\/virtualguru.cz\/wp-content\/uploads\/2023\/02\/obrazek-1671.png 1325w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/center>You can then use the backup for recovery should anything happen to your vCenter.<\/p>\n<p>After that you can use VM encryption or add vTPM chips.<\/p>","protected":false},"excerpt":{"rendered":"<p>If you need to encrypt VMs, then before version 7.0U2 you have only one option: 
to buy a key management solution from a certified partner such as HyTrust,&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/virtualguru.cz\/en\/2023\/02\/02\/vsphere-7-0u2-a-native-key-provider\/\">Continue Reading<span class=\"screen-reader-text\">vSphere 7.0U2 and Native Key Provider<\/span> <i class=\"fas fa-angle-right\"><\/i><\/a><\/div>","protected":false},"author":4,"featured_media":1393,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"iawp_total_views":25,"footnotes":""},"categories":[3],"tags":[55,54,56,7,9,57],"class_list":["post-1153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vsphere","tag-encryption","tag-kms","tag-tpm","tag-vcenter","tag-vsphere","tag-vtpm","entry"],"_links":{"self":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/1153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/comments?post=1153"}],"version-history":[{"count":9,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/1153\/revisions"}],"predecessor-version":[{"id":1405,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/posts\/1153\/revisions\/1405"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/media\/1393"}],"wp:attachment":[{"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/media?parent=1153"}],"wp:te
rm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/categories?post=1153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtualguru.cz\/en\/wp-json\/wp\/v2\/tags?post=1153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}