Enabling Virtual Machine Encryption (VM Encrypt)
Learn how to enable VM encryption
Last updated 18th November 2020
This guide explains how to implement VMencrypt on OVHcloud Managed Bare Metal, through a storage strategy that relies on an external KMS (Key Management Server).
Depending on your KMS, you can connect to the server using the browser and navigate to →
View Certificate →
Extract the value on the SHA1 Fingerprint line.
Another method with OpenSSL:
openssl s_client -connect 192.0.2.1:5696 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
Here, it is the value on the right side of the equal sign:
> SHA1 Fingerprint=7B:D9:46:BE:0C:1E:B0:27:CE:33:B5:2E:22:0F:00:84:F9:18:C6:61
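A fingerprint read over the network is only as trustworthy as the connection it was read on, so it is worth comparing it with the value shown by the KMS itself or given by its administrator before registering it. The script below is an added example, not OVHcloud code; the script name `check-kms-fp.sh` and the function names are hypothetical, and it reuses the openssl pipeline shown above.

```bash
#!/usr/bin/env bash
# Added example (not OVHcloud code): pin check for the KMS fingerprint.
LC_ALL=C; export LC_ALL

# Reduce a fingerprint in any accepted spelling to 40 upper-case hex digits.
# Text up to the equal sign ("SHA1 Fingerprint=") and colons are dropped.
# Prints nothing and returns 1 when the result is not a 20-byte SHA1 value.
fp_normalize() {
    local v
    v=$(printf '%s' "$1" | tr -d '\r\n')
    v=${v#*=}
    v=$(printf '%s' "$v" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$v" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#v}" -eq 40 ] || return 1
    printf '%s\n' "$v"
}

# Colon-separated form, as shown in the guide and in certificate viewers.
fp_colon() { fp_normalize "$1" | sed 's/../&:/g; s/:$//'; }

# Exit status 0 if both values are the same fingerprint, 1 if they differ,
# 2 if either one is malformed.
fp_matches() {
    local a b
    a=$(fp_normalize "$1") || return 2
    b=$(fp_normalize "$2") || return 2
    [ "$a" = "$b" ]
}

# Fingerprint of the certificate presented on host:port, obtained with the
# same openssl pipeline as above (-sha1 makes the digest explicit).
kms_fingerprint() {
    local line
    line=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
           openssl x509 -fingerprint -sha1 -noout 2>/dev/null) || return 1
    fp_normalize "$line"
}

# Usage: check-kms-fp.sh <kms-host> <port> <fingerprint-from-KMS-admin>
if [ "$#" -eq 3 ]; then
    got=$(kms_fingerprint "$1" "$2") || { echo "no certificate from $1:$2" >&2; exit 2; }
    if fp_matches "$got" "$3"; then
        echo "match: $(fp_colon "$got")"
    else
        echo "MISMATCH: $1:$2 presents $(fp_colon "$got")" >&2
        exit 1
    fi
fi
```

The expected fingerprint can be passed in any of the usual spellings (with or without colons, upper or lower case, with or without the `SHA1 Fingerprint=` prefix).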
In your OVHcloud Control Panel, open the "Bare Metal Cloud" section, then select your service under Managed Bare Metal in the left-hand navigation bar.
From the main page of the service, click on the
In the section Virtual Machine Encryption Key Management Servers, click on Add a new KMS Server.
In the new window, enter the following information:
Then validate with
A last window displays the progress of the task.
Encryption functions can be enabled through the OVHcloud API.
Get your serviceName:
Check that encryption is not yet enabled:
> "state": "disabled"
Then perform the registration of the KMS:
You must provide the following information:
The vCenter Server creates a KMS cluster when you add the first KMS instance.
Key Management Servers.
Add KMS, specify the KMS information in the wizard, and then click
Choose the following options:
Create new cluster for a new cluster. If a cluster exists, you can select it.
Most KMS providers need a certificate to trust the vCenter.
From the vCenter where we added the KMS server
When we download the certificate from the KMS, make sure that it is not encrypted with a password. For example, if you create a user, create it without a password and download the certificate for that KMS user.
Check that the Connection Status of the KMS is Normal:
Create a virtual machine
Once the VM has been created, right-click on the virtual machine and choose VM Policies → Edit VM Storage Policies.
Select the VM files and other hard disks that need to be encrypted.
Make sure that the tasks are performed without errors.
If the KMS is not configured correctly and there are problems with the key exchange between vCenter and KMS, the task fails with a RuntimeFault error and the error message "Cannot generate Key".
For vMotion, encryption works at the VM level and for synchronization, 256-bit encryption keys are used.
vMotion traffic encryption works at the VM kernel level with the widely used AES-GCM (Advanced Encryption Standard / Galois Counter Mode) algorithm.
Modify the virtual machine and navigate to
We must select the options explicitly if we need encrypted vMotion.
There are 3 policies for encrypted vMotion:
The movement of machines between hosts is achieved by exchanging unique keys, which are generated and served by the vCenter server, rather than by KMS.
Join our community of users on https://community.ovh.com/en/.