Configuring vSAN encryption using CipherTrust Manager
To encrypt data at rest using vSAN encryption, one option is to switch your
active key management service (KMS) to an external one. Thales CipherTrust Manager
is an external KMS solution that's KMIP 1.1 compliant and certified by VMware for
vSAN.
For information about the default vSAN encryption behavior of
Google Cloud VMware Engine, see About vSAN encryption.
Before you begin
To use the command-line examples in the CipherTrust Manager guide, you must
install or update to the latest version of the Google Cloud CLI.
Setting up VMware Engine with CipherTrust Manager involves the
following major steps:
1. Access and install a CipherTrust Manager image on a Compute Engine VM.
2. In CipherTrust Manager, configure network details and assign users to a
   key management domain.
3. Create a registration token and registered client to use when configuring the
   key management interoperability protocol (KMIP) connection to vCenter Server.
4. Register the KMIP client in Thales CipherTrust Manager using a private key and
   certificate.
5. In vCenter Server, declare CipherTrust Manager as a standard key provider.
For a full description of the steps required for this integration, see the
Thales CipherTrust Manager documentation for Google Cloud VMware Engine
(https://thalesdocs.com/ctp/ig/google/gcve/index.html).
Last updated 2025-09-04 UTC.