Learn how to configure the OVHcloud Key Management System (KMS) with Nutanix on OVHcloud.
Nutanix provides two options for securing data at rest:
- Self-Encrypted Drives (SEDs)
- Software-only encryption, which offers key-based access management through either the cluster's native key manager or an external key management system (KMS).
By following this guide, you will learn how to leverage Nutanix's data-at-rest encryption capabilities using the OVHcloud KMS.
Requirements
- A valid OVHcloud KMS key in your OVHcloud account (see this guide for instructions)
- A Nutanix on OVHcloud cluster in your OVHcloud account
- The cluster must be compatible with Data-At-Rest Encryption. Please confirm this with your OVHcloud sales representative or with the support teams.
- A Nutanix license that supports the Data-At-Rest Encryption feature.
- Access to the Nutanix cluster via Prism Central/Prism Element
- Compliance with Nutanix’s feature guidelines (e.g., Nutanix Security Guide and Nutanix KMS Compatibility Matrix)
Instructions
Step 1 - Access Prism Central and Prism Element
Log in to Prism Central (see full instructions here).
Navigate to Prism Element by clicking your cluster in the Cluster Quick Access panel.
Select Home and choose Settings.
Step 2 - Configure Data-at-Rest Encryption
Scroll to the Security section and click Data-at-rest Encryption.
Click on Edit Configuration.
Complete all fields and supply the requested files while scrolling through the following page.
Click each tab below for more information on each section.
Select an encryption type based on your service and license compatibility. See the requirements section for more information.
Select An external KMS.
Enter your configuration details to generate the Certificate Signing Request (CSR).
NOTE: This is required to complete this process.
Click Save CSR Info and then click Download CSRs. Take note of where the file is saved on your computer.
You will need to generate Access Certificates for each node in your cluster using the CSRs you downloaded. See our Getting started with Key Management Services guide for full instructions.
Click Add New Key Management Server.
Enter a Name, Address, and Port for your KMS service and click Save.
To retrieve the Address and Port:
From the OVHcloud Control Panel, navigate to the Hosted Private Cloud tab. In the left-hand menu, select Identity, Security & Operations, then Key Management Service, and then your KMS service. In the General information tab, copy the KMIP.
Click on Manage Certificates.
Upload the Access Certificates for each of the nodes on your cluster by clicking Upload Files, selecting your file(s), and clicking Submit.
If you are unsure how to make Access Certificates, see the information in the Certificate Signing Request Information tab.
Click Add New Certificate Authority.
On the next screen, name and upload a Certificate Authority file with a .cert extension.
To retrieve the Certificate Authority:
- From the OVHcloud Control Panel, copy the Id for your KMS service.
- From the OVHcloud API, run the following API call.
Parameters
- okmsId: retrieved in the previous step
- publicCA: set to "true"
- Save the "publicCA" line of the results as a text file.
- Convert the .txt into the correct format. The text file will need to be edited so that all instances of the literal \n sequence are replaced with actual line breaks. Once that process is complete, change the file extension to .cert.
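The conversion step above, as an added example (not part of the original guide or of OVHcloud tooling): a Python function that turns the saved "publicCA" line into PEM text with real line breaks and checks that each block decodes to DER data before the file is given its .cert extension. The sample input is constructed placeholder data, and the output file name okms-ca.cert is an assumption.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)


def public_ca_to_pem(saved_text: str) -> str:
    """Turn the saved "publicCA" line into PEM text with real line breaks."""
    text = saved_text.strip().rstrip(",")
    # Accept either the whole '"publicCA": "..."' line or only its value.
    match = re.search(r'"publicCA"\s*:\s*("(?:[^"\\]|\\.)*")', text)
    if match:
        value = json.loads(match.group(1))  # JSON decoding resolves \n escapes
    else:
        value = text.strip('"').replace("\\n", "\n")
    value = value.replace("\r\n", "\n").strip() + "\n"

    blocks = PEM_BLOCK.findall(value)
    if not blocks:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    for body in blocks:
        # Raises ValueError (binascii.Error) on stray characters or bad padding.
        der = base64.b64decode("".join(body.split()), validate=True)
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("decoded block is not DER-encoded data")
    return value


def constructed_sample() -> str:
    """Constructed input: placeholder bytes, not a real OVHcloud CA."""
    fake_der = b"\x30\x82\x01\x0a" + bytes(range(60))
    b64 = base64.b64encode(fake_der).decode()
    body = "\\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ('  "publicCA": "-----BEGIN CERTIFICATE-----\\n' + body
            + '\\n-----END CERTIFICATE-----\\n",')


if __name__ == "__main__":
    pem = public_ca_to_pem(constructed_sample())
    # Hypothetical output name; any name with a .cert extension works.
    with open("okms-ca.cert", "w", newline="\n") as fh:
        fh.write(pem)
    print(pem)
```

A ValueError here means the file would not be a usable certificate; re-copy the "publicCA" value from the API result before uploading.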
Step 3 - Test and Enable Encryption
Back at the Key Management Server menu, click Manage Certificates again.
Test all nodes in the cluster.
If the test is successful, you can now enable encryption for your Nutanix cluster.
You can enable both software encryption and Self-Encrypting Drives (SEDs).
Go Further
- Nutanix Security Guide for Data-at-Rest Encryption
- Getting started with OVHcloud Key Management Service (KMS)
- Nutanix Compatibility Matrix