Configuring External KMS
To configure the CipherTrust Manager as an external KMS:
1. On the Nutanix VCP UI, go to Settings > Data at Rest Encryption.
2. Click Edit Configuration.
3. Scroll down to Key Management Server and perform the following steps:
   a. Click Add New Key Management Server > Add Address.
   b. Enter a name for the Key Management Server.
   c. Enter the IP address and the KMIP port of the CipherTrust Manager.
   d. Repeat the above steps for each CipherTrust Manager in the cluster.
4. Scroll down to the KMS CA Certificates section and perform the following steps:
   a. Click Add New Certificate Authority.
   b. Click Upload CA Certificate.
   c. Specify a name for the CA.
   d. Click Save.
5. Scroll down to the Key Management Server section and perform the following steps:
   a. Click Manage Certificates for the desired key management server. The Manage Signed Certificates screen is displayed.
   b. Upload the node certificates. Perform either of the following:
      - Click Upload Files and upload all the certificates at once.
      - Click the Upload link for each node separately.
   c. Test whether the certificates are correct. Perform either of the following:
      - Click Test all nodes to test the certificates for all nodes at once.
      - Click the Test CS (or Re-Test CS) link for each node separately.
   d. If the status is Verified, the integration is successful.
Now, you can verify the integration. Refer to the Verifying Your Integration section.