Chapter 11. Enabling encryption on a vSphere cluster
You can encrypt your virtual machines after installing OpenShift Container Platform 4.16 on vSphere by draining and shutting down your nodes one at a time. While each virtual machine is shutdown, you can enable encryption in the vCenter web interface.
11.1. Encrypting virtual machines
You can encrypt your virtual machines with the following process. You can drain your virtual machines, power them down and encrypt them using the vCenter interface. Finally, you can create a storage class to use the encrypted storage.
Prerequisites
You have configured a Standard key provider in vSphere. For more information, see Adding a KMS to vCenter Server.
ImportantThe Native key provider in vCenter is not supported. For more information, see vSphere Native Key Provider Overview.
- You have enabled host encryption mode on all of the ESXi hosts that are hosting the cluster. For more information, see Enabling host encryption mode.
- You have a vSphere account which has all cryptographic privileges enabled. For more information, see Cryptographic Operations Privileges.
Procedure
- Drain and cordon one of your nodes. For detailed instructions on node management, see "Working with Nodes".
- Shutdown the virtual machine associated with that node in the vCenter interface.
-
Right-click on the virtual machine in the vCenter interface and select VM Policies
Edit VM Storage Policies. - Select an encrypted storage policy and select OK.
- Start the encrypted virtual machine in the vCenter interface.
- Repeat steps 1-5 for all nodes that you want to encrypt.
- Configure a storage class that uses the encrypted storage policy. For more information about configuring an encrypted storage class, see "VMware vSphere CSI Driver Operator".