Environment
- Carbon Black Cloud Workload Appliance: All Supported Versions
- vCenter Server: All Supported Versions
Objective
To encrypt the VMware Carbon Black Workload Appliance VM
Resolution
- Ensure prerequisites are met:
- Add KMS to vCenter Server:
- Navigate to Configure > Security > Key Providers
- Click "Add Standard Key Provider" add add the server address/port number
- Enable trust between KMS and vCenter:
- Confirm ESX host has encryption mode enabled under Configure > System > Security Profile
- Power the Carbon Black Workload Appliance off
- Encrypt the VM by navigating to Configure > Policies > select "VM Encryption Policy"
- On the Appliance VM "Summary" tab, there should now be a lock logo next to the Linux logo
- Power the Appliance back on
Additional Notes
- After encrypting the appliance VM, any attempts to migrate VM to another VC (Which does not have KMS cluster Authentication) will error. Only migrations of this VM to another ESX under same VC (or VC with same kms authentication) it will migrate.
- To encrypt any new appliances, select "Encrypt this Virtual Machine" while deploying the OVF Template. This option will be on the "Select Storage" section.
- If error "Storage profile is only supported when the target resource pool is backed by a cluster." is presented while creating newly encrypted appliance VM, move the ESXI host under existing cluster, or create a new cluster in VC.
- If error "The VMware vSphere with Operation Management 6 Enterprise license for Host “1.2.3.4” does not include “Vsphere VM Encryption”. Upgrade the license." is presented, you will need to upgrade your license to resolve this.
- For further assistance please contact VMware Support
Related Content
