Quick Tip - Which vCenter Server Key Provider (KMS) is a VM using?

03.27.2025 by William Lam // 2 Comments

vCenter Server requires a Key Management Service (KMS) to enable VM Encryption, vTPM, or vSAN Encryption. You can configure the Native Key Provider (NKP) that is built into vCenter Server, an external KMIP-compliant KMS through the Standard Key Provider (SKP) option, or both.


If more than one key provider is configured in vCenter Server, one of them can be marked as the default, and it is then used automatically for any KMS-related operation that does not name a provider explicitly. The default can be changed at any time, and when provisioning an encrypted VM through the vSphere API you can name a specific key provider instead of relying on the default.

So how do you figure out which KMS key provider a VM is using?

For VM Encryption, you can expand the Encryption section of a VM in the vSphere UI and see the key provider it uses, as shown in the screenshot below:


For vTPM usage, the vSphere UI does NOT provide anything under the Encryption section that points to the specific KMS key provider that is used as shown in the screenshot below:


Luckily, we can use the vSphere API to retrieve the key provider for a VM that uses VM Encryption and/or vTPM by looking at the VM's config.keyId property. This is a CryptoKeyId whose providerId identifies the key provider and whose keyId identifies the key (not the key material itself) that vCenter obtained from that provider for the VM. The property is populated for both VM Encryption and vTPM-based VMs, since a vTPM requires the VM home files to be encrypted.

To demonstrate the vSphere API, I have created a very simple PowerCLI script called vm-to-kms-association.ps1 which lists all registered key providers for the connected vCenter Server and then lists all applicable VMs together with their associated key provider and keyId, as shown in the screenshot below.
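As an added example (this is not the post's vm-to-kms-association.ps1, and it is not the author's code), the following PowerCLI snippet does the same mapping through the vSphere API and goes a little further: for each VM it also reports whether a vTPM is present, how many disks carry their own encryption key, and whether the provider the VM references is still registered in vCenter Server (a VM whose key provider has been removed cannot be powered on or have its keys rotated). It assumes an existing PowerCLI session created with Connect-VIServer and read access to the CryptoManager; it relies on the public vSphere API properties CryptoManagerKmip.kmipServers, KmipClusterInfo.useNativeKeyProvider (available from vSphere 7.0 U2; on older releases every provider is reported as a Standard Key Provider), VirtualMachineConfigInfo.keyId and VirtualDeviceFileBackingInfo.keyId. The function names and the output column names are my own.

```powershell
# Added example, not William Lam's vm-to-kms-association.ps1.
# Assumes an existing PowerCLI session (Connect-VIServer) with read access
# to the CryptoManager and to the VMs being inspected.

function Get-RegisteredKeyProvider {
    # Returns every key provider registered in the connected vCenter Server,
    # keyed by provider ID (the string the vSphere UI shows as the provider name).
    $cryptoMgr = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.CryptoManager
    $providers = @{}
    foreach ($kp in $cryptoMgr.KmipServers) {
        $providers[$kp.ClusterId.Id] = [pscustomobject]@{
            Name      = $kp.ClusterId.Id
            # UseNativeKeyProvider exists from vSphere 7.0 U2 (assumption: older
            # releases return $null here and are therefore reported as Standard)
            Type      = if ($kp.UseNativeKeyProvider) { 'NativeKeyProvider' } else { 'StandardKeyProvider' }
            IsDefault = [bool]$kp.UseAsDefault
            # NKP has no external endpoints; an SKP lists its KMIP servers
            Servers   = ($kp.Servers | ForEach-Object { '{0}:{1}' -f $_.Address, $_.Port }) -join ', '
        }
    }
    return $providers
}

function Get-VmKeyProviderAssociation {
    param([string]$NameFilter = '*')   # wildcard match on the VM name

    $providers = Get-RegisteredKeyProvider

    # Fetch only the properties needed. Config.KeyId is $null for VMs that
    # use no key provider, so those are skipped up front.
    $vms = Get-View -ViewType VirtualMachine -Property Name,Config.KeyId,Config.Hardware.Device |
        Where-Object { $_.Name -like $NameFilter -and $null -ne $_.Config.KeyId }

    foreach ($vm in $vms) {
        $devices  = $vm.Config.Hardware.Device
        $hasVtpm  = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0
        # Disk encryption is tracked per disk: an encrypted VMDK has its own Backing.KeyId
        $encDisks = @($devices | Where-Object {
            $_ -is [VMware.Vim.VirtualDisk] -and $null -ne $_.Backing.KeyId }).Count

        $providerId = $vm.Config.KeyId.ProviderId.Id
        $provider   = if ($providerId -and $providers.ContainsKey($providerId)) { $providers[$providerId] } else { $null }

        [pscustomobject]@{
            VM             = $vm.Name
            KeyProvider    = $providerId
            # A referenced provider that is no longer registered is an operational risk
            ProviderType   = if ($provider) { $provider.Type } else { 'NOT REGISTERED' }
            IsDefaultKP    = if ($provider) { $provider.IsDefault } else { $false }
            KeyId          = $vm.Config.KeyId.KeyId      # key identifier only, never key material
            HasVtpm        = $hasVtpm
            EncryptedDisks = $encDisks
            Usage          = if ($encDisks -gt 0) { 'VM Encryption' }
                             elseif ($hasVtpm)    { 'vTPM (home files encrypted)' }
                             else                 { 'Home files only' }
        }
    }
}

# Usage: first the registered providers, then the VM-to-provider mapping
(Get-RegisteredKeyProvider).Values | Format-Table Name, Type, IsDefault, Servers -AutoSize
Get-VmKeyProviderAssociation | Sort-Object KeyProvider, VM | Format-Table -AutoSize
```

The keyId values that come back are identifiers, not key material, so they are safe to include in an inventory report; what you want to act on is any row whose ProviderType reads NOT REGISTERED, and any VM that still points at a provider you intended to retire after switching the default.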


Categories // Automation, PowerCLI, VCSA, vSphere Tags // KMS, TPM, VM Encryption

Comments

  1. Christopher says

    03/27/2025 at 9:50 am

    The vCenter VM summary page shows which KMS/NKP that have been used for vTPM encryption, at least in 8U3d (configuration encrypted with XXXX)

    • William Lam says

      03/27/2025 at 10:41 am

      Yup, this is mentioned in the blog post, and the vSphere API can be used to understand this at scale, especially for vTPM (which doesn't have anything in the UI).



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025
