How It Works
The ESXi host (managed by vCenter) generates and uses an internal key, called the data encryption key (DEK), to encrypt virtual machines and disks. The vCenter server then requests a key from HyTrust KeyControl. This key, known as the key encryption key (KEK), is then used to encrypt the DEK. vCenter Server stores only the each DEK, but the KEK wraps the DEK to protect it. HyTrust is the only VMware-approved KMIP vendor that VMware has invested in—ensuring a smooth customer experience.