6.11.3
Sangfor Cloud Platform (SCP)

Key Management Service

{{ $t('productDocDetail.updateTime') }}: 2025-12-18

This section describes how an administrator encrypts a virtual machine's disks while the virtual machine is shut down. Disk encryption is typically used to strengthen the protection of important virtual machines.

Precautions:

1. Virtual machine encryption is performed on the SCP side. The user master key is stored on the SCP side, and the data key is stored on the HCI side. If communication between SCP and HCI is abnormal, an encrypted virtual machine cannot be powered on; the communication problem must be resolved before the virtual machine can be powered on.

2. An encrypted virtual machine does not support export, clone, template deployment, cross-cluster migration, migration to VMware, backup, new, or restore operations.

3. An encrypted virtual machine can be decrypted on the SCP platform.

4. For a virtual machine encrypted with KMS, if the connection between SCP and the KMS is lost, the connection between SCP and the HCI cluster is lost, or the HCI node on which the virtual machine runs is removed from SCP management, the virtual machine cannot be used once it is shut down, because no key is available to decrypt it.

5. The performance of a virtual machine with encryption enabled drops by 30%-50% compared with the unencrypted state.

6. Virtual machines with encryption enabled cannot use CDP, disaster recovery, cloning, exporting, or mirroring.

7. Encryption takes some time, and operations such as powering on are not supported while it is in progress. Perform it when the business is idle.
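The following model illustrates why precautions 1 and 4 hold. It is example code written for this page, not Sangfor's implementation: the cipher (an encrypt-then-MAC construction built from SHA-256 and HMAC, standing in for whatever SCP actually uses), the class and method names, and the sample disk bytes are all assumptions. The HCI side keeps only a data key wrapped by the master key held on the SCP side, so once the SCP/KMS link is down the wrapped key cannot be unwrapped and the virtual machine cannot be powered on.

```python
"""Illustrative model of SCP/HCI disk-encryption key handling (example code, not the product's own)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from SHA-256: a toy stand-in for a real block cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a tampered blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsUnavailable(Exception):
    """Raised when the SCP/KMS side cannot be reached (precaution 4)."""


class ScpKms:
    """SCP side: holds the user master key and never releases it to HCI."""

    def __init__(self):
        self.master_key = os.urandom(32)
        self.online = True  # models the SCP <-> HCI / SCP <-> KMS link

    def wrap(self, data_key: bytes) -> bytes:
        if not self.online:
            raise KmsUnavailable("SCP/KMS unreachable")
        return seal(self.master_key, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if not self.online:
            raise KmsUnavailable("SCP/KMS unreachable")
        return unseal(self.master_key, wrapped)


class HciVm:
    """HCI side: stores the encrypted disk and only the *wrapped* data key."""

    def __init__(self, disk: bytes):
        self.disk = disk
        self.wrapped_data_key = None  # None means an ordinary (unencrypted) VM

    def enable_disk_encryption(self, kms: ScpKms) -> None:
        # Done while the VM is shut down; wrapping fails if SCP/KMS is unreachable.
        data_key = os.urandom(32)
        self.wrapped_data_key = kms.wrap(data_key)
        self.disk = seal(data_key, self.disk)

    def power_on(self, kms: ScpKms) -> bytes:
        """Return the plaintext disk the VM boots from; needs KMS if encrypted."""
        if self.wrapped_data_key is None:
            return self.disk
        data_key = kms.unwrap(self.wrapped_data_key)  # KmsUnavailable when link is down
        return unseal(data_key, self.disk)

    def disable_disk_encryption(self, kms: ScpKms) -> None:
        data_key = kms.unwrap(self.wrapped_data_key)
        self.disk = unseal(data_key, self.disk)
        self.wrapped_data_key = None


def demo() -> str:
    """Constructed scenario: encrypt, boot, lose the KMS link, try to boot again."""
    kms = ScpKms()
    vm = HciVm(b"constructed sample disk image bytes")  # constructed sample input
    vm.enable_disk_encryption(kms)
    assert vm.power_on(kms) == b"constructed sample disk image bytes"
    kms.online = False
    try:
        vm.power_on(kms)
        return "unexpected boot"
    except KmsUnavailable:
        return "blocked"


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the HCI node never has enough on its own to decrypt the disk: the master key lives on SCP, and the data key exists on HCI only in wrapped form. That is exactly why precaution 1 says the communication fault must be fixed before the VM can be powered on, and why precaution 4 warns that a VM whose node leaves SCP management becomes unusable after shutdown.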

Prerequisite

The KMS service must be activated on SCP. It can be activated on the SCP platform.

Steps:

Step 1. Log in to the SCP platform and navigate to Resources > Management > Security. Click Add to add a KMS server to the SCP platform.


Step 2. HSM Management. On the HSMs tab, click Add.

Type: Select type A (for Sansec) or type B (for JIT).

Information: Configure the IP address, port number, and password of the HSM. Up to 10 HSMs can be added.

Step 3. Virtual Machine Encryption

Go to Compute > Virtual Machines, select the virtual machine to be encrypted, and click More > Enable Disk Encryption to convert the ordinary virtual machine into an encrypted virtual machine.


Step 4. Virtual Machine Decryption

Go to Compute > Virtual Machines, select the virtual machine to be decrypted, and click More > Disable Disk Encryption to convert the encrypted virtual machine back into an ordinary virtual machine.