Part 1: HyTrust DataControl – Data at Rest encryption (in guest) on VMware Cloud on AWS

HyTrust DataControl® provides encryption and key management for virtual machines located in data centers or private, public, or hybrid clouds. DataControl works with:

  • VMware vSphere
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • IBM Bluemix

DataControl consists of two main components:

1) HyTrust KeyControl (KeyControl)

KeyControl stores encryption keys, policies, and configuration for any number of virtual machines with the HyTrust DataControl Policy Agent installed. You can configure KeyControl directly through the browser-based KeyControl webGUI using HTTPS, or remotely through the hicli command line interface (CLI) or a set of REST-based APIs.
You can install multiple KeyControl nodes in an active-active cluster to provide load balancing and high availability support. Because this is an active-active cluster, you can make changes to the settings on any KeyControl node in the cluster and those changes are immediately reflected on all KeyControl nodes in the cluster.

2) HyTrust DataControl Policy Agent (Policy Agent)

A software module that runs inside Windows and most Linux operating systems that provides encryption of virtual disks, filesystems, and individual files. All VMs that have the Policy Agent installed can also securely share encrypted files and disks as long as those VMs are registered with the same Cloud VM Set. You must install a copy of the Policy Agent on each VM you want to encrypt with DataControl.

The following figure provides a high-level view of the main architectural components of HyTrustDataControl.

main architectural components

In this document we are going to see how HyTrust DataControl can be leveraged in VMware Cloud on AWS to provide data at rest encryption of virtual disks attached to VMs running a Windows or Linux guest operating system. The DataControl policy agent supports 64-bit versions of the Linux and Windows platforms listed below:

Platforms Supported for Data Encryption

The administration guide is available online at the following URL :

HyTrustDataControl Administration Guide

Deploy HyTrust KeyControl Appliance

For the purpose of this PoC, we downloaded a 30-dayevaluation version of HyTrustDataControl 4.3.2 from the link below:

HyTrustDataControl Software Download

NB. The above URL will always point to the latest release of HyTrust DataControl.

Please follow the on-screen instructions if asked to register for the 30-day evaluation.

Download the “” file, uncompress it to a folder and then follow the steps below to deploy the OVA into vCenter :

1) Login to the VMC vCenter Portal and right click the “Compute-ResourcePool” and click “Deploy OVF Template” . This will open up the window as shown below:

Deploy OVF Template

2) Select “Local file” and then click “Choose Files” and select all the files as shown below from the uncompressed folder.

Choose Files

3) Click “Next” after selecting the files and a name for the Virtual Machine. In our case, we decided to leave it to default as shown in the picture below.


4) While deploying in VMC, please select the “Compute-ResourcePool” as the compute resource and then click NEXT.


5) The screen below shows a summary of the resource requirements and the defaults for each one of them selected as part of the OVF package deployment. Please review the fields and click “NEXT”.

OVF package deployment

– There are 3 options for the size of the HyTrustKeyControl Appliance deployment:


NB. For further details and precise sizing of the appliance, please consult HyTrust and VMware.

6) We selected the “Recommended” option as shown in the screenshot below which corresponds to the Standard Installation in the table above. Click “NEXT” after you have selected the option as “Recommended”.


7) Select the “WorkloadDatastore” on the “Select storage” screen and click “NEXT”.


8) On the “Select networks” screen, select an appropriate network segment from the dropdown where you wish to deploy your HyTrust appliance and then click “NEXT”. It is mandatory to provide a static IP address to the KeyControlappliance as VMs running the Policy Agent will communicate to it over network port 443 at an interval of every 5 minutes by default, this parameter is referred to as the heartbeat.

Select networks

9) On the Customize template screen, please provide the following details:

  • KeyControl system IP address
  • KeyControl system hostname
  • Domain Name
  • Netmask
  • Gateway
  • DNS Server List
  • NTP Server List (Populates to the default public NTP servers)

After providing the above details hit “NEXT”.

Customize template

10) Review the summary of the deployment on the next screen and submit it for the appliance deployment.

Deploy HyTrust KeyControl Appliance

After the KeyControlVM deployment has completed, please power on the appliance and using a web browser navigate to https://< KeyControl VM IP > as shown below : –


 If logging in for the first time, the default username and password is secroot/secroot. To initialize the KeyControl web GUI complete the short setup wizard which covers the following : –

1. Review and Accept the Software EULA
2. Set a new password for the “secroot” user
3. (Optional) Enable E-mail and Mail Server Settings
4. (Optional) Enable Automatic Vitals Reporting

After successfully logging in you will land on the “SECURITY” tab as shown below : –


For High Availability we recommend at a minimum that a second KeyControl appliance be deployed and joined to the existing appliance to form a 2 node cluster.

Please see Adding a New KeyControl Node to an Existing Cluster (OVA Install).

Before encrypting the first VM we need to create a new Cloud VM Set. A Cloud VM Set is a logical grouping of related VMs, such as “Production VMs,” “Development VMs,” and “PCI VMs”. When you register a new VM with KeyControl, you must assign that VM to a Cloud VM Set before the data can be encrypted.

  1. Log in to the KeyControl web GUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click Cloud.
  3. Select Actions > Create New Cloud VM Set.
  4. On the VM Set tab:
         a) Enter a name for the Cloud VM Set.
         b) Select the group to which this set should belong.
         c) Optionally enter a description for the set.

If you want to specify additional options, click the Additional Properties tab to specify the options you want to use.

If you want to specify when the VMs in the Cloud VM Set need to be re-authenticated, click the Reauthentication Settings tab and specify the options you want to use.

When you have finished specifying the Cloud VM Set options, click Create.

When you see the Cloud VM Set Successfully Created message, click Close.


We also define a KeyControl Mapping, a mapping lets you create a list of KeyControl IP addresses that you maintain in KeyControl. Each KeyControl node in the Mapping is associated with an externally-visible IP address or hostname that the VMs can use to access that KeyControl node. If you ever change the list of KeyControl nodes in the Mapping, KeyControl automatically disseminates the changes to the each associated VM at its next heartbeat.

Associating a Mapping with a VM enables High Availability between the VM and KeyControl by enabling failover among the KeyControl nodes, and it means you do not need to update the individual VMs when KeyControl nodes are added to, or removed from, the cluster.


  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click Cloud.
  3. Click the Mappings tab.
  4. Select Actions > Create Mapping.
  5. On the Mapping tab, specify the options you want to use.

6) When you are done, click Next.
7) On the Servers tab, create an entry for the first KeyControl node by specifying the options you want to use.


8. If you want to add another node, click the + button and enter the appropriate information.
9. When you are done adding nodes, make sure that the order is correct because the order of the IP addresses in the list determines the order of precedence. The first node in a KeyControl Mapping is considered the preferred node, and all VMs will use that node as long as it is available. If the preferred node is offline when a VM heartbeat, the VM will try the other IP addresses in the Mapping, starting with the second IP address in the list and working downwards.

Once the VM finds an available KeyControl node, it will use that node to complete the current heartbeat, and it will continue to use that node until the cluster returns to a healthy state. After the cluster becomes healthy, the VM will resume using the preferred node at its next heartbeat. If you need to change the order, click and hold on the arrow icon at the beginning of the line to drag the entry to the proper position. Release the mouse to drop the entry in the new location.
10. When all nodes are included and the order is correct, click Create.
11. At the Mapping Successfully Created message, click Close.


Submit a Comment

Your email address will not be published. Required fields are marked *

Related Articles