vCenter Server
Only vCenter Server has credentials for logging in to the KMS. The ESXi hosts do not have those credentials. The vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts. The vCenter Server does not store the KMS keys; it keeps only a list of key IDs.

The vCenter Server checks the privileges of users who perform cryptographic operations. You can use the vSphere Client to assign cryptographic privileges or to assign the No cryptography administrator custom role to groups of users. See Prerequisites and Required Privileges for Encryption Tasks.

The vCenter Server adds cryptography events to the list of events that you can view and export from the vSphere Client Event Console. Each event includes the user, time, key ID, and cryptographic operation.
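
One way to review an exported list of cryptography events, shown as an added example that is not VMware code. It assumes the export has been saved as CSV with columns named user, time, key_id and operation (assumed names matching the four fields listed above); the sample rows, user names and key IDs are constructed.

```python
import csv
import io
from collections import namedtuple

# Constructed sample export. Column names are assumptions that mirror the four
# fields each cryptography event carries: user, time, key ID, operation.
SAMPLE_EXPORT = """user,time,key_id,operation
crypto-admin@vsphere.local,2024-03-01T09:15:00Z,key-0001,encrypt
ops-user@vsphere.local,2024-03-01T23:40:00Z,key-0001,decrypt
Crypto-Admin@vsphere.local,2024-03-02T10:05:00Z,key-9999,rekey
"""

REQUIRED_COLUMNS = {"user", "time", "key_id", "operation"}
Finding = namedtuple("Finding", "time user key_id operation reason")


def audit_crypto_events(export_text, approved_users, known_key_ids):
    """Flag events by users outside the approved cryptography group and
    events that reference a key ID missing from the vCenter key ID list."""
    reader = csv.DictReader(io.StringIO(export_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError("export lacks columns: " + ", ".join(sorted(missing)))

    approved = {u.lower() for u in approved_users}
    findings = []
    for row in reader:
        user = row["user"].strip()
        key_id = row["key_id"].strip()
        reasons = []
        # User names are compared case-insensitively to avoid false positives.
        if user.lower() not in approved:
            reasons.append("user lacks cryptographic privileges")
        if key_id not in known_key_ids:
            reasons.append("key ID not in vCenter key ID list")
        for reason in reasons:
            findings.append(Finding(row["time"].strip(), user, key_id,
                                    row["operation"].strip(), reason))
    return findings


if __name__ == "__main__":
    for f in audit_crypto_events(SAMPLE_EXPORT,
                                 approved_users={"crypto-admin@vsphere.local"},
                                 known_key_ids={"key-0001"}):
        print(f.time, f.user, f.operation, f.key_id, "->", f.reason)
```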