Skip to content

Deploying VSatellites

After you've carefully reviewed and completed all prerequisite steps, you're ready to deploy a VSatellite to your target computer.

Tenant-level encryption choice

When deploying your first VSatellite, you must choose how the Data Encryption Key (DEK) is protected:

  • Software-based DEK (default)
  • HSM-protected DEK

This is a tenant-level setting. After a VSatellite is deployed, the DEK protection mode cannot be changed unless all VSatellites are deleted.

For details about deploying with HSM-protected DEK, see Using HSM-protected DEK with VSatellites.

Deploying a VSatellite involves 3 simple steps:

  1. Download the VSatellite installer (vsatctl) onto your target computer.
  2. Run sudo ./vsatctl preflight to verify that you've met all prerequisites.
  3. Run sudo ./vsatctl install to deploy your new VSatellite.
Why are root privileges required?

The vsatctl install command installs k3s in /usr/local/bin, which is owned by the root user.

If you are installing VSatellite on RHEL, Oracle, or Rocky Linux, the vsatctl install command will install the k3s-selinux RPM package. Installing RPM packages requires root privileges.

Other vsatctl subcommands connect to the VSatellite cluster, requiring access to credentials stored in /etc/rancher/k3s/k3s.yaml. This file is only accessible to the root user.

If you are already logged in as the root user, you can omit the sudo command.

Tip

It's helpful to have both the VSatellites page open in Certificate Manager - SaaS (Settings > VSatellites) and a command line utility connected to your target computer before you begin. You'll be using both.

About the generated installation command

When you deploy a VSatellite using the installation wizard, Certificate Manager - SaaS generates an installation command that includes placeholders for required values.

For HSM-protected DEK deployments, these placeholders reference components of your HSM client installation (such as client paths, PKCS#11 libraries, and configuration files). The wizard does not validate these values. For an explanation of each HSM-related parameter and example values, see Using HSM-protected DEK with VSatellites.

To deploy a new VSatellite

  1. Sign in to Certificate Manager - SaaS.

  2. Click Configurations > VSatellites.

  3. On the VSatellites page, click New, and then follow the on-screen instructions.

Next steps