In the past, I’ve written a few posts about vSAN Data-at-Rest Encryption, which became available with vSAN 6.6. You can find those posts here. In vSAN version 7.0U1 there is a new option for encryption, Data-In-Transit Encryption. So what is the difference? Can I only choose one or both? Let’s find out. vSAN Data … Continue reading vSAN Encryption at Rest & In Transit: What is the difference?
A few years ago I wrote a blog post about “Replacing vCenter with vSAN Encryption Enabled”. For this particular exercise, one key piece of information that needed to be retrieved was the kmipClusterId. A couple of things have changed since then in newer versions of vSAN. Change #1: ESXCLI commands An easier way to retrieve this … Continue reading vSAN Encryption KMS info retrieval
I’ve written a few blog posts in the past about vSAN Data at Rest Encryption (D@RE). These posts explain how encryption works, and how the keys are handed over to vSphere. Go here for more info. For vSAN D@RE to work properly, ESXi hosts need to be able to reach the KMS cluster during reboot operations. … Continue reading What’s new on vSAN Encryption 6.7 U1?
In previous posts, I talked about vSAN Encryption architecture and how to enable the feature. However, there are a couple of considerations aside from the requirements that should be taken into account prior to enabling vSAN Encryption. BIOS Settings: With most deployments, whether it is vSphere or vSAN, I’ve noticed that BIOS settings are often … Continue reading Considerations when Enabling vSAN Encryption
In my previous post, I talked about vSAN Encryption configuration and key re-generation, among other topics. In that post you can see that there is a trust relationship between vCenter and the KMS server/cluster. But what happens if my vCenter dies, gets corrupted, or I simply want to build a new vCenter and migrate my … Continue reading Replacing vCenter with vSAN Encryption Enabled