A few years ago I wrote a blog post about “Replacing vCenter with vSAN Encryption Enabled”. For this particular exercise, one key piece of information that needed to be retrieved was the kmipClusterId. A couple of things have changed since then in newer versions of vSAN. Change #1: ESXCLI commands. An easier way to retrieve this … Continue reading vSAN Encryption KMS info retrieval
I’ve written a few blog posts in the past about vSAN Data at Rest Encryption (D@RE). These posts explain how encryption works, and how the keys are handed over to vSphere. Go here for more info. For vSAN D@RE to work properly, ESXi hosts need to be able to reach the KMS cluster during reboot operations. … Continue reading What’s new on vSAN Encryption 6.7 U1?
In previous posts, I talked about vSAN Encryption architecture and how to enable the feature. However, there are a couple of considerations aside from the requirements that should be taken into account prior to enabling vSAN Encryption. BIOS Settings: With most deployments, whether vSphere or vSAN, I’ve noticed that BIOS settings are often … Continue reading Considerations when Enabling vSAN Encryption
In my previous post, I talked about vSAN Encryption configuration and key re-generation, among other topics. In that post you can see that there is a trust relationship between vCenter and the KMS server/cluster. But what happens if my vCenter dies, gets corrupted, or I simply want to build a new vCenter and migrate my … Continue reading Replacing vCenter with vSAN Encryption Enabled
New in vSAN 6.6, native encryption for data at rest is now available. This feature does not require self-encrypting drives (SEDs). Encryption is supported on both all-flash and hybrid configurations of vSAN, and it is done at the datastore level. It is important to note that data is encrypted during the de-staging process, which … Continue reading vSAN 6.6 Encryption Configuration