VMware Cloud Community
pdx99
Contributor

Method to generate new KEK

I'm working with VMware 6.7 using HyTrust KeyControl as a KMS/KMIP server. I need to identify a method for expiring and renewing KEKs on some regular basis. HyTrust KeyControl doesn't have any such method, which is understandable since the HyTrust KMS doesn't really know anything about VMs, and interacts with vCenter.

As far as vCenter goes, the only thing I've found that looks "built-in" is an option apparently available in the web client when encrypting vSAN - which we aren't doing.

As far as expiring/generating a new KEK - or DEK - when using VM encryption, all I've found is the ability to do a deep rekey (regenerate a DEK) and a shallow rekey (regenerate a KEK). The shallow rekey appears to only be an option when migrating to a different KMS/KMS cluster. And - as far as I've been able to determine so far - this rekey ability is only possible if using the PowerCLI VMware.Encryption module from 2016, which I don't think VMware supports.

Is there KEK-related functionality that I'm not finding? Such as the ability to set an expiration date on the KEK, regenerate a new KEK some other way than a module from 2016, etc.?

Thanks

0 Replies
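The shallow and deep rekeys the post refers to are not specific to the 2016 community module; that module is a wrapper over the vSphere API, which exposes them directly. A rekey is a normal VM reconfigure whose `VirtualMachineConfigSpec.Crypto` is a `CryptoSpecShallowRecrypt` (new KEK, the existing DEK is rewrapped and no disk data is rewritten) or a `CryptoSpecDeepRecrypt` (new KEK and new DEK, all encrypted data is rewritten, which is why the VM must be powered off). The new KEK is requested from the KMS cluster through `CryptoManagerKmip.GenerateKey`, so rotation is driven from vCenter and the KMS never needs to know about VMs. The script below is an added example, not code from the original post or from the VMware module; it calls those API objects from PowerCLI using `Get-View`. It assumes PowerCLI is installed, `Connect-VIServer` has already been run, and the VM name and KMS cluster name (the key provider id as shown in vCenter) are the placeholder values in the `param` block.

```powershell
# Added example (not from the original post): rotate the KEK of an encrypted VM
# by calling the vSphere API directly from PowerCLI, no community module needed.
# Assumes PowerCLI is loaded and Connect-VIServer has already succeeded.
# $VMName and $KmsClusterId are placeholders for your own environment.
param(
    [string]$VMName       = 'encrypted-vm-01',   # placeholder VM name
    [string]$KmsClusterId = 'hytrust-cluster',   # placeholder: KMS cluster name as configured in vCenter
    [switch]$Deep                                # also regenerate the DEK (VM must be powered off)
)

$vm     = Get-VM -Name $VMName
$vmView = Get-View -Id $vm.Id -Property Name, Runtime.PowerState, Config.KeyId

# Config.KeyId is only populated on an encrypted VM; refuse to "rekey" a clear-text one.
if (-not $vmView.Config.KeyId) {
    throw "$VMName is not encrypted; there is no KEK to rotate."
}

# vCenter's CryptoManager is a CryptoManagerKmip. GenerateKey asks the named
# KMS cluster for a fresh key; that key becomes the VM's new KEK.
$si = Get-View ServiceInstance
$cm = Get-View -Id $si.Content.CryptoManager

$provider    = New-Object VMware.Vim.KeyProviderId
$provider.Id = $KmsClusterId
$result      = $cm.GenerateKey($provider)
if (-not $result.Success) {
    throw "KMS cluster '$KmsClusterId' did not generate a key: $($result.Reason)"
}

Write-Host ("Current KEK id: {0}" -f $vmView.Config.KeyId.KeyId)
Write-Host ("New KEK id:     {0}" -f $result.KeyId.KeyId)

# Shallow recrypt: new KEK only, DEK is rewrapped, disks are untouched.
# Deep recrypt:    new KEK and new DEK, every encrypted byte is rewritten,
#                  so vCenter requires the VM to be powered off.
if ($Deep) {
    if ($vmView.Runtime.PowerState -ne 'poweredOff') {
        throw 'Deep recrypt rewrites the disks and requires the VM to be powered off.'
    }
    $crypto = New-Object VMware.Vim.CryptoSpecDeepRecrypt
} else {
    $crypto = New-Object VMware.Vim.CryptoSpecShallowRecrypt
}
$crypto.NewKeyId = $result.KeyId

$spec        = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Crypto = $crypto

# ReconfigVM (the synchronous form of ReconfigVM_Task) blocks until the rekey finishes.
$vmView.ReconfigVM($spec)

# Verify against vCenter rather than trusting the task result: re-read the key id.
$vmView.UpdateViewData('Config.KeyId')
if ($vmView.Config.KeyId.KeyId -ne $result.KeyId.KeyId) {
    throw 'Rekey completed but the VM still reports the previous KEK id.'
}
Write-Host "$VMName now uses KEK $($vmView.Config.KeyId.KeyId) from provider $($vmView.Config.KeyId.ProviderId.Id)"
```

Two practical caveats. The shallow recrypt works against the same KMS cluster the VM already uses; the "different KMS cluster" case is simply the same spec with a key generated from another provider id. And the rekey does not retire anything on the KMS side: the old KEK is still a valid key in KeyControl, so expiring it is a separate step taken on the KMS only after every VM (and every vSphere host that cached it) has been moved to a new key, which you can confirm by listing each VM's `Config.KeyId` before revoking.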