VMware Cloud Community
n0nuf
Contributor

What KEK Identifier is my ESXi Host using?

Good morning.

We are running VMware v6.7U3Q vCenter and ESXi 6.7.0 v19195723 and using a Thales SafeNet G460 v8.15.0 as a KMS Server using the KMIP protocol to provide KEKs to vCenter to encrypt the ESXi DEKs, as our security standards require vTPM/VBS on our Windows Server 2019 VMs. We are NOT encrypting the actual VMDK (virtual disk) files.

KEK = Key Encryption Key

DEK = Data Encryption Key

This process only encrypts a portion of the VM VMX configuration files, nvram, swap and crash dump files.

If I look in a VM's VMX file, near the bottom, I can see which KEK identifier the G460 has given to a particular VM. What I can't find is which KEK identifier the G460 is giving vCenter and which KEK identifier the G460 is giving to a physical ESXi host server; ESXi supposedly only stores the KEK in memory and does NOT write it to disk. I >NEED< to know how to find which G460 KEK identifiers are given to which host device (and vCenter if applicable), so that in the event something else bites the dust in the future I'll have some idea of what's assigned to what.

If you can dig up some information on which commands / dialogs would provide this information that would be very helpful.

Thank you for your time and have a great day!

-Scott
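The post notes that each encrypted VM's VMX file records the KEK identifier near the bottom. The following added example (not from the original post or from VMware) builds a KEK-to-VM inventory from VMX contents and flags VMs that declare a vTPM without any encryption keys; the `encryption.keySafe` key name, the constructed VMX snippets and the `KEK-ID-PLACEHOLDER-*` values are assumptions, and real VMX files would be read from the datastore instead.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample VMX contents (not from the post). The encryption.keySafe
# key name and the KEK identifiers are assumptions / placeholders.
SAMPLE_VMX: Dict[str, str] = {
    "win2019-app01": 'displayName = "win2019-app01"\nvtpm.present = "TRUE"\n'
                     'encryption.keySafe = "KEK-ID-PLACEHOLDER-A"\n',
    "win2019-app02": 'displayName = "win2019-app02"\nvtpm.present = "TRUE"\n'
                     'encryption.keySafe = "KEK-ID-PLACEHOLDER-A"\n',
    "win2019-db01":  'displayName = "win2019-db01"\nvtpm.present = "TRUE"\n'
                     'encryption.keySafe = "KEK-ID-PLACEHOLDER-B"\n',
    # vTPM declared but no encryption.* keys: inconsistent, worth flagging
    "win2019-legacy": 'displayName = "win2019-legacy"\nvtpm.present = "TRUE"\n',
}

# VMX lines have the form  key = "value"  (keys may start with a dot)
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse VMX key = "value" lines into a dict; blank and comment lines are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def kek_inventory(vmx_files: Dict[str, str],
                  kek_key: str = "encryption.keySafe") -> Dict[str, List[str]]:
    """Group VM names by the KEK identifier recorded in their VMX file."""
    by_kek: Dict[str, List[str]] = defaultdict(list)
    for name, text in sorted(vmx_files.items()):
        cfg = parse_vmx(text)
        by_kek[cfg.get(kek_key, "<no KEK recorded>")].append(name)
    return dict(by_kek)


def vtpm_without_encryption(vmx_files: Dict[str, str]) -> List[str]:
    """VMs with vtpm.present = TRUE but no encryption.* keys (vTPM needs VM encryption)."""
    flagged: List[str] = []
    for name, text in sorted(vmx_files.items()):
        cfg = parse_vmx(text)
        has_enc = any(k.startswith("encryption.") for k in cfg)
        if cfg.get("vtpm.present", "").upper() == "TRUE" and not has_enc:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for kek, vms in kek_inventory(SAMPLE_VMX).items():
        print(f"{kek}: {', '.join(vms)}")
    print("vTPM without encryption:", vtpm_without_encryption(SAMPLE_VMX))
```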
