EdSp
Enthusiast

Changing from NKP to external KMS

Hi,

If we start our vSAN cluster encryption using the native key provider (NKP), can I later switch to an external KMS?
What would be the procedure for that? 

Thanks,
Ed

Accepted Solutions
TheBobkin
VMware Employee

@EdSp, NKP is basically just another (local-only) key-provider here and hence, yes, you should be able to change this to another key-provider later if you needed to.
This should be just a case of changing the key-provider as you would when changing from one KMS to another.

EdSp
Enthusiast

Hi, thank you @TheBobkin. Just to confirm 🙂

Yes, I have done some limited testing with this, swapping (with DARE on the vSAN) from NKP to CloudLink KMS and vice versa.

It does seem to have no impact on any workload and is very easy to do.

Note I did not apply or test with VM level encryption, just vSAN encryption.
