Hi,
If we start our vSAN cluster encryption using the native key provider (NKP), can I later switch to an external KMS?
What would be the procedure for that?
Thanks,
Ed
@EdSp, NKP is basically just another (local-only) key-provider here and hence, yes, you should be able to change this to another key-provider later if you needed to.
This should be just a case of changing the key-provider as you would when changing from one KMS to another.
Hi, thank you @TheBobkin. Just to confirm 🙂
Yes, I have done some limited testing with this, swapping (with DARE on the vSAN) from NKP to CloudLink KMS and vice versa.
It does seem to be having no impact on any workload and is very easy to do.
Note I did not apply or test with VM level encryption, just vSAN encryption.