mithrandir1030
Contributor

Key cache of vSAN encryption

I understand the host holds the KEK and host key in its key cache in memory.

I would like to ask if there is a way to check the key itself in key cache?

Background:

I am doing an evaluation of adding a host into an encryption-enabled vSAN cluster.

I know that if I don't restart this host, the host will not request the key from the KMS.

So I'd like to check that the key is really not in the key cache, then restart the host and see if the key is in the key cache.

1 Solution

Accepted Solutions
depping
Leadership

As far as I know there is no way to manually inspect this.

5 Replies
TheBobkin
VMware Employee

Hello mithrandir1030,

Welcome to Communities.

KEK ID, Host Key ID and KMS info can be retrieved from /etc/vmware/esx.conf on the host:

Understanding vSAN Encryption: Booting when vCenter is Unavailable

Bob
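As an added illustration of the point above (not code from Bob's blog or from VMware): esx.conf is a flat list of `/path/key = "value"` lines, so the identifiers can be pulled out and compared across hosts with a small parser. The entry names under `/vsan/` and all values below are constructed placeholders, not verified ESXi keys; note that only key IDs are recorded there, never the key material, which is the distinction the original question runs into.

```python
"""Parse esx.conf-style 'key = "value"' lines and extract the vSAN
encryption identifiers (KEK ID, host key ID, KMS server info).

The /vsan/... entry names are assumed placeholders for this example,
not verified ESXi configuration keys.  Only key *identifiers* are
persisted here; the key material itself is not."""
import re

# esx.conf lines have the shape:  /path/to/key = "value"
_LINE = re.compile(r'^\s*(/[^\s=]+)\s*=\s*"(.*)"\s*$')


def parse_esx_conf(text):
    """Return {key_path: value} for every well-formed line; ignore the rest."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def vsan_encryption_info(entries):
    """Keep only the vSAN-related entries (assumed prefix /vsan/)."""
    return {k: v for k, v in entries.items() if k.startswith("/vsan/")}


def kek_matches(entries, expected_kek_id):
    """Compare a host's recorded KEK ID with the cluster's KEK ID.
    A host that never fetched a KEK from the KMS has no entry at all,
    so a missing key is reported as a mismatch rather than an error."""
    return entries.get("/vsan/kekId") == expected_kek_id


# Constructed sample (not a real host's file); all values are placeholders.
SAMPLE = '''
/adv/Misc/HostName = "esx01"
/vsan/kekId = "KEK-ID-PLACEHOLDER-0001"
/vsan/hostKeyId = "HOSTKEY-ID-PLACEHOLDER-0001"
/vsan/kmipServer/child[0000]/address = "kms.example.invalid"
/vsan/kmipServer/child[0000]/port = "5696"
/net/pnic/child[0000]/name = "vmnic0"
'''

if __name__ == "__main__":
    conf = parse_esx_conf(SAMPLE)
    for key, value in sorted(vsan_encryption_info(conf).items()):
        print(key, "=", value)
    print("KEK matches cluster:", kek_matches(conf, "KEK-ID-PLACEHOLDER-0001"))
```

On a real host the same functions would be fed the contents of /etc/vmware/esx.conf (older vSAN versions only, per the reply below about config-store).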

GreatWhiteTec
VMware Employee

When you add a host to an encryption-enabled vSAN cluster, vSAN checks the drives to see if they are "stamped" for encryption. If they were previously on the cluster and have the same information, then the host is added to the cluster. If it is a new host and the drives were not stamped for encryption on this cluster, the drives will go through a Disk Format Change, a Data Encryption Key (DEK) will be created and wrapped with the KEK from the KMS. At this point you will see the drives participating in vSAN.

The file-based persistence (esx.conf) is still available on previous versions of vSAN, but newer versions have moved to a database-based persistence (config-store) for such information. Blog post pending on this topic...

mithrandir1030
Contributor

Thanks.

mithrandir1030
Contributor

Thanks. But what I'm looking for is not key ID but key itself.
