I understand the host holds the KEK and the Host key in its key cache in memory.
I would like to ask if there is a way to check the key itself in the key cache?
I am doing an evaluation of adding a host into an encryption-enabled vSAN cluster.
I know that if I don't restart this host, the host will not request the key from the KMS.
So I'd like to check that the key is really not in the key cache, then restart the host and see if the key is in the key cache.
Welcome to Communities.
KEK ID, Host Key ID and KMS info can be retrieved from /etc/vmware/esx.conf on the host:
When you add a host to an encryption-enabled vSAN cluster, vSAN checks the drives to see if they are "stamped" for encryption. If they were previously on the cluster and have the same information, then the host is added to the cluster. If it is a new host and the drives were not stamped for encryption on this cluster, the drives will go through a Disk Format Change, a Data Encryption Key (DEK) will be created and wrapped with the KEK from the KMS. At this point you will see the drives participating in vSAN.
The file-based persistence (esx.conf) is still available on previous versions of vSAN, but newer versions have moved to a database-based persistence (config-store) for such information. Blog post pending on this topic...
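As an added example (not part of the original thread), a small parser for esx.conf-style `/path/key = "value"` lines that pulls out the KEK ID, Host Key ID and KMS entries the answer refers to. The key paths in the constructed sample are placeholders, not the real esx.conf paths, and note that the file holds key identifiers and KMS addresses, not key material.

```python
import re
from typing import Dict, Iterable

# esx.conf is a flat text file whose lines have the shape:  /path/to/key = "value"
_LINE = re.compile(r'^\s*(/\S+)\s*=\s*"(.*)"\s*$')

def parse_esx_conf(text: str) -> Dict[str, str]:
    """Parse esx.conf-style text into a {key_path: value} dict, skipping blanks and comments."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries

def encryption_entries(entries: Dict[str, str],
                       patterns: Iterable[str] = ("kek", "hostkey", "kmip", "kms")) -> Dict[str, str]:
    """Keep only entries whose key path mentions the KEK, host key or KMS (case-insensitive)."""
    return {k: v for k, v in entries.items()
            if any(p in k.lower() for p in patterns)}

# Constructed sample: the key paths below are placeholders, not real esx.conf paths.
SAMPLE_ESX_CONF = """\
# constructed sample, placeholder paths
/adv/Misc/HostName = "esx01.example.test"
/vsan/encryption/kekId = "KEK-ID-PLACEHOLDER"
/vsan/encryption/hostKeyId = "HOSTKEY-ID-PLACEHOLDER"
/vsan/kmip/server/0/address = "kms01.example.test"
/vsan/kmip/server/0/port = "5696"
/net/vswitch/child[0000]/name = "vSwitch0"
"""

def report(text: str) -> Dict[str, str]:
    """Parse text and return only the encryption-related entries."""
    return encryption_entries(parse_esx_conf(text))

if __name__ == "__main__":
    try:
        with open("/etc/vmware/esx.conf") as fh:   # real file when run on an ESXi host
            data = fh.read()
    except OSError:
        data = SAMPLE_ESX_CONF                    # fall back to the constructed sample
    for key, value in sorted(report(data).items()):
        print(f"{key} = {value}")
```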