VMware Cloud Community
mithrandir1030
Contributor

Key cache of vSAN encryption

I understand the host holds the KEK and the Host Key in its key cache in memory.

I would like to ask if there is a way to check the key itself in the key cache.

Background:

I am doing an evaluation of adding a host into an encryption-enabled vSAN cluster.

I know that if I don't restart this host, the host will not request the key from the KMS.

So I'd like to check that the key is really not in the key cache, then restart the host and see if the key is in the key cache.

depping
Leadership (accepted solution)

As far as I know there is no way to manually inspect this.

TheBobkin
Champion

Hello mithrandir1030,

Welcome to Communities.

KEK ID, Host Key ID and KMS info can be retrieved from /etc/vmware/esx.conf on the host:

Understanding vSAN Encryption: Booting when vCenter is Unavailable

Bob
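As an added example (not from this thread and not VMware's own tooling), the shell below pulls those identifiers out of an esx.conf-style file so you can see what the file does and does not hold. esx.conf is a flat text store of lines shaped like `/path/to/key = "value"`; the sample content and the `/vsan/...` key names used here are constructed for the example and are assumptions, so check them against the linked post and your own host's /etc/vmware/esx.conf before relying on them. What the script finds are identifiers and KMS connection details, which is what this reply says the file carries; the key bytes themselves live in the host's in-memory key cache, not in this file.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): list the vSAN encryption
# identifiers held in an esx.conf-style file. esx.conf is a flat text store of
# lines shaped like   /path/to/key = "value"   ; the exact /vsan/... key names
# below are assumptions made for this example and may differ on a real host.

# Constructed sample esx.conf content (not captured from a real host).
SAMPLE_ESX_CONF='/adv/Misc/HostName = "esx01"
/vsan/kekId = "kek-11111111-2222-3333-4444-555555555555"
/vsan/hostKeyId = "hostkey-66666666-7777-8888-9999-000000000000"
/vsan/kmipServer/child[0000]/address = "kms01.example.com"
/vsan/kmipServer/child[0000]/port = "5696"
/vsan/kmipServer/child[0000]/kmipClusterId = "kms-cluster-1"
/net/pnic/child[0000]/name = "vmnic0"'

# vsan_enc_entries FILE
# Prints key=value for every line whose key name mentions kek, hostkey or kmip
# (case-insensitive). Every other line in the file is dropped.
vsan_enc_entries() {
    grep -i -E '^[^ ]*(kek|hostkey|kmip)[^ ]* = ' "$1" \
      | sed -E 's/^([^ ]+) = "(.*)"$/\1=\2/'
}

# vsan_enc_value FILE KEY
# Prints the unquoted value of one exact key; returns 1 if the key is absent.
# awk is used so the key is matched as a whole token, not as a substring.
vsan_enc_value() {
    v=$(awk -v k="$2" '$1 == k && $2 == "=" { sub(/^[^"]*"/, ""); sub(/"$/, ""); print }' "$1")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Stand-alone run against the constructed sample. On a host you would point the
# functions at /etc/vmware/esx.conf instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ESX_CONF" > "$tmp"
vsan_enc_entries "$tmp"
vsan_enc_value "$tmp" /vsan/kekId
rm -f "$tmp"
```

Run it as-is to see the sample output, or replace the temp file with /etc/vmware/esx.conf on an older host; on a host that has moved to the config store the file will simply not yield these entries, and `vsan_enc_value` returns 1 for any key that is not present.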

GreatWhiteTec
VMware Employee

When you add a host to an encryption-enabled vSAN cluster, vSAN checks the drives to see if they are "stamped" for encryption. If they were previously in the cluster and have the same information, the host is added to the cluster. If it is a new host and the drives were not stamped for encryption on this cluster, the drives go through a Disk Format Change, and a Data Encryption Key (DEK) is created and wrapped with the KEK from the KMS. At this point you will see the drives participating in vSAN.

The file-based persistence (esx.conf) is still available on previous versions of vSAN, but newer versions have moved to a database-based persistence (config-store) for such information. Blog post pending on this topic...

mithrandir1030
Contributor

Thanks.

mithrandir1030
Contributor

Thanks. But what I'm looking for is not key ID but key itself.
