VMware Cloud Community
briance71
Contributor

vSAN encryption - KMS died

A 5-node cluster with vSAN that had a KMS in place 2 years ago. Don't know when, but the KMS system is dead and a few hosts are asking for host encryption keys and have their disks locked.

The KMS is unrecoverable to its previous state.

I have stood up a new KMS and want to know if I can simply ADD the new KMS to the key management, establish the trust and then change the KMS cluster in vSAN services?

Is this safe?

Will the system continue to run on?

Thanks

1 Reply
TheBobkin
Champion

Hello briance71,

Welcome to Communities.

"I have stood up a new KMS and want to know if I can simply ADD the new KMS to the key management, establish the trust and then change the KMS cluster in vSAN services?

Is this safe?

Will the system continue to run on?"

What you are suggesting is a shallow rekey using the new KMS. This requires the old KMS to be available, and thus, unfortunately, this probably won't be possible:

https://blogs.vmware.com/virtualblocks/2017/06/24/vsan-encryption-2/

What I would advise is to NOT reboot any hosts (as you may end up with more disks locked), take full/current backups of what is available, and restore this data to a new cluster (or the same cluster after wiping it down and configuring a new KMS).

If this is a production cluster, then I would advise contacting GSS vSAN to determine whether there is anything else we can do to assist from our side. You might have some VMs whose namespace Objects are Inaccessible but whose vmdk Objects are still available, and other cases such as VMs that are marked as Invalid/Inaccessible but are only missing something relatively minor like a boot device.

Bob
