  • 1.  Key cache of vSAN encryption

    Posted Jun 09, 2020 04:05 AM

    I understand host holds KEK and Host key in its key cache in memory.

    I would like to ask if there is a way to check the key itself in key cache?

    Background:

    I am doing this evaluation that adding a host into encryption enabled vSAN cluster.

    I know that if I don't restart this host, the host will not request key from KMS.

    So I'd like to check if the key is really not in key cache. Then restart the host and see if the key is in key cache.



  • 2.  RE: Key cache of vSAN encryption
    Best Answer

    Posted Jun 09, 2020 10:17 AM

    As far as I know there is no way to manually inspect this.



  • 3.  RE: Key cache of vSAN encryption

    Posted Jun 09, 2020 11:43 PM

    Thanks.



  • 4.  RE: Key cache of vSAN encryption

    Posted Jun 09, 2020 10:21 AM

    Hello mithrandir1030,

    Welcome to Communities.

    KEK ID, Host Key ID and KMS info can be retrieved from /etc/vmware/esx.conf on the host:

    Understanding vSAN Encryption: Booting when vCenter is Unavailable

    Bob
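
    The esx.conf check Bob points at, as an added example that is not part of the thread or of VMware's tooling. esx.conf is a flat file of `/path/key = "value"` lines, so the vSAN encryption identifiers can be pulled out with sed/awk. The key names `/vsan/kekId` and `/vsan/hostKeyId`, the sample UUIDs and the KMS address below are assumptions for illustration; confirm the real names with `grep '^/vsan/' /etc/vmware/esx.conf` on your host. What this exposes is the point of the thread: the file records key IDs and KMS details, never the KEK or Host Key material.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware. Parses the esx.conf
# key = "value" format and prints only the /vsan/ entries, which is all the
# file-based persistence holds: key IDs and KMS details, never key material.
# The /vsan/kekId and /vsan/hostKeyId names are an assumption about your
# ESXi version; 7.x and later keep this in config-store instead.

# Constructed sample of the relevant lines; the UUIDs and KMS address are made up.
SAMPLE_ESX_CONF=$(mktemp)
cat >"$SAMPLE_ESX_CONF" <<'EOF'
/adv/Misc/HostName = "esx01"
/vsan/kekId = "11111111-2222-3333-4444-555555555555"
/vsan/hostKeyId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
/vsan/kmipClusterId = "kms-cluster-1"
/vsan/kmipServerId/0/address = "kms.example.internal"
EOF

# vsan_ids FILE: print each /vsan/ entry as key=value with the quotes stripped.
vsan_ids() {
  sed -n 's#^/vsan/\([^ ]*\) = "\(.*\)"$#\1=\2#p' "$1"
}

# vsan_value FILE KEY: print the value of one /vsan/ key, empty if absent.
vsan_value() {
  vsan_ids "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# host_has_kek_ref FILE: exit 0 when a KEK ID is recorded (the host has been
# through key wrapping against the KMS), 1 when it has not. This is the
# before/after check when adding a host to an encrypted cluster and rebooting.
host_has_kek_ref() {
  [ -n "$(vsan_value "$1" kekId)" ]
}

vsan_ids "$SAMPLE_ESX_CONF"
if host_has_kek_ref "$SAMPLE_ESX_CONF"; then
  echo "KEK ID recorded: $(vsan_value "$SAMPLE_ESX_CONF" kekId)"
fi
```

    On a real host, replace `$SAMPLE_ESX_CONF` with `/etc/vmware/esx.conf`. Note that the presence of a KEK ID only tells you the host has a reference to a wrapped key; it says nothing about whether the unwrapped key is currently in the in-memory key cache, which, per the accepted answer, cannot be inspected.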



  • 5.  RE: Key cache of vSAN encryption

    Posted Jun 09, 2020 11:44 PM

    Thanks. But what I'm looking for is not key ID but key itself.



  • 6.  RE: Key cache of vSAN encryption

    Broadcom Employee
    Posted Jun 09, 2020 12:29 PM

    When you add a host to an encryption-enabled vSAN cluster, vSAN checks the drives to see if they are "stamped" for encryption. If they were previously on the cluster and have the same information, then the host is added to the cluster. If it is a new host and the drives were not stamped for encryption on this cluster, the drives will go through a Disk Format Change, a Data Encryption Key (DEK) will be created and wrapped with the KEK from the KMS. At this point you will see the drives participating in vSAN.

    The file-based persistence (esx.conf) is still available on previous versions of vSAN, but newer versions have moved to a database-based persistence (config-store) for such information. Blog post pending on this topic...