May 09, 2022

What Happens When I Change the Key Provider, KMIP, Native Key Provider, NKP, for vSAN Encryption?

vSAN encryption provides easy, fast data-at-rest encryption, as well as a unique data-in-transit encryption option. Data-at-rest encryption specifically requires a key provider. This can be either an external KMIP provider (Certification list found here) or the native key provider that is bundled with the vCenter Server. For various reasons a customer may wish to switch keys, or even switch to keys provided by a different key provider.

 

“Can I change the Key provider, KMIP, Native Key Provider, NKP, for vSAN/vSphere Encryption?” The short answer is "yes": this is quick, easy and supported. Within the UI you select the new keys to use, and a shallow rekey operation will kick off.

 

Just a few clicks to change keys

What happens when I change the keys?

 

Changing the keys is a shallow rekey operation, NOT a deep rekey operation. What does that mean? A deep rekey swaps the KEK and DEK and forces a re-write of all of the data to the disk groups one at a time. This kind of operation can take a rather long time. A shallow rekey is rather quick, as it will create a new KEK for the cluster and push it to the hosts. Each device's DEK will then be re-wrapped with the new KEK, forming the new KEK+DEK combination.
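The shallow/deep distinction above, as an added example (not VMware's code): a stdlib-only Python model of KEK/DEK envelope encryption. The `Device` class, the function names and the SHA-256 keystream cipher are assumptions that stand in for vSAN's real on-disk format and cipher.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 counter keystream), stdlib only; vSAN does not use this.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Wrap a DEK under a KEK: nonce || encrypted DEK || integrity tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(kek, nonce, dek)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong KEK or corrupted wrapped DEK")
    return _xor_stream(kek, nonce, ct)

class Device:
    """Hypothetical model of one encrypted device: data under a DEK, DEK wrapped by the KEK."""
    def __init__(self, kek: bytes, plaintext: bytes):
        self.store(kek, plaintext)

    def store(self, kek: bytes, plaintext: bytes) -> None:
        dek, self.nonce = os.urandom(32), os.urandom(16)  # fresh DEK on every (re)write
        self.data = _xor_stream(dek, self.nonce, plaintext)
        self.wrapped_dek = wrap(kek, dek)

    def read(self, kek: bytes) -> bytes:
        return _xor_stream(unwrap(kek, self.wrapped_dek), self.nonce, self.data)

def shallow_rekey(devices, old_kek: bytes, new_kek: bytes) -> None:
    # New KEK only: each DEK is unwrapped and re-wrapped; stored data is untouched.
    for dev in devices:
        dev.wrapped_dek = wrap(new_kek, unwrap(old_kek, dev.wrapped_dek))

def deep_rekey(devices, old_kek: bytes, new_kek: bytes) -> None:
    # New KEK and new DEK: every device's data is decrypted and rewritten, one at a time.
    for dev in devices:
        dev.store(new_kek, dev.read(old_kek))

if __name__ == "__main__":
    kek1, kek2 = os.urandom(32), os.urandom(32)
    devs = [Device(kek1, b"constructed sample data %d" % i) for i in range(3)]
    before = [d.data for d in devs]
    shallow_rekey(devs, kek1, kek2)
    print("data rewritten by shallow rekey:", before != [d.data for d in devs])
```

The shallow path touches only the small wrapped-DEK blob per device, which is why it finishes quickly regardless of how much data is stored.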

 

The full process to change the keys from within the UI is as follows:

  1. The initial KMS configuration is in place
  2. The administrator selects an alternate KMS Cluster
  3. The new KMS configuration is pushed to the vSAN hosts
  4. A new host key is generated
  5. vSAN performs a Shallow Rekey

 

More information on vSAN Encryption operations can be found in the vSAN Encryption Services Technote.

 
