May 09, 2022
What Happens When I Change the Key Provider, KMIP, Native Key Provider, NKP, for vSAN Encryption?
vSAN encryption provides easy, fast data at rest encryption, as well as a unique data in transit encryption option. Data at rest encryption specifically requires a key provider to be used. This can either be an external KIMP provider (Certification list found here), as well as a native key provider option that is bundled with the vCenter Server. For various reasons a customer may wish to switch keys, or even switch to keys provided by a different key provider.
“Can I change the Key provider, KMIP, Native Key Provider, NKP, for vSAN/vSphere Encryption?” The short response is "yes" this is quick/easy and supported. Within the UI you will change to the new keys used, and a shallow rekey operation will kick-off.
What happens when I change the keys?
Changing the keys is a shallow rekey operation, NOT a deep rekey operation. What does that mean? A deep key swaps the KEK and DEK and forces a re-write of all of the data to the disk groups one at a time, this kind of operation can take a rather long time. A shallow re-key is rather quick as it will create new a new KEK for the cluster and push it to the hosts. Each device's DEK will then be re-wrapped with the new KEK+DEK combination.
The full process to change the keys from within the UI is as follows:
- The initial KMS configuration is in place
- The administrator selects an alternate KMS Cluster
- The new KMS configuration is pushed to the vSAN hosts
- A new host key is generated
- vSAN performs a Shallow Rekey
More information on vSAN Encryption operations can be found in the VSAN Encryption Services Technote.