Although we have configured a Key Provider for an OrgVDC using the BYOE add-on, we observe that the Named Disks created on that OrgVDC and the vApp templates stored in a catalog backed-up by that OrgVDC are encrypted using the default KMS, not with the KMS associated with the Key Provider assigned to the OrgVDC.
Is that the expected behavior? Will Named Disks and vApp Template encryption be supported by the BYOK add-on in the GA version or future versions?
Thanks,
Miguel
Hi Miguel, we plan to introduce encryption of named disks and VM templates as part of the official (GA) release of the BYOE solution. Both will be encrypted the same way as regular VMs, with the exception that deep re-encrypt will not be supported in the GA release. Please let us know if this behavior would cover your use cases.
Hi Nikolay, it is great news that you will support the encryption of named disks and VM templates in the GA version. When you say that deep re-encrypt will not be supported in the GA release, do you mean just for named disks and VM templates or for VMs as well? Thanks, Miguel
I meant only for named disks and VM templates.
Deep re-encrypt on VMs will be supported in the GA release as a Day-2 operation given the VM is powered off.
Sorry for the ambiguity in my previous answer.
I meant only for named disks and VM templates.
Deep re-encrypt of regular VMs will be possible in the GA release as a day-2 operation.
Sorry for the ambiguity in my previous reply.
Thanks, Jeff and Nikolay. Please let me recap to check if I understood correctly:
- Named disk and template encryption will be supported in the BYOE GA release, including shallow recrypt managed at OrgVDC level.
- VM deep recrypt will also be supported in the BYOE GA version as a day 2 operation at VM level.
- Named disk and templates deep recrypt will not be supported in the BYOE GA version.
Correct? Will Named disk and templates deep recrypt be supported in a posterior BYOE release? Or is it technically unfeasible?
Thanks!
Miguel
Hi Miguel, your understanding is correct!
Regarding deep re-crypt of named disks and templates, we plan to introduce this feature in one of the post-GA releases.
Nikolay