When using a real KMS, the guidance would always be to have the KMS appliance VM hosted on a server outside a vSAN cluster that you are encrypting.
Is there confirmation that when using the Native Key Provider, this guidance no longer holds? I.e. I can now use the vSAN cluster’s vCenter to provide the NKP to encrypt that same cluster?
I did cold boot a node (the one with the VCSA) in an NKP-encrypted cluster, which came back up without issue.
Tx,
Ed
You are correct, for the NKP this is different, mainly as the NKP is not a KMS, so the dependency is completely different 🙂
For same reasons, is it correct to expect that it is also supported without issue for a stretched cluster then?
Hi,
I have a question about Configuring and Managing vSphere Native Key Provider.
Before we configure the Native Key Provider in the vCenter Server, does TPM 2.0 need to be enabled on the ESXi server?
I can't find this information in the documentation below:
AFAIK TPM is not a requirement for the Native Key Provider. If you have a TPM it will use it though, and it is recommended from a security point of view.
OK, thanks for your information!
But if we enable TPM 2.0 on the ESXi server, do we need to disconnect and reconnect the host from the vCenter Server before configuring NKP?
I have never gone through that process unfortunately, but I would think that vCenter picks it up automatically after you enable it and reboot the host. The host will report the hardware normally.
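A quick way to check what the reply above describes, namely whether vCenter already sees the TPM after the firmware change and reboot, is to read the host capability and runtime data that vCenter exposes. The following PowerCLI snippet is an added example and is not code from the thread or from VMware; it assumes an existing Connect-VIServer session, PowerCLI 12.x or later for the Get-KeyProvider cmdlet, and a hypothetical vCenter hostname.

```powershell
# Added example (not from the thread): inventory TPM and crypto state per ESXi host,
# then list the key providers vCenter knows about.
# Assumptions: PowerCLI 12.x+, and the vCenter hostname below is hypothetical.
Connect-VIServer -Server vcenter.example.internal

$report = foreach ($h in (Get-VMHost | Sort-Object Name)) {
    $cap = $h.ExtensionData.Capability   # vSphere API HostCapability
    $rt  = $h.ExtensionData.Runtime      # vSphere API HostRuntimeInfo
    [pscustomobject]@{
        Host         = $h.Name
        TpmSupported = $cap.TpmSupported   # True once the TPM is enabled in firmware and the host rebooted
        TpmVersion   = $cap.TpmVersion     # "2.0" for a TPM 2.0 device
        CryptoState  = $rt.CryptoState     # incapable / prepared / safe / pendingIncapable
        CryptoKeyId  = $rt.CryptoKeyId.KeyId   # host key id, populated once the host is "safe"
    }
}
$report | Format-Table -AutoSize

# Hosts that still report no TPM after the BIOS/UEFI change usually just need the reboot;
# vCenter re-reads hardware capabilities when the host reconnects, no remove/re-add required.
$report | Where-Object { -not $_.TpmSupported } | ForEach-Object {
    Write-Warning "$($_.Host): no TPM reported by vCenter; verify firmware setting and reboot"
}

# Key providers configured in this vCenter. Type distinguishes a Native Key Provider
# from a Standard (external KMS) key provider. Property names are from the PowerCLI
# KeyProvider object and are assumed here.
Get-KeyProvider | Format-Table Name, Type -AutoSize
```

Run it once before and once after the reboot that follows enabling TPM 2.0: TpmSupported flipping to True and TpmVersion reading 2.0 confirms vCenter picked the device up without disconnecting the host.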
@ggovek wrote:
Hi,
I have a question about Configuring and Managing vSphere Native Key Provider.
Before we configure the Native Key Provider in the vCenter Server, does TPM 2.0 need to be enabled on the ESXi server?
I can't find this information in the documentation below:
Just was pointed to this page: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400...
It indeed states that TPM is not a requirement. I have also asked to get it posted on the page you mentioned, ggovek.
Hello
If we don't use TPM on the ESXi hosts and they lose access to the vCenter Server, can they still recover?