You can generate new encryption keys if a key expires or becomes compromised.
The following options are available when you generate new encryption keys for your vSAN cluster.
If you generate a new KEK, all hosts in the vSAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.
If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk reformat is required to re-encrypt data.
You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
- Navigate to the vSAN host cluster in the vSphere Web Client.
- Click the Configure tab.
- Under vSAN, select General.
- In the vSAN is turned ON pane, click the Generate new encryption keys button.
- Choose the scope of the rekey:
  - To generate a new KEK only, click OK. The DEKs are re-encrypted with the new KEK.
  - To generate a new KEK and new DEKs, and re-encrypt all data in the vSAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.
  - If your vSAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.
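The same two choices (shallow rekey versus deep rekey, with or without reduced redundancy) driven from PowerCLI instead of the Web Client, as an added example that is not part of VMware's documentation. It assumes a connected vCenter session with the VMware.VimAutomation.Storage module loaded; the vSAN Management API method VsanEncryptedClusterRekey_Task and its parameter order (cluster, deepRekey, allowReducedRedundancy) are as I recall them from the API reference and should be checked against the reference for your vSAN version.

```powershell
# Added example, not VMware's code. Assumes Connect-VIServer has already been run.
# Assumption: VsanEncryptedClusterRekey_Task(cluster, deepRekey, allowReducedRedundancy)
# is the vSAN Management API rekey method; verify it in the API reference for your version.
param(
    [Parameter(Mandatory)] [string] $ClusterName,
    [switch] $ReencryptAllData,        # "Also re-encrypt all data on the storage using new keys"
    [switch] $AllowReducedRedundancy   # "Allow Reduced Redundancy"
)

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop

# Rekeying only makes sense on a cluster that already has vSAN encryption enabled.
$vsanCfg = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $vsanCfg.EncryptionEnabled) {
    throw "vSAN encryption is not enabled on cluster '$ClusterName'; nothing to rekey."
}

# A deep rekey reformats each disk group in turn. With reduced redundancy allowed,
# data has fewer copies than its storage policy requires while a disk group is being
# rebuilt, so require an explicit confirmation for that combination.
if ($ReencryptAllData -and $AllowReducedRedundancy) {
    $answer = Read-Host "Deep rekey with reduced redundancy puts data at risk during the reformat. Type YES to continue"
    if ($answer -ne 'YES') { Write-Host 'Rekey cancelled.'; return }
}

$vccs = Get-VsanView -Id 'VsanVcClusterConfigSystem-vsan-cluster-config-system'
$taskRef = $vccs.VsanEncryptedClusterRekey_Task(
    $cluster.ExtensionData.MoRef,
    [bool] $ReencryptAllData,        # deepRekey: new KEK and new DEKs, rolling disk reformat
    [bool] $AllowReducedRedundancy)  # otherwise only a new KEK is fetched and the DEKs re-wrapped

# Poll the vCenter task so the operator sees whether the rekey succeeded.
$task = Get-View $taskRef
while ($task.Info.State -in @('queued', 'running')) {
    Start-Sleep -Seconds 10
    $task.UpdateViewData()
}
if ($task.Info.State -ne 'success') {
    throw "Rekey failed: $($task.Info.Error.LocalizedMessage)"
}
Write-Host "Rekey of '$ClusterName' completed (deep rekey: $([bool] $ReencryptAllData))."
```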