You can generate new encryption keys if a key expires or becomes compromised.

Before you begin

  • Required privileges:

    • Host > Inventory > EditCluster

    • Cryptographer > ManageKeys

  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.

About this task

The following options are available when you generate new encryption keys for your vSAN cluster.

  • If you generate a new KEK, all hosts in the vSAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.

  • If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk re-format is required to re-encrypt data.
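To make the difference between the two options concrete, the following Go model of the KEK/DEK envelope is added here as an illustration (it is not VMware code and does not reproduce vSAN or KMS internals): a KEK-only rekey re-wraps the DEK and leaves the stored ciphertext untouched, so a DEK that was already exposed still decrypts that data, while the re-encrypt option issues a new DEK and rewrites the data. AES-256-GCM and the NewKey, Seal, Open and Rekey names are assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// NewKey returns n random bytes; n=32 stands in for a KMS-issued AES-256 key.
func NewKey(n int) []byte {
	k := make([]byte, n)
	rand.Read(k) // crypto/rand.Read never returns an error (Go 1.24+)
	return k
}
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys in this model are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts with AES-GCM and prepends the random nonce; Open reverses it
// and fails on a wrong key or on altered ciphertext.
func Seal(key, plain []byte) []byte {
	nonce := NewKey(gcm(key).NonceSize())
	return gcm(key).Seal(nonce, nonce, plain, nil)
}
func Open(key, sealed []byte) ([]byte, error) {
	n := gcm(key).NonceSize()
	return gcm(key).Open(nil, sealed[:n], sealed[n:], nil)
}

// Rekey models the page's "Generate new encryption keys" step for one host
// (added illustration, not VMware code). deep=false (new KEK only) re-wraps
// the DEK and returns data unchanged, so an already-exposed DEK still reads
// it; deep=true also issues a new DEK and rewrites data (the disk re-format).
func Rekey(wrappedDEK, data, oldKEK, newKEK []byte, deep bool) ([]byte, []byte, error) {
	dek, err := Open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, nil, err
	}
	if deep {
		plain, err := Open(dek, data)
		if err != nil {
			return nil, nil, err
		}
		dek = NewKey(32)
		data = Seal(dek, plain)
	}
	return Seal(newKEK, dek), data, nil
}
```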

Procedure

  1. Navigate to the vSAN host cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General.
  4. In the vSAN is turned ON pane, click the Generate new encryption keys button.
  5. To generate a new KEK, click OK. The DEKs will be re-encrypted with the new KEK.
    • To generate a new KEK and new DEKs, and re-encrypt all data in the vSAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.

    • If your vSAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.