You can generate new encryption keys if a key expires or becomes compromised.
The following options are available when you generate new encryption keys for your Virtual SAN cluster.
- If you generate a new KEK, all hosts in the Virtual SAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.
- If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk re-format is required to re-encrypt data.
- Required privileges:
- You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
- Navigate to the Virtual SAN host cluster in the vSphere Web Client.
- Click the Configure tab.
- Under vSAN, select General.
- In the vSAN is turned ON pane, click the Generate new encryption keys button.
- To generate a new KEK, click OK. The DEKs will be re-encrypted with the new KEK.
- To generate a new KEK and new DEKs, and re-encrypt all data in the Virtual SAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.
- If your Virtual SAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.
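The difference between the two options above (a new KEK only, versus a new KEK plus new DEKs with all data re-encrypted) is easier to see in code. The following Go model of the two-level key hierarchy is an added example written for this page, not VMware's implementation or on-disk format; the `Host`, `Cluster`, `ShallowRekey` and `DeepRekey` names are assumptions, and AES-GCM from the Go standard library stands in for both the DEK wrapping and the data encryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is an AES-GCM ciphertext together with the nonce used to produce it.
type Blob struct{ Nonce, CT []byte }

// Host models one vSAN host: its DEK wrapped by the cluster KEK (what a host
// persists) and the disk contents encrypted under the DEK.
// Constructed model for illustration only, not VMware's format.
type Host struct {
	Name       string
	WrappedDEK Blob // DEK encrypted with the KEK
	Disk       Blob // data encrypted with the DEK
}

// Cluster holds the hosts; the KEK itself lives in the KMS, never here.
type Cluster struct{ Hosts []*Host }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func seal(key, plaintext []byte) Blob {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return Blob{Nonce: nonce, CT: g.Seal(nil, nonce, plaintext, nil)}
}

func unseal(key []byte, b Blob) ([]byte, error) {
	return aead(key).Open(nil, b.Nonce, b.CT, nil)
}

// NewHost generates a fresh DEK, wraps it with kek and encrypts data under it.
func NewHost(name string, kek, data []byte) *Host {
	dek := randomBytes(32)
	return &Host{Name: name, WrappedDEK: seal(kek, dek), Disk: seal(dek, data)}
}

// ReadDisk is the normal read path: unwrap the DEK with the KEK, then decrypt.
func ReadDisk(h *Host, kek []byte) ([]byte, error) {
	dek, err := unseal(kek, h.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("%s: KEK cannot unwrap DEK: %w", h.Name, err)
	}
	return unseal(dek, h.Disk)
}

// ShallowRekey is the "generate a new KEK" option: each host's DEK is
// re-wrapped under newKEK. The DEKs and the encrypted disk data do not change.
func ShallowRekey(c *Cluster, oldKEK, newKEK []byte) error {
	for _, h := range c.Hosts {
		dek, err := unseal(oldKEK, h.WrappedDEK)
		if err != nil {
			return fmt.Errorf("%s: %w", h.Name, err)
		}
		h.WrappedDEK = seal(newKEK, dek)
	}
	return nil
}

// DeepRekey is the "also re-encrypt all data" option: a new KEK, a new DEK
// per host, and the disk contents decrypted and re-encrypted under the new
// DEK (the step vSAN performs as a rolling disk re-format).
func DeepRekey(c *Cluster, oldKEK, newKEK []byte) error {
	for _, h := range c.Hosts {
		plaintext, err := ReadDisk(h, oldKEK)
		if err != nil {
			return err
		}
		dek := randomBytes(32)
		h.WrappedDEK = seal(newKEK, dek)
		h.Disk = seal(dek, plaintext)
	}
	return nil
}

func main() {
	kek1, kek2, kek3 := randomBytes(32), randomBytes(32), randomBytes(32)
	c := &Cluster{Hosts: []*Host{NewHost("esx01", kek1, []byte("vm-a disk")), NewHost("esx02", kek1, []byte("vm-b disk"))}}
	before := append([]byte(nil), c.Hosts[0].Disk.CT...)
	_ = ShallowRekey(c, kek1, kek2)
	fmt.Println("shallow rekey left data ciphertext unchanged:", bytes.Equal(before, c.Hosts[0].Disk.CT))
	_ = DeepRekey(c, kek2, kek3)
	fmt.Println("deep rekey changed data ciphertext:", !bytes.Equal(before, c.Hosts[0].Disk.CT))
	p, err := ReadDisk(c.Hosts[0], kek3)
	fmt.Println(string(p), err)
}
```

A shallow rekey rewrites only the small wrapped-DEK blobs, so it completes quickly and is the right response when the KEK (the key the KMS holds) is what expired or was exposed. A deep rekey must read and rewrite every byte of stored data, which is why the product performs it as a rolling disk re-format and why the Allow Reduced Redundancy option is a trade-off: data is protected by fewer copies while each disk group is being reformatted. In the model, once either rekey has run, the previous KEK can no longer unwrap any host's DEK.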