You can generate new encryption keys, in case a key expires or becomes compromised.
The following options are available when you generate new encryption keys for your
vSAN cluster.
- If you generate a new KEK, all hosts in the vSAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.
- If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk reformat is required to re-encrypt data.
Prerequisites
- Required privileges:
- You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.