The vSphere Trust Authority architecture results in some additional recommendations. As you are planning your vSphere Trust Authority strategy, consider interoperability limitations.
For ESXi versions, the Attestation Service is backward and forward compatible. For example, you can have a cluster of ESXi hosts running ESXi 7.0 in the vSphere Trust Authority Cluster, and upgrade or patch ESXi hosts in the Trusted Cluster to a newer ESXi version. Similarly, you can upgrade or patch the ESXi hosts in the Trust Authority Cluster while keeping the ESXi hosts in the Trusted Cluster at the current version.
You cannot have a cluster function as both a Trust Authority Cluster and a Trusted Cluster. This configuration is not supported.
Trusted Cluster Configuration Limitation
You can configure only one Trust Authority Cluster per Trusted Cluster. That is, a Trusted Cluster cannot be configured to reference multiple Trust Authority Clusters.
Cloning is supported, but encryption keys cannot be changed on clone. This behavior contrasts with standard encryption where keys can be changed when creating a clone. The following operations are not supported by vSphere Trust Authority during cloning of a virtual machine:
- Cloning from an unencrypted virtual machine to an encrypted virtual machine
- Cloning from an encrypted virtual machine and changing the encryption keys
Instant clone is supported by vSphere Trust Authority, but you cannot change encryption keys on clone. This behavior is the same as with standard virtual machine encryption.
vMotion and Cross-vCenter Server vMotion
vSphere Trust Authority fully supports vMotion across ESXi hosts.
Cross-vCenter Server vMotion is supported, but with the following restrictions.
- The required trusted service must be configured on the destination host and the destination host must be attested.
- Encryption cannot change on migration. For example, a disk cannot be encrypted while the virtual machine is migrated to the new storage.
When performing cross-vCenter Server vMotion, vCenter Server checks that the trusted key provider is available on the destination host, and if the host has access to it.
vSphere Trust Authority supports the following:
- vCenter High Availability (vCenter HA)
- VMware vSphere High Availability
- SRM, with the following understanding:
- SRM with array-based replication is supported, if the same vSphere Trust Authority services configuration is available on the recovery side.
- Support is the same as with standard encryption. Hot-add and NFC modes are supported, but not SAN mode. Backups are decrypted. VADP partners have the option of recovering the backed-up virtual machine with the same encryption key as the original virtual machine.
- Virtual machine encryption is fully supported on top of vSAN.
- Encrypted virtual machines cannot be exported to OVF. However, virtual machines can be encrypted while being imported from an OVF.
Currently, vSphere Trust Authority does not support the following:
- vSAN encryption
- First Class Disk (FCD) encryption
- vSphere Replication
- vSphere Host Profiles