The vSphere Trust Authority architecture results in some additional recommendations. As you are planning your vSphere Trust Authority strategy, consider interoperability limitations.
Trusted Infrastructure Interoperability
Across ESXi versions, the Attestation Service is backward and forward compatible. For example, you can have a cluster of ESXi hosts running ESXi 7.0 in the vSphere Trust Authority Cluster and upgrade or patch the ESXi hosts in the Trusted Cluster to a newer ESXi version. Similarly, you can upgrade or patch the ESXi hosts in the Trust Authority Cluster while keeping the ESXi hosts in the Trusted Cluster at their current version.
You cannot have a cluster function as both a Trust Authority Cluster and a Trusted Cluster. This configuration is not supported.
Trusted Cluster Configuration Limitation
You can configure only one Trusted Cluster per workload vCenter Server. A Trusted Cluster cannot be configured to reference multiple Trust Authority Clusters.
vSphere Trust Authority supports the following:
- vCenter High Availability (vCenter HA)
- VMware vSphere High Availability
- SRM, with the following understanding:
  - SRM with array-based replication is supported, if the same vSphere Trust Authority services configuration is available on the recovery side.
- Support is the same as with standard encryption. Hot-add and NFC modes are supported, but not SAN mode. Backups are decrypted. VADP partners have the option of recovering the backed-up virtual machine with the same encryption key as the original virtual machine.
- Virtual machine encryption is fully supported on top of vSAN.
- Encrypted virtual machines cannot be exported to OVF. However, virtual machines can be encrypted while being imported from an OVF.
Currently, vSphere Trust Authority does not support the following:
- vSAN encryption
- First Class Disk (FCD) encryption
- vSphere Replication
- vSphere Host Profiles