You can generate new encryption keys for data at rest, for example when a key expires or becomes compromised.
The following options are available when you generate new encryption keys for your vSAN cluster.
- If you generate a new KEK, all hosts in the vSAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.
- If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk reformat is required to re-encrypt data.
- Required privileges:
- You must have set up a key provider and established a trusted connection between vCenter Server and the KMS.
- Navigate to the vSAN host cluster.
- Click the Configure tab.
- Under vSAN, select Services.
- Click Generate New Encryption Keys.
- To generate a new KEK, click Apply. The DEKs are re-encrypted with the new KEK.
- To generate a new KEK and new DEKs, and re-encrypt all data in the vSAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.
- If your vSAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.
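The two options above differ in what is re-encrypted. The Go program below is an added example, not VMware's code or the vSAN implementation: it models the key hierarchy the page describes (a KEK provided by the KMS wraps a per-host DEK, and the DEK encrypts the data at rest) with AES-256-GCM, and shows that a KEK-only rekey re-wraps the DEKs while leaving the stored ciphertext byte-for-byte unchanged, whereas the "also re-encrypt all data" option issues new DEKs and rewrites every data blob. All type and function names (`Cluster`, `Host`, `Rekey`, `seal`, `open`) and the sample host contents are hypothetical and constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n cryptographically random bytes (keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm returns an AES-256-GCM AEAD for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts pt under key and returns nonce || ciphertext || tag.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal (blob must be seal's output); it fails on a wrong key or altered bytes.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Host models one vSAN host (hypothetical type); its DEK is stored only wrapped under the KEK.
type Host struct {
	Name       string
	WrappedDEK []byte // DEK sealed under the cluster KEK
	Data       []byte // data at rest, sealed under the DEK
}

// Cluster models the vSAN cluster; KEK stands in for the key the KMS provides.
type Cluster struct {
	KEK   []byte
	Hosts []*Host
}

// NewCluster issues a KEK and one DEK per host, then seals each host's data.
func NewCluster(plaintexts map[string][]byte) *Cluster {
	c := &Cluster{KEK: randBytes(32)}
	for name, pt := range plaintexts {
		dek := randBytes(32)
		c.Hosts = append(c.Hosts, &Host{Name: name, WrappedDEK: seal(c.KEK, dek), Data: seal(dek, pt)})
	}
	return c
}

// Rekey issues a new KEK and re-wraps every host's DEK under it ("generate a new KEK"; data
// untouched). With deep set, each host also gets a new DEK and its data is decrypted and sealed
// again, the work that needs a rolling disk reformat in a real cluster.
func (c *Cluster) Rekey(deep bool) error {
	newKEK := randBytes(32)
	for _, h := range c.Hosts {
		dek, err := open(c.KEK, h.WrappedDEK)
		if err != nil {
			return fmt.Errorf("%s: current KEK cannot unwrap DEK: %w", h.Name, err)
		}
		if deep {
			pt, err := open(dek, h.Data)
			if err != nil {
				return fmt.Errorf("%s: cannot decrypt data: %w", h.Name, err)
			}
			dek = randBytes(32)
			h.Data = seal(dek, pt)
		}
		h.WrappedDEK = seal(newKEK, dek)
	}
	c.KEK = newKEK
	return nil
}

func main() {
	c := NewCluster(map[string][]byte{"esx01": []byte("constructed vmdk bytes")}) // constructed sample
	before := string(c.Hosts[0].Data)
	for _, deep := range []bool{false, true} {
		if err := c.Rekey(deep); err != nil {
			panic(err)
		}
		fmt.Printf("deep=%v: data at rest rewritten: %v\n", deep, string(c.Hosts[0].Data) != before)
	}
}
```

Run with `go run`: the KEK-only pass reports that the data at rest was not rewritten, the deep pass reports that it was. That difference is the reason the first option completes with no disk reformat while the second needs one, and it is also why the old KEK can no longer unwrap any host's DEK after either pass, which is the property that matters when a KEK is suspected compromised.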