The vSphere Trust Authority architecture results in some additional recommendations. As you are planning your vSphere Trust Authority strategy, consider interoperability limitations.

Trusted Infrastructure Interoperability

For ESXi versions, the Attestation Service is backward and forward compatible. For example, you can have a cluster of ESXi hosts running ESXi 7.0 in the vSphere Trust Authority Cluster, and upgrade or patch ESXi hosts in the Trusted Cluster to a newer ESXi version. Similarly, you can upgrade or patch the ESXi hosts in the Trust Authority Cluster while keeping the ESXi hosts in the Trusted Cluster at the current version.

You cannot have a cluster function as both a Trust Authority Cluster and a Trusted Cluster. This configuration is not supported.

Trusted Cluster Configuration Limitation

You can configure only one Trust Authority Cluster per workload vCenter Server. A Trusted Cluster cannot be configured to reference multiple Trust Authority Clusters.

vSphere Features Supported in vSphere Trust Authority

vSphere Trust Authority supports the following:

  • vCenter High Availability (vCenter HA)
  • VMware vSphere High Availability
  • DRS
  • DPM
  • SRM, with the following understanding:
    • SRM with array-based replication is supported, if the same vSphere Trust Authority services configuration is available on the recovery side.
    • SPPG
  • VADP
    • Support is the same as with standard encryption. Hot-add and NFC modes are supported, but not SAN mode. Backups are decrypted. VADP partners have the option of recovering the backed-up virtual machine with the same encryption key as the original virtual machine.
  • vSAN
    • Virtual machine encryption is fully supported on top of vSAN.
  • OVF
    • Encrypted virtual machines cannot be exported to OVF. However, virtual machines can be encrypted while being imported from an OVF.
  • VVol

vSphere Features Not Supported in vSphere Trust Authority

Currently, vSphere Trust Authority does not support the following:

  • vSAN data-at-rest encryption
  • First Class Disk (FCD) encryption
  • vSphere Replication
  • vSphere Host Profiles