Start-VsanEncryptionConfiguration
This cmdlet starts an encryption configuration on a vSAN cluster.The encryption configuration includes the following actions: - Activate or deactivate the encryption- Change the key provider- Perform a deep rekey- Perform a shallow rekey
Syntax
-Cluster
< Cluster[] >
[-AllowReducedRedundancy
< Boolean > ]
[-DeepRekey
]
[-Server
< VIServer[] > ]
[CommonParameters]
Parameters
| Required | Parameter Name | Type | Position | Features | Description |
|---|---|---|---|---|---|
| required
|
Cluster | Cluster[] | named |
|
Specifies the vSAN cluster on which you want to start the encryption configuration of the vSAN objects. |
| optional | AllowReducedRedundancy | Boolean | named |
|
This optional parameter is applicable to specific vSAN cluster reconfigure operations that need to migrate data for changing the vSAN disk format across the cluster. When specified, the process might move less data to ensure storage object accessibility, and some objects might be kept at "reduced redundancy" state, which means at a higher risk in case of a hardware failure during the migration process. The default value is $false. |
| optional | DeepRekey | SwitchParameter | named |
|
Specifies that you want to perform a deep rekey operation. When a deep rekey operation runs, all disks are re-encrypted with new data encryption keys. The deep rekey operation takes long time to finish. |
| optional | Server | VIServer[] | named |
|
Specifies the vCenter Server systems on which you want to run the cmdlet. If no value is provided or $null value is passed to this parameter, the command runs on the default servers. For more information about default servers, see the description of the Connect-VIServer cmdlet. |
-Cluster
< Cluster[] >
[-AllowReducedRedundancy
< Boolean > ]
[-EncryptionEnabled
< Boolean > ]
[-EraseDisksBeforeUse
< Boolean > ]
[-KeyProvider
< KeyProvider > ]
[-Server
< VIServer[] > ]
[CommonParameters]
Parameters
| Required | Parameter Name | Type | Position | Features | Description |
|---|---|---|---|---|---|
| required
|
Cluster | Cluster[] | named |
|
Specifies the vSAN cluster on which you want to start the encryption configuration of the vSAN objects. |
| optional | AllowReducedRedundancy | Boolean | named |
|
This optional parameter is applicable to specific vSAN cluster reconfigure operations that need to migrate data for changing the vSAN disk format across the cluster. When specified, the process might move less data to ensure storage object accessibility, and some objects might be kept at "reduced redundancy" state, which means at a higher risk in case of a hardware failure during the migration process. The default value is $false. |
| optional | EncryptionEnabled | Boolean | named |
|
Specifies whether you want to activate or deactivate the encryption. |
| optional | EraseDisksBeforeUse | Boolean | named |
|
Specifies whether the disk should be formatted when a normal disk is converted to an encrypted disk, it is claimed as encrypted disk, or it runs deep rekey. If the value of this parameter is $true, every sector on the disk is written with random data. Disk cleanup reduces the possibility of data leak and increases the potential intruder's cost to reveal sensitive data. Turn the disk cleanup on only when necessary, as it takes long time to finish. If the value of this parameter is $false, the disk will not be formatted. |
| optional | KeyProvider | KeyProvider | named |
|
Specifies the key provider you want to use for the encryption. |
| optional | Server | VIServer[] | named |
|
Specifies the vCenter Server systems on which you want to run the cmdlet. If no value is provided or $null value is passed to this parameter, the command runs on the default servers. For more information about default servers, see the description of the Connect-VIServer cmdlet. |
-Cluster
< Cluster[] >
[-AllowReducedRedundancy
< Boolean > ]
[-Server
< VIServer[] > ]
[-ShallowRekey
]
[CommonParameters]
Parameters
| Required | Parameter Name | Type | Position | Features | Description |
|---|---|---|---|---|---|
| required
|
Cluster | Cluster[] | named |
|
Specifies the vSAN cluster on which you want to start the encryption configuration of the vSAN objects. |
| optional | AllowReducedRedundancy | Boolean | named |
|
This optional parameter is applicable to specific vSAN cluster reconfigure operations that need to migrate data for changing the vSAN disk format across the cluster. When specified, the process might move less data to ensure storage object accessibility, and some objects might be kept at "reduced redundancy" state, which means at a higher risk in case of a hardware failure during the migration process. The default value is $false. |
| optional | Server | VIServer[] | named |
|
Specifies the vCenter Server systems on which you want to run the cmdlet. If no value is provided or $null value is passed to this parameter, the command runs on the default servers. For more information about default servers, see the description of the Connect-VIServer cmdlet. |
| optional | ShallowRekey | SwitchParameter | named |
|
Specifies that you want to perform a shallow rekey operation. When a shallow rekey operation runs, only the key encryption key (KEK) is changed and the data encryption keys (DEKs) are rewrapped with new key encryption keys. |
Output
Examples
Example 1
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $true -KeyProvider 'ThalesCluster'
Enables the encryption on the $vsanCluster vSAN cluster with 'ThalesCluster' as the key provider.
Example 2
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $false
Deactivates the encryption on the $vsanCluster vSAN cluster.
Example 3
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -DeepRekey
Performs a deep rekey operation on all disks of the $vsanCluster vSAN cluster. All data on the disks is re-encrypted.
Example 4
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -ShallowRekey
Performs a shallow rekey operation on all disks of the $vsanCluster vSAN cluster. All data encryption keys are rewrapped with a new key encryption key. Data on the disks is not re-encrypted.
Related Commands
VsanEncryptionConfiguration
This cmdlet starts an encryption configuration on a vSAN cluster.