VsanDataEncryptionConfig
The data encryption spec of a vSAN cluster.
This structure may be used only with operations rendered under /vsan.
{
"_typeName": "string",
"encryptionEnabled": false,
"kmsProviderId": {
"_typeName": "string",
"id": "string"
},
"kekId": "string",
"hostKeyId": "string",
"dekGenerationId": 0,
"changing": false,
"eraseDisksBeforeUse": false,
"wrappedDek": "string",
"dekId": "string",
"oldWrappedDek": "string",
"oldDekId": "string",
"kekVerifier": "string",
"dekVerifier": "string",
"oldDekVerifier": "string",
"iv": "string",
"syncing": false
}Is data encryption enabled on the cluster? Enabling encryption on a cluster will proceed to encrypt all the hosts.
Progress of this can be tracked by the changing flag and the reconfigure task. Disabling encryption, will expose all previously encrypted data in the clear.
The Id of the KMS cluster to use for vSAN Encryption.
Keys will be created on and used from this KMS. This parameter is ignored if encryption is disabled. It must be set to a valid KMS cluster ID if encryption is enabled. When it is already an encrypted vSAN cluster and a different value of kmsProviderId is provided, it will switch to the new KMS cluster as specified by new kmsProviderId. A new KEK Id will also be created in the new KMS cluster and a shallow rekey is performed to use the new KEK. See kmipServers and KmipClusterInfo
The KEK Id of the KMS cluster to use.
Do not set a key's Id for this when reconfiguring vSAN encryption, because such key will be created automatically from key management server. There is rare use case to put a valid key Id here, for example, when restoring configuration for the cluster from existing running hosts.
The Id of host key which is used for host core dump encryption.
Do not set this value when reconfiguring vSAN encryption, because such key will be created automatically from key management server.
DEK generation number of the vSAN cluster.
Do not set a generation number for this when reconfiguring vSAN encryption because such a field will be created and managed automatically by vSAN.
Whether Encryption has finished enabling or disabling operation.
When changing is true, then encryption has not finished enabling or disabling. Changing will become false once all hosts currently in the cluster have adapted to the current setting of encryptionEnabled. No guarantee can be made that all data will be encrypted until changing is false and encryptionEnabled is true. This value can be read, but should never be set by API callers Reconfiguring a cluster.
Whether disks should be wiped when a normal disk is converted to encrypted disk, or a disk is claimed as encrypted disk, or a disk runs deep rekey.
If set true, every sector on a disk will be written with random data. Disk wipe does significantly reduce the possibility of data leak and increases the attacker's cost to reveal sensitive data. The disadvantage of disk wipe is that it takes a long time to finish, so turn it on through UI or API only when necessary. If not set, disk won't be wiped.
Data Encryption Key (DEK) wrapped by Key Encryption Key (KEK).
UUID of cluster wide Data Encryption Key (DEK).
Old Data Encryption Key (DEK) wrapped by Key Encryption Key (KEK).
UUID of the old cluster wide Data Encryption Key (DEK).
Verifier of KEK.
It's calculated by encrypting all zero data with KEK. ESX host can verify KEK correctness using this verifier.
Verifier of DEK.
It's calculated by encrypting all zero data with DEK. ESX host can verify DEK correctness using this verifier.
Verifier of old DEK.
It's calculated by encrypting all zero data with old DEK. ESX host can verify old DEK correctness using this verifier.
Initialization vector used by encryption algorithm.
The vector is encoded as a string.
Whether the cluster is syncing encryption config when it enables encryption or does deep rekey.