Vsan Vc Cluster Config System Vsan Encrypted Cluster Rekey Task
Regenerate the key(s) used by vSAN encryption for the given cluster.
When the key(s) used for vSAN encryption are compromised, this API can be used to renew them. As described in VsanHostEncryptionInfo, vSAN uses a Key Encryption Key (KEK) to wrap the Data Encryption Key (DEK). Generally a user only needs to renew the KEK and use the new KEK to rewrap the DEK, either when the KEK is compromised or on a regular basis. This is referred to as a "shallow rekey". If the user suspects that the DEK is also compromised, both the KEK and the DEK are renewed. Correspondingly, this is called a "deep rekey". As a consequence of the DEK change, the data on the vSAN datastore is re-encrypted with the new DEK, so this is a slow process.
This API does not support switching to a different KMS cluster. When there is a need to switch to a different KMS cluster, call VsanClusterReconfig and specify a different KMS cluster in the configuration kmsProviderId.
To run either a shallow rekey or a deep rekey for an encrypted vSAN cluster, both the Cryptographer.ManageKeys privilege and the Host.Inventory.EditCluster privilege are required on the cluster. For a shallow rekey, a caller holding the Vsan.Cluster.ShallowRekey privilege on the cluster is alternatively also allowed.
The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case VsanVcClusterConfigSystem/{moId}.
The vSphere release schema. The current specification covers vSphere 9.0.0.0 APIs.
"VsanEncryptedClusterRekeyRequestType Object"
The target VC cluster
True to perform a deep rekey. The default value is false when not provided, meaning a shallow rekey is performed.
This optional parameter applies only to a deep rekey that needs to migrate data across the cluster to change the vSAN disk format. The default value is 'false' if not specified. See VimVsanReconfigSpec.allowReducedRedundancy, ensureObjectAccessibility, and evacuateAllData.
InvalidState: if vSAN is not enabled or encryption is not enabled on the cluster.
"VimFault Object"
curl -X POST -H 'Authorization: <value>' -H 'Content-Type: application/json' -d '[{}]' https://{api_host}/sdk/vim25/{release}/vsan/VsanVcClusterConfigSystem/{moId}/VsanEncryptedClusterRekey_Task
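The following is an added example, not code from this page or from the vSAN SDK: it encodes the privilege rule stated above (deep and shallow rekey both need Cryptographer.ManageKeys plus Host.Inventory.EditCluster; a shallow rekey is also allowed with Vsan.Cluster.ShallowRekey alone) as a pre-flight check, and assembles the request URL and JSON body for VsanEncryptedClusterRekey_Task. The parameter names `cluster`, `deepRekey` and `allowReducedRedundancy`, and the managed-object-reference encoding, are assumptions taken from the vSAN SDK conventions rather than quoted from this page.

```python
import json

# Privileges named on this page for VsanEncryptedClusterRekey_Task.
MANAGE_KEYS = "Cryptographer.ManageKeys"
EDIT_CLUSTER = "Host.Inventory.EditCluster"
SHALLOW_REKEY = "Vsan.Cluster.ShallowRekey"


def rekey_allowed(privileges, deep_rekey):
    """Return True if the caller's privileges permit the requested rekey kind."""
    held = set(privileges)
    if {MANAGE_KEYS, EDIT_CLUSTER} <= held:
        return True                       # sufficient for both shallow and deep
    return (not deep_rekey) and SHALLOW_REKEY in held   # shallow-only alternative


def build_rekey_request(cluster_moid, deep_rekey=False, allow_reduced_redundancy=False):
    """Build the JSON body for the task.

    Assumption: parameter names (cluster, deepRekey, allowReducedRedundancy) and the
    ManagedObjectReference encoding follow the vSAN SDK; they are not quoted on the page.
    """
    if allow_reduced_redundancy and not deep_rekey:
        # The page states this option only applies to a deep rekey.
        raise ValueError("allowReducedRedundancy is only applicable to a deep rekey")
    body = {
        "cluster": {"_typeName": "ManagedObjectReference",
                    "type": "ClusterComputeResource", "value": cluster_moid},
        "deepRekey": deep_rekey,
    }
    if deep_rekey:
        body["allowReducedRedundancy"] = allow_reduced_redundancy
    return body


def rekey_url(api_host, release, config_moid):
    """URL of the task endpoint, following the path shown in the curl line above."""
    return (f"https://{api_host}/sdk/vim25/{release}/vsan/"
            f"VsanVcClusterConfigSystem/{config_moid}/VsanEncryptedClusterRekey_Task")


def plan_rekey(privileges, api_host, release, config_moid, cluster_moid,
               deep_rekey=False, allow_reduced_redundancy=False):
    """Check privileges first, then return (url, json_body) ready to POST."""
    if not rekey_allowed(privileges, deep_rekey):
        kind = "deep" if deep_rekey else "shallow"
        raise PermissionError(f"caller lacks the privileges required for a {kind} rekey")
    body = build_rekey_request(cluster_moid, deep_rekey, allow_reduced_redundancy)
    return rekey_url(api_host, release, config_moid), json.dumps(body)
```

A rejected `plan_rekey` call is a cheap client-side guard only; vCenter still enforces the privileges server-side, and a failed attempt will surface as an authorization fault there.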