Vsan Vc Cluster Config System Vsan Encrypted Cluster Rekey Task

Regenerate the key(s) used by vSAN encryption for the given cluster.

When the key(s) used for vSAN encryption are compromised, this API can be used to renew them. As described in VsanHostEncryptionInfo, vSAN uses a Key Encryption Key (KEK) to wrap the Data Encryption Key (DEK). Generally a user will only need to renew the KEK and use the new KEK to rewrap the DEK, either when the KEK is compromised or on a regular basis. This is referred to as a "shallow rekey". If the user suspects that the DEK is also compromised, both the KEK and the DEK are renewed; correspondingly, this is called a "deep rekey". As a consequence of the DEK change, the data on the vSAN datastore is re-encrypted with the new DEK, so a deep rekey is a slow process.

This API does not support switching to a different KMS cluster. When there is a need to switch to a different KMS cluster, call VsanClusterReconfig and specify a different KMS cluster in the configuration kmsProviderId.

To run either a shallow rekey or a deep rekey on an encrypted vSAN cluster, both the Cryptographer.ManageKeys privilege and the Host.Inventory.EditCluster privilege are required on the cluster. For a shallow rekey, a caller holding the Vsan.Cluster.ShallowRekey privilege on the cluster is alternatively also allowed.

Request
URI
POST
https://{api_host}/sdk/vim25/{release}/vsan/VsanVcClusterConfigSystem/{moId}/VsanEncryptedClusterRekey_Task
Path Parameters
string
moId
Required

The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case VsanVcClusterConfigSystem/{moId}.

string
release
Required

The vSphere release schema. The current specification covers vSphere 9.0.0.0 APIs.


Request Body
VsanEncryptedClusterRekeyRequestType of type(s) application/json
Required
"VsanEncryptedClusterRekeyRequestType Object"
encryptedCluster
Required

The target VC cluster

boolean
deepRekey
Optional

True to perform a deep rekey. The default value is false when not provided, which means a shallow rekey is performed.

boolean
allowReducedRedundancy
Optional

This optional parameter is only applicable to a deep rekey, when data needs to be migrated across the cluster to change the vSAN disk format. The default value is 'false' if not specified. See VimVsanReconfigSpec.allowReducedRedundancy, ensureObjectAccessibility, and evacuateAllData.

Authentication
This operation uses the following authentication methods.
Responses
200

OK

Returns MoRefTask of type(s) application/json
"MoRefTask Object"

500

InvalidState: if the vSAN is not enabled or encryption is not enabled on the cluster.

Returns VimFault of type(s) application/json
This response body class contains all of the following: InlineVimFault0
"VimFault Object"
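The following is an added example, not code from the vSAN API reference or from VMware: it composes the VsanEncryptedClusterRekeyRequestType body described under Request Body, applies the privilege rules from the description (deep rekey needs Cryptographer.ManageKeys plus Host.Inventory.EditCluster; shallow rekey may alternatively use Vsan.Cluster.ShallowRekey), and classifies the two documented responses (200 with a Task MoRef, 500 with a VimFault such as InvalidState). The JSON shape of a ManagedObjectReference (`_typeName`/`type`/`value`), the fault body shape, the cluster id `domain-c8` and the VsanVcClusterConfigSystem moId are assumptions for illustration; the sample responses are constructed, not captured from a vCenter.

```python
"""Compose and interpret a VsanEncryptedClusterRekey_Task call (offline).

Added example; all response payloads below are constructed for illustration.
"""
import json

# Privileges named on the reference page.
MANAGE_KEYS = "Cryptographer.ManageKeys"
EDIT_CLUSTER = "Host.Inventory.EditCluster"
SHALLOW_REKEY = "Vsan.Cluster.ShallowRekey"


def rekey_allowed(privileges, deep_rekey):
    """Return True if a caller holding `privileges` on the cluster may run
    the requested rekey, following the rules in the API description."""
    privs = set(privileges)
    if {MANAGE_KEYS, EDIT_CLUSTER} <= privs:
        return True
    # Only a shallow rekey may be authorised by the dedicated privilege alone.
    return (not deep_rekey) and SHALLOW_REKEY in privs


def moref(mo_type, mo_id):
    # Assumed JSON wire shape of a ManagedObjectReference.
    return {"_typeName": "ManagedObjectReference", "type": mo_type, "value": mo_id}


def build_rekey_request(cluster_moid, deep_rekey=False, allow_reduced_redundancy=False):
    """Build the VsanEncryptedClusterRekeyRequestType body.

    allowReducedRedundancy is documented as applicable only to a deep rekey,
    so requesting it for a shallow rekey is rejected instead of silently sent.
    """
    if allow_reduced_redundancy and not deep_rekey:
        raise ValueError("allowReducedRedundancy is only applicable to a deep rekey")
    body = {"encryptedCluster": moref("ClusterComputeResource", cluster_moid)}
    if deep_rekey:
        body["deepRekey"] = True
        if allow_reduced_redundancy:
            body["allowReducedRedundancy"] = True
    # Omitted optional fields take their documented defaults (false).
    return body


def rekey_url(api_host, release, moid):
    """URI from the Request section, with the path parameters filled in."""
    return (f"https://{api_host}/sdk/vim25/{release}/vsan/"
            f"VsanVcClusterConfigSystem/{moid}/VsanEncryptedClusterRekey_Task")


def interpret_response(status, body_text):
    """Classify an HTTP response into ("task", task_moid) for 200 or
    ("fault", fault_type) for 500; anything else is unexpected."""
    data = json.loads(body_text)
    if status == 200:
        # MoRefTask: a ManagedObjectReference whose value is the task id.
        return ("task", data.get("value"))
    if status == 500:
        # Assumed: the fault body carries its type in _typeName.
        return ("fault", data.get("_typeName"))
    raise RuntimeError(f"unexpected HTTP status {status}")


if __name__ == "__main__":
    # Constructed sample: a deep rekey request and both documented outcomes.
    print(rekey_url("vc.example.test", "9.0.0.0", "vsan-cluster-config-system"))
    print(json.dumps(build_rekey_request("domain-c8", deep_rekey=True), indent=2))
    ok = json.dumps(moref("Task", "task-123"))
    bad = json.dumps({"_typeName": "InvalidState", "faultMessage": []})
    print(interpret_response(200, ok), interpret_response(500, bad))
```

Before submitting a deep rekey, check `rekey_allowed` against the caller's effective privileges on the cluster; a 500 InvalidState in the response means vSAN or encryption is not enabled on that cluster, and a 200 returns only the Task reference, which still has to be monitored to completion because re-encrypting the datastore under the new DEK takes time.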

Code Samples
                    curl -X POST \
                      -H 'Authorization: <value>' \
                      -H 'Content-Type: application/json' \
                      -d '{"encryptedCluster": {"_typeName": "ManagedObjectReference", "type": "ClusterComputeResource", "value": "<clusterMoId>"}, "deepRekey": false}' \
                      https://{api_host}/sdk/vim25/{release}/vsan/VsanVcClusterConfigSystem/{moId}/VsanEncryptedClusterRekey_Task