vSAN Management API
Data Object - VsanHostEncryptionInfo(vim.vsan.host.EncryptionInfo)
- Property of: VsanEncryptionHealthSummary, VsanHostConfigInfoEx, VsanPrepareVsanForVcsaSpec, VsanVcPostDeployConfigSpec
- Extends: DynamicData
- See also: KmipServerSpec
- Since: 6.6
Data Object Description

VMware vSAN can encrypt data on disk. The following terms and acronyms are used to describe how the encryption works:

- DEK (Data Encryption Key): the key used to encrypt the data on each disk. For safety, vSAN never persists a DEK in plain form; it encrypts the DEK and stores only the encrypted form.
- KEK (Key Encryption Key): a vSAN cluster maintains one KEK, which is used to encrypt the DEKs. vSAN does not persist the KEK itself; it persists only the Id of the KEK and retrieves the plain KEK from the KMS (see below) by presenting that Id.
- KMS (Key Management Server): the server where the KEK is generated and stored. KMS products from several popular vendors are supported, such as SafeNet, Thales, Vormetric, and HyTrust.

This object holds the encryption configuration for the vSAN encryption service: the encryption enablement state, the KEK Id, KMS information, the client certificate, the client private key, and the KMS certificates.

Properties
Name | Type | Description |
---|---|---|
changing* | xsd:boolean | Whether the encryption state is currently changing so that all disk groups match the state described in enabled. |
clientCert* | xsd:string | Client certificate in PEM encoding. The host uses this certificate to authenticate when connecting to the KMS. |
clientKey* | xsd:string | Client private key. The host uses this key to authenticate when connecting to the KMS. |
dekGenerationId* | xsd:long | Data Encryption Key (DEK) generation number. |
dekId* | xsd:string | UUID of the cluster-wide Data Encryption Key (DEK). Since 8.0.0.1. |
dekVerifier* | xsd:string | Verifier of the DEK, calculated by encrypting all-zero data with the DEK. An ESX host can verify the correctness of the DEK using this verifier. Since 8.0.0.1. |
enabled* | xsd:boolean | Encryption enablement state. |
eraseDisksBeforeUse* | xsd:boolean | Whether disks should be wiped when a normal disk is converted to an encrypted disk, a disk is claimed as an encrypted disk, or a disk undergoes a deep rekey. If set to true, every sector on the disk is overwritten with random data. Wiping significantly reduces the possibility of data leakage and raises an attacker's cost to recover sensitive data; its disadvantage is that it takes a long time to finish, so enable it through the UI or API only when necessary. If not set, the disk is not wiped. |
hostKeyId* | xsd:string | The Id of the host key used for host core dump encryption. vCenter should generate this key by calling the key management server and pass the Id to the ESXi host; the ESXi host can later retrieve the key with this Id. |
iv* | xsd:string | Initialization vector used by the encryption algorithm, encoded as a string. Since 8.0.0.1. |
kekId* | xsd:string | Unique Id of the KEK in the KMS cluster. It is returned by the KMS after vCenter invokes the key generation operation; an ESX host can retrieve the key with this Id. |
kekVerifier* | xsd:string | Verifier of the KEK, calculated by encrypting all-zero data with the KEK. An ESX host can verify the correctness of the KEK using this verifier. Since 8.0.0.1. |
kmipServers* | KmipServerSpec[] | The KMS servers where the global KEK is created and stored. The host fetches the KEK from this KMS cluster using the given KEK Id. |
kmsServerCerts* | xsd:string[] | Certificates of the Key Management Servers in PEM encoding. The host uses these certificates to decide whether a KMS should be trusted. |
oldDekId* | xsd:string | UUID of the old cluster-wide Data Encryption Key (DEK). Since 8.0.0.1. |
oldDekVerifier* | xsd:string | Verifier of the old DEK, calculated by encrypting all-zero data with the old DEK. An ESX host can verify the correctness of the old DEK using this verifier. Since 8.0.0.1. |
oldWrappedDek* | xsd:string | Old Data Encryption Key (DEK) wrapped by the Key Encryption Key (KEK). Since 8.0.0.1. |
syncing* | xsd:boolean | Whether the cluster is syncing the encryption configuration while it enables encryption or performs a deep rekey. Since 8.0.0.1. |
wrappedDek* | xsd:string | Data Encryption Key (DEK) wrapped by the Key Encryption Key (KEK). Since 8.0.0.1. |

Properties inherited from DynamicData: None
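Added example, not code from the vSAN API or from VMware: a Go model of how the kekId, kekVerifier, wrappedDek and dekVerifier fields fit together, with vCenter producing the record and the host checking the KEK it fetched from the KMS against kekVerifier before it unwraps the DEK and checks that too. The hex encoding, the single all-zero AES block as the verifier, and AES-GCM as the wrap algorithm are assumptions; the page does not state the algorithms vSAN actually uses.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// EncryptionInfo: the VsanHostEncryptionInfo fields a host needs to recover the DEK (hex and AES-GCM are assumptions).
type EncryptionInfo struct{ KekId, KekVerifier, WrappedDek, DekVerifier string }
func block(key []byte) cipher.Block { // key must be 16, 24 or 32 bytes
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}
// Verifier: one all-zero block encrypted with key, so the key can be checked later without storing it.
func Verifier(key []byte) string {
	out := make([]byte, aes.BlockSize)
	block(key).Encrypt(out, make([]byte, aes.BlockSize))
	return hex.EncodeToString(out)
}
// BuildInfo (vCenter side): wrap dek under kek as hex(nonce||ciphertext), with kekId bound as AAD.
func BuildInfo(kekId string, kek, dek []byte) EncryptionInfo {
	aead, _ := cipher.NewGCM(block(kek))
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	wrapped := aead.Seal(nonce, nonce, dek, []byte(kekId))
	return EncryptionInfo{KekId: kekId, KekVerifier: Verifier(kek),
		WrappedDek: hex.EncodeToString(wrapped), DekVerifier: Verifier(dek)}
}
// RecoverDek (host side): check the KEK fetched from the KMS against kekVerifier before unwrapping, then check the DEK.
func RecoverDek(info EncryptionInfo, kek []byte) ([]byte, error) {
	if Verifier(kek) != info.KekVerifier {
		return nil, errors.New("KEK verifier mismatch for " + info.KekId)
	}
	aead, _ := cipher.NewGCM(block(kek))
	raw, err := hex.DecodeString(info.WrappedDek)
	if ns := aead.NonceSize(); err == nil && len(raw) >= ns {
		dek, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(info.KekId))
		if err == nil && Verifier(dek) == info.DekVerifier {
			return dek, nil
		}
	}
	return nil, errors.New("wrappedDek did not unwrap to a DEK matching dekVerifier")
}
```

A KEK that fails its verifier is rejected before any unwrap is attempted, and a wrappedDek paired with a different kekId fails authentication, which is the failure mode the verifier fields exist to catch.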