In the previous blog post we covered registering the KMS server with vCenter.
In part 3 we proceed with enabling encryption on the vSAN cluster.
Enable Encryption on vSAN cluster:
The account doing this needs the following privileges:
- Host → Inventory → Edit Cluster
- Cryptographer → Manage Encryption Policy
- Cryptographer → Manage KMS
- Cryptographer → Manage Keys
You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
The cluster’s disk-claiming mode must be set to manual.
You cannot enable encryption without a KMS server. Since the KMS server was added in the previous part, navigate to vSAN Cluster ⇒ Configure ⇒ General and click Edit to modify the cluster settings.
Click Encryption and select the KMS server. In my case, because the KMS server is already registered, it automatically detects HyTrust. Click OK to proceed.
This operation starts a rolling reformat (evacuate, format, restore) of all disk groups and runs for a long time. Make sure there is enough free space in the vSAN datastore and that the disk threshold level has not been reached; otherwise the operation fails with “Not enough resources”.
Resync starts and runs in parallel with the operation. Here we can see that the convert disk format operation has been executed as a rolling reformat and upgrade. How long it takes depends on the number of hosts and the amount of storage in the cluster.
You can see the current status of the task under the General tab ⇒ Disk format version.
Once the disk group upgrade completes, run the tests in vSAN Health. Rerun the vSAN health checks after encryption has completed and confirm that all tests pass. In my scenario everything is green.
All hosts are communicating with the KMS server and completing the KEK retrieval process.
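The same procedure driven from PowerCLI, as an added example that is not part of the original post or of VMware's or HyTrust's documentation. It runs the two prerequisite checks (KMS cluster registered, disk claiming set to manual), checks datastore headroom before starting the rolling reformat, enables encryption, waits for resync to drain, and reruns the health check. The vCenter name, cluster name, KMS cluster name and the 30% free-space threshold are placeholders for your environment; a few object property names are marked as assumptions in the comments.

```powershell
# Added example, not from the original post. Assumes VMware.PowerCLI is installed
# and the KMS cluster was registered and trusted in part 2 of the series.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local' | Out-Null   # placeholder vCenter

$clusterName   = 'vSAN-Cluster'   # placeholder cluster name
$kmsName       = 'HyTrust-KMS'    # placeholder KMS cluster name as registered in vCenter
$minFreePct    = 30               # constructed threshold; pick one that suits your cluster

$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop

# 1. Encryption cannot be enabled without a KMS cluster: fail early if it is missing.
$kms = Get-KmsCluster -Name $kmsName -ErrorAction Stop

# 2. Disk claiming must be manual before encryption can be switched on.
$cfg = Get-VsanClusterConfiguration -Cluster $cluster
if ($cfg.VsanDiskClaimMode -ne 'Manual') {
    Write-Host "Switching disk claim mode from $($cfg.VsanDiskClaimMode) to Manual"
    $cfg = Set-VsanClusterConfiguration -Configuration $cfg -VsanDiskClaimMode Manual -Confirm:$false
}

# 3. The rolling reformat evacuates each disk group in turn, so the datastore
#    needs headroom; otherwise the task fails with "Not enough resources".
$usage   = Get-VsanSpaceUsage -Cluster $cluster
$freePct = [math]::Round(100 * $usage.FreeSpaceGB / $usage.CapacityGB, 1)
if ($freePct -lt $minFreePct) {
    throw "Only $freePct% of the vSAN datastore is free; not starting the reformat."
}
Write-Host "vSAN datastore has $freePct% free, proceeding."

# 4. Enable data-at-rest encryption. This is the same action as the Edit dialog
#    in the UI and kicks off the evacuate / format / restore cycle per disk group.
$cfg = Set-VsanClusterConfiguration -Configuration $cfg `
        -EncryptionEnabled $true -KmsCluster $kms -Confirm:$false
Write-Host "Encryption enabled: $($cfg.EncryptionEnabled)"   # property name assumed

# 5. Resync runs in parallel with the reformat; poll until nothing is left to sync.
do {
    $resync = @(Get-VsanResyncingComponent -Cluster $cluster)
    Write-Host "$(Get-Date -Format 'HH:mm:ss') resyncing components: $($resync.Count)"
    if ($resync.Count -gt 0) { Start-Sleep -Seconds 300 }
} while ($resync.Count -gt 0)

# 6. Rerun the vSAN health check and report the overall status, as the post does
#    from the vSAN Health tab. OverallHealthStatus/Description are assumed names.
$health = Test-VsanClusterHealth -Cluster $cluster
Write-Host "vSAN health: $($health.OverallHealthStatus) - $($health.OverallHealthDescription)"

Disconnect-VIServer -Server * -Confirm:$false
```

The free-space check is deliberately placed before the configuration change: once the reformat has started on a disk group, aborting is far more disruptive than waiting for capacity beforehand. If the health run is not green, the test group to look at first is the encryption one, which reports whether every host can reach the KMS and fetch its KEK.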
This ends the “Deploying and configuring HyTrust server in vSAN” series. If you want to go through the series again, the direct links are below:
If you like this blog post, please feel free to share with your friends on social media.
Thanks for reading!!