When using vSAN Encryption, where does the Key Encryption Key persistently reside?
A. in /etc/vmware/ssl on each vSAN host
B. in the KMS server
C. in a VM configuration file on vSAN
D. in the vCenter Server cache
B is the correct answer!
According to VMware’s documentation on vSAN Encryption:
“After a vSAN host boots, it will read the values in /etc/vmware/esx.conf and request the KEK and Host Key from the KMS using the KEK Id and Host Key Id respectively, directly from the KMS.”
https://blogs.vmware.com/virtualblocks/2018/07/13/understanding-ve-booting-w-vc-unavailable/