Configuring on Nutanix AHV

This section provides the step-by-step procedure for integrating ESKM with Nutanix.

  1. Log in to Nutanix Prism Element as an Administrator.

[Figure: Login Page]

  2. Select Data at Rest Encryption in the Settings page. The Data-at-Rest Encryption page appears.

[Figure: Data-at-Rest Encryption]

  3. Click Create Configuration. Clicking the Continue Configuration button, the configure it link, or the Edit Config button does the same thing: it displays the Data-at-Rest Encryption configuration page.

  4. For Key Management Server, select An external KMS.

  5. In the Certificate Signing Request Information section, do the following:

    • Enter your organization's details in the Email, Organization, Organizational Unit, Country Code, City, and State fields, and then click the Save CSR Info button. To specify more than one Organizational Unit name, enter a comma-separated list.

      [Figure: Certificate Signing Information]

    • The saved information is used to generate the certificate signing request (CSR) for each node in the cluster.

    • Click the Download CSRs button. In the Certificate Signing Requests screen, click Download CSRs for all nodes to download a file containing the CSRs for all nodes, or click the Download link next to a node to download a file containing the CSR for that node only.

You can update this information until an SSL certificate for a node is uploaded to the cluster, at which point the information cannot be changed (the fields become read-only) without first deleting the uploaded certificates.

[Figure: Download CSRs for all Nodes]

After completing step 5, have the downloaded CSRs signed by the ESKM certificate authority in the ESKM Management Console; the signed node certificates are uploaded in the Manage Signed Certificates step below. Then return to the Data-at-Rest Encryption configuration page in Prism Element and continue with the following steps.

  6. In the Key Management Server section, click the Add New Key Management Server button.

[Figure: Add New Key Management Server]

  7. In the Add a New Key Management Server screen, enter the ESKM's Name, IP address, and Port Number in the appropriate fields.

[Figure: Add Address]

The port is the one on which the ESKM listens for KMIP (the OASIS Key Management Interoperability Protocol, carried over TLS). The default port number is 5696.

  8. If you have configured multiple ESKM devices in cluster mode, click the Add Address button and enter the address of each ESKM device in the cluster.

  9. Click Save.

[Figure: Manage Certificates]

  10. In the KMS CA Certificates section, click Add New Certificate Authority.

[Figure: Add New Certificate Authority]

  11. In the Add a New Certificate Authority section, click the Upload CA Certificate button and upload the ESKM CA certificate. This is the CA that signed both the ESKM KMIP server certificate and the node (client) certificates, and the nodes use it to verify the ESKM during the TLS handshake.

[Figure: Upload CA Certificates]

  12. Enter a Certificate Authority Name.

[Figure: Certificate Authority Name]

  13. Click Save.

[Figure: Certificate Authority Name]

  14. Go to the Key Management Server section and click the Manage Certificates button.

  15. In the Manage Signed Certificates screen, click Upload Files to upload the signed certificates for all nodes in one step.

[Figure: Manage Signed Certificates]

  16. Click the Test all nodes button to test the certificates for all nodes in one step. A status of Verified indicates that the test was successful for that node.

If a node shows "unverified," it could not complete a verified connection to the key management server: either the node cannot reach the ESKM on the KMIP port, or a certificate problem (for example, a node certificate that was not signed by the uploaded CA, or an ESKM server certificate that does not chain to it) caused the TLS handshake to fail. Make sure every node shows "Verified" before you enable encryption.
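The following Go code is an added example and is not Nutanix or ESKM code. It repeats, from one node's point of view, what Test all nodes checks: VerifyNodeCert confirms that a signed node certificate chains to the uploaded ESKM CA, is within its validity period and permits TLS client authentication (the usual reasons a certificate is rejected), and ProbeKMIP performs the mutual-TLS handshake to an ESKM address on the KMIP port (5696 unless a port is given) and returns the server certificate it verified, so a connectivity failure and a certificate failure are reported separately. DemoPKI mints a throwaway CA, node certificate and server certificate so both checks can be exercised offline; against a real cluster you would instead read the ESKM CA file, the node's signed certificate and private key from disk and pass every ESKM address configured in Prism (all file names and addresses here are hypothetical). Call the two check functions from a Go test or a small main.

```go
// Added example, not Nutanix or ESKM code: it repeats, from one node's point of
// view, the two checks behind Prism's "Test all nodes" button so that an
// "unverified" node can be diagnosed before encryption is enabled.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

const DefaultKMIPPort = "5696" // the port Prism pre-fills for a key management server

// CAPool turns the PEM uploaded as the KMS CA certificate into a trust store.
func CAPool(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA file contains no usable certificate")
	}
	return pool, nil
}

// VerifyNodeCert checks a signed node certificate the way ESKM does when the
// node connects: it must chain to the uploaded CA, be valid at now, and carry
// the TLS client-authentication extended key usage.
func VerifyNodeCert(nodePEM, caPEM []byte, now time.Time) error {
	block, _ := pem.Decode(nodePEM)
	if block == nil {
		return errors.New("node file contains no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots, err := CAPool(caPEM)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// ProbeKMIP performs the mutual-TLS handshake a node performs against one ESKM
// address and returns the server certificate it verified. A bare address gets
// the KMIP default port, as Prism does.
func ProbeKMIP(addr string, nodeCert tls.Certificate, caPEM []byte, timeout time.Duration) (*x509.Certificate, error) {
	roots, err := CAPool(caPEM)
	if err != nil {
		return nil, err
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host, addr = addr, net.JoinHostPort(addr, DefaultKMIPPort)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{nodeCert}, RootCAs: roots,
		ServerName: host, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// DemoPKI mints a throwaway CA, a client-auth node certificate and a server
// certificate for 127.0.0.1 so the checks above can run offline. Constructed
// test material only; real node certificates are issued by the ESKM CA.
func DemoPKI() (caPEM, nodePEM []byte, nodeCert, serverCert tls.Certificate) {
	tmpl := func(cn string, eku x509.ExtKeyUsage, ips []net.IP) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
			Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	}
	// mint issues t under parent with a fresh Ed25519 key; a nil signer means self-signed.
	mint := func(t, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, tls.Certificate) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		if signer == nil {
			signer = key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
			tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	}
	ca := tmpl("Demo ESKM CA", x509.ExtKeyUsageAny, nil)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	var caTLS tls.Certificate
	caPEM, caTLS = mint(ca, ca, nil)
	caKey := caTLS.PrivateKey.(ed25519.PrivateKey)
	nodePEM, nodeCert = mint(tmpl("node-1", x509.ExtKeyUsageClientAuth, nil), ca, caKey)
	_, serverCert = mint(tmpl("demo-eskm", x509.ExtKeyUsageServerAuth, []net.IP{net.ParseIP("127.0.0.1")}), ca, caKey)
	return
}
```

ProbeKMIP passes the host part of the address as ServerName, so an ESKM whose server certificate carries no subject alternative name matching that host or IP fails the probe with a hostname error, which points at the ESKM certificate rather than at the node. The equivalent one-off checks with OpenSSL (hypothetical file names) are openssl verify -purpose sslclient -CAfile ESKMCA.pem node1.pem for the node certificate and openssl s_client -connect eskm-1.example.net:5696 -CAfile ESKMCA.pem -cert node1.pem -key node1.key for the handshake; run the handshake check once per ESKM address added in step 8, since every cluster member must accept every node.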

  17. Click Submit. The following window is displayed.

[Figure: Uploaded Signed Certificates]

  18. When the configuration is complete, click the Enable Encryption button.

[Figure: Enable Encryption]

  19. The Enable Encryption window is displayed.

[Figure: Data-at-Rest Encryption Screen]

To help ensure your data's security, software-only data-at-rest encryption cannot be disabled once it is enabled. Nutanix recommends regularly backing up your data, your encryption keys, and the key management server.

  20. Type ENCRYPT and click the Encrypt button. Data-at-rest encryption is now enabled. To view the encryption status of the cluster or container, go to Data at Rest Encryption in the Settings menu.

When you enable encryption, a low-priority background task encrypts all existing unencrypted data. The task uses whatever CPU capacity is available so that it finishes within a reasonable time; if the system is busy with other workloads, the task consumes less CPU. Depending on the amount of data in the cluster, the background task can take 24 to 36 hours to complete.

[Figure: Data-at-Rest Encryption Screen - Encrypting Cluster]

Once the task to encrypt a cluster begins, you cannot cancel the operation. Even if you stop and restart the cluster, the system resumes the operation.