Validating with Re-keys

  1. Log in to Nutanix Prism Element as an administrator.

  2. Select Data at Rest Encryption in the Settings page.

  3. In the Cluster Encryption page, select Manage Keys and click the Rekey button under Software Encryption. For more information on validating with Re-keys, see https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v6_7:wc-security-data-encryption-passwords-wc-aos-t.html.


[Figure: Re-key]

[Figure: Re-key Success]

  1. Shut down VMs in the Nutanix cluster.

  2. Stop Nutanix Cluster Services.

  3. Shut down CVMs and Nutanix Hosts in the cluster, wait for 3 minutes for the power to drain, and verify the shutdown status.

  4. Shut down both nodes of KMS Server.

  5. Power on the hosts and verify their status (the CVMs power on automatically).

  6. Start Nutanix Cluster Services.

  7. Power on the VMs to confirm that, with both KMS nodes down, the KEK (Key Encryption Key) cannot be retrieved from the KMS and the DEK (Data Encryption Key) therefore cannot unlock the drives, so the VMs fail to boot.

  8. Power on and start services on the active KMS node, attempt to boot the Nutanix VMs, and record the observed behavior.

Verify the events/logs of the KMS cluster to see if the keys are fetched successfully from the new active KMS server.

[Figure: Before Re-key]

[Figure: After Re-Key]