As part of the AOS 5.8 release, Nutanix has released its own Local Key Management server (aka Native Key Manager within Nutanix). The positive note here is that this offers customers a route to remove the dependency on 3rd-party external Key Management Servers (KMS) for Data-at-Rest encryption (DAR).
Hypervisors Supported
- AHV, VMware ESXi and Microsoft Hyper-V 2012R2 & 2016
Encryption Granularity
VMware ESXi and Microsoft Hyper-V
- Encryption can be set at the Cluster level or at the Container level
AHV
- Encryption can be set at the Cluster level upon deployment; this provides a “set & forget” security policy for AHV Encryption
Can encryption be disabled/reverted?
- No, once encryption is set at a particular level it cannot be disabled
Can encryption be enabled on an existing cluster that already has some user data?
VMware ESXi and Microsoft Hyper-V
- Yes. Create a new encrypted Container, migrate data from the old unencrypted Container(s) to the new encrypted Container(s), and then delete the old Container(s)
AHV
- Only Cluster level encryption is supported, so existing clusters cannot take advantage of SW Encryption; only new AHV clusters can be encrypted
Key Management, other
- Native KMS support for Self-encrypting Drives (SED) is planned; no date has been published
- Native KMS support will require a minimum of 3 nodes in a cluster. The 1-node and 2-node solutions will require the use of a 3rd-party External Key Manager