Nutanix release their own Local Key Manager

As part of the AOS 5.8 release, Nutanix has released their own Local Key Management server (aka Native Key Manager within Nutanix). The positive note here is this offers customers a route to remove the dependency on 3rd Party external Key Management Servers (KMS) for Data-at-Rest encryption (DAR).

Hypervisors Supported

  • AHV, VMware ESXi and Microsoft Hyper-V 2012R2 & 2016

Encryption Granularity

VMware ESXi and Microsoft Hyper-V

  • Encryption can be set at the Cluster level or at the Container level


  • Encryption can be set at the Cluster level upon deployment, this provides a “set & forget” security policy for AHV Encryption

Can encryption be disabled/reverted?

  • No, once encryption is set at a particular level it cannot be disabled

Can encryption be enabled on an existing cluster that already has some user data? 

VMware ESXi and Microsoft Hyper-V

  • Yes. Create a new encrypted Container, migrate data from old unencrypted Containers to the new encrypted Container(s), and after that, delete the old Container(s)


  • Only Cluster level encryption is supported, existing clusters cannot take advantage of SW Encryption, only new AHV clusters can be encrypted

Key Management, other

  • For Self-encrypting Drives (SED) the Native KMS support is planned, no date published
  • Native KMS support will require a minimum of 3-nodes in a cluster. The 1-node and 2-node solutions will require the use of a 3rd party External Key Manager

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s