An administrator is preparing to enable vSAN Data-at-Rest Encryption and must verify that the identity and key provider prerequisites are met before proceeding with the configuration.
Which two requirements must be met? (Choose two.)
A. OSA requires a trusted KMS identity before encryption can be enabled.
B. ESA requires Trusted Platform Modules (TPMs).
C. OSA does not support external KMS integration.
D. ESA requires a trusted KMS identity before encryption can be enabled.
Both vSAN OSA and vSAN ESA require a trusted key provider before Data-at-Rest Encryption can be enabled. With a standard external KMS, the configuration process includes adding the KMS to vCenter and establishing trust with the KMS. vCenter then provisions encryption keys from the key provider. The vSAN encryption workflow uses a Key Encryption Key from the KMS to protect the Data Encryption Keys used by ESX hosts. This requirement applies to vSAN encryption generally and is not limited to a specific vSAN architecture.

OSA supports external KMS integration, so the option stating that OSA does not support external KMS integration is incorrect.

Trusted Platform Modules are not mandatory prerequisites for either OSA or ESA. The vSphere key provider requirements state that a TPM is not required for a standard key provider or for vSphere Native Key Provider, although Native Key Provider availability can optionally be restricted to hosts with TPMs.

Therefore, the mandatory prerequisite is a trusted KMS identity for both OSA and ESA.

Reference topics: vSAN Data-at-Rest Encryption, Standard Key Provider, KMS Trust, OSA and ESA Encryption Support, TPM Requirements.