Data Object - VsanDataEncryptionConfig(vim.vsan.DataEncryptionConfig)

Property of
VimVsanHostDiskMapInfoEx, VimVsanReconfigSpec, VsanConfigInfoEx, VsanDiskFormatConversionSpec
Extends
DynamicData
See also
KeyProviderId
Since
vSAN API 6.6

Data Object Description

The data encryption spec of a vSAN cluster.

Properties

Name Type Description
changing*xsd:boolean

Whether Encryption has finished enabling or disabling operation. When changing is true, then encryption has not finished enabling or disabling. Changing will become false once all hosts currently in the cluster have adapted to the current setting of encryptionEnabled. No guarantee can be made that all data will be encrypted until changing is false and encryptionEnabled is true. This value can be read, but should never be set by API callers Reconfiguring a cluster.
dekGenerationId*xsd:long

DEK generation number of the vSAN cluster. Do not set a generation number for this when reconfiguring vSAN encryption because such a field will be created and managed automatically by vSAN.
encryptionEnabledxsd:boolean

Is data encryption enabled on the cluster? Enabling encryption on a cluster will proceed to encrypt all the hosts. Progress of this can be tracked by the changing flag and the reconfigure task. Disabling encryption, will expose all previously encrypted data in the clear.
eraseDisksBeforeUse*xsd:boolean

Whether disks should be wiped when a normal disk is converted to encrypted disk, or a disk is claimed as encrypted disk, or a disk runs deep rekey. If set true, every sector on a disk will be written with random data. Disk wipe does significantly reduce the possibility of data leak and increases the attacker's cost to reveal sensitive data. The disadvantage of disk wipe is that it takes a long time to finish, so turn it on through UI or API only when necessary. If not set, disk won't be wiped.
hostKeyId*xsd:string

The Id of host key which is used for host core dump encryption. Do not set this value when reconfiguring vSAN encryption, because such key will be created automatically from key management server.
kekId*xsd:string

The KEK Id of the KMS cluster to use. Do not set a key's Id for this when reconfiguring vSAN encryption, because such key will be created automatically from key management server. There is rare use case to put a valid key Id here, for example, when restoring configuration for the cluster from existing running hosts.
kmsProviderId*KeyProviderId

The Id of the KMS cluster to use for vSAN Encryption. Keys will be created on and used from this KMS. This parameter is ignored if encryption is disabled. It must be set to a valid KMS cluster ID if encryption is enabled. When it is already an encrypted vSAN cluster and a different value of kmsProviderId is provided, it will switch to the new KMS cluster as specified by new kmsProviderId. A new KEK Id will also be created in the new KMS cluster and a shallow rekey is performed to use the new KEK. See kmipServers and KmipClusterInfo
Properties inherited from DynamicData
None
*Need not be set
Show WSDL type definition