Since AOS 5.5 you can use software encryption to secure data on Nutanix instead of SED drives. To enable encryption, with AOS 5.5 you have to have external Key management system (KMS) to manage encryption keys. With AOS 5.8 release, Nutanix introduced local Key native Management System (Native KMS). Software solution build in Acropolis to help you reduce infrastructure and certificate management complexity by replacing external (hardware based) KMS solutions.
NOTE: external KMS are still supported. As of today (Sep 5, 2018) following external KMS systems are supported:
- Gemalto SafeNet
- Verometric
- IBM SKLM
- Winmagic
- Fornetics
Software-based encryption is supported on:
- cluster level for Nutanix AHV, VMware vSphere and Microsoft Hyper-V
- container level – VMware vSphere and Microsoft Hyper-V
How to enable Nutanix Software encryption with a native key management system.
Requirements:
- AOS 5.8
- at least 3 node cluster
- hypervisors:
- Nutanix AHV
- VMware vSphere
- Microsoft Hyper-V
- encryption licenses
NOTE: As of today (Sep 5, 2018) Nutanix with AHV you can enable software encryption only on an empty cluster (without any Guest VMs).
- Apply encryption License cluster
- To enable software encryption on Nutanix cluster, log in to Prism Element and from the main menu choose Data-at-Rest Encryption. Choose Cluster’s local KMS.
- Save KMS type
- That’s it. Encryption on the cluster has been enabled. Next step will be to backup encryption Keys and store it in a safe place outside of the cluster
Backup encryption keys
Now the system is ready to encrypt the data. You can enable encryption in advance setting of the container
Enable encryption on container
