vSAN encryption health may affect LCM upgrades in VMware Cloud Foundation
Article ID: 316863
Products
VMware Cloud Foundation
Issue/Introduction
When vSAN encryption is enabled for a vSAN cluster, the relationship with the KMS server must be in a healthy state before attempting any upgrades on the ESXi hosts. If this connection is not healthy, ESXi host upgrades via LCM will ultimately fail and the data on the vsandatastore may be lost.
Environment
VMware Cloud Foundation 2.x
Resolution
Ensure that the relationship with the KMS server is healthy prior to starting any LCM upgrades in VMware Cloud Foundation. Ensure that a backup key is available in the event that the relationship with the KMS server cannot be restored. Ensure that there are current backups of all VMs running on the vsandatastore in the event that decryption is not possible.
Additional Information
Impact/Risks: All data on the affected vsandatastore may be lost if an upgrade is attempted and the relationship to the KMS server is not established and healthy. In lieu of reestablishing a connection to the KMS server, a backup key can be used to decrypt the data on the vsandatastore.