How to identify the timestamps when the last KMS key was generated

Article ID: 374016

Products

VMware vSAN 7.x
VMware vSAN 8.x

Issue/Introduction

Use this article when vSAN data-at-rest encryption is in use and, for auditing purposes, the customer needs to identify the timestamps at which the last shallow key regeneration was performed.

Environment

VMware vCenter
VMware vSAN 7.x
VMware vSAN 8.x

 

Resolution

Search vCenter's vmware-vsan-health-service.log for the keywords below to capture the start and completion times of the KMS key generation.

Keywords/Pattern
Start time: "RekeyEncryptedCluster.*Rekey"
Completion time: "New vsan KEK"

File: (vc) /var/log/vmware/vsan-health/vmware-vsan-health-service.log

Sample log:
YYYY-MM-DDThh:mm:ss INFO vsan-mgmt[xxxxx] [VsanVcClusterConfigSystemImpl::RekeyEncryptedCluster opID=xxxxxxxx] Rekey 'vim.ClusterComputeResource:domain-cX' deepRekey=False (allowReducedRedundancy=False)
YYYY-MM-DDThh:mm:ss INFO vsan-mgmt[xxxxx] [VsanVcClusterConfigSystemImpl::PreTaskAction opID=xxxxxxxx] New vsan KEK id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is used
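
For an audit record, the two patterns above can be paired so that each rekey is reported with its start time, completion time and new KEK id. The following is an added example, not part of the original article or VMware tooling. It assumes the start and completion lines of one rekey carry the same opID, as the sample log suggests; the function names and the embedded log lines, including the deepRekey=True entry, are constructed for illustration.

```python
import re

# Patterns from the article: start ("RekeyEncryptedCluster.*Rekey") and completion ("New vsan KEK").
START = re.compile(
    r"^(?P<ts>\S+) .*RekeyEncryptedCluster opID=(?P<op>[^\]\s]+)\] Rekey "
    r"'(?P<cluster>[^']+)' deepRekey=(?P<deep>True|False)")
DONE = re.compile(
    r"^(?P<ts>\S+) .*opID=(?P<op>[^\]\s]+)\] New vsan KEK id '(?P<kek>[^']+)'")

# Constructed sample lines in the article's log format (not real log data).
SAMPLE_LOG = """\
2024-01-10T09:00:01 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::RekeyEncryptedCluster opID=aaaa0001] Rekey 'vim.ClusterComputeResource:domain-c8' deepRekey=False (allowReducedRedundancy=False)
2024-01-10T09:00:07 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::PreTaskAction opID=aaaa0001] New vsan KEK id '00000000-0000-0000-0000-000000000001' is used
2024-02-01T22:15:00 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::RekeyEncryptedCluster opID=bbbb0002] Rekey 'vim.ClusterComputeResource:domain-c8' deepRekey=True (allowReducedRedundancy=False)
2024-02-01T22:15:05 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::PreTaskAction opID=bbbb0002] New vsan KEK id '00000000-0000-0000-0000-000000000002' is used
2024-02-15T08:00:00 INFO vsan-mgmt[11111] [ConstructedComponent opID=eeee0005] unrelated constructed line
2024-03-05T14:30:00 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::RekeyEncryptedCluster opID=cccc0003] Rekey 'vim.ClusterComputeResource:domain-c8' deepRekey=False (allowReducedRedundancy=False)
2024-03-05T14:30:09 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::PreTaskAction opID=cccc0003] New vsan KEK id '00000000-0000-0000-0000-000000000003' is used
2024-03-20T11:00:00 INFO vsan-mgmt[11111] [VsanVcClusterConfigSystemImpl::RekeyEncryptedCluster opID=dddd0004] Rekey 'vim.ClusterComputeResource:domain-c8' deepRekey=False (allowReducedRedundancy=False)
"""

def rekey_events(lines):
    """Return rekey events in log order, pairing start and completion by opID (assumption)."""
    events, open_by_op = [], {}
    for line in lines:
        m = START.search(line)
        if m:
            ev = {"opID": m["op"], "cluster": m["cluster"], "deep": m["deep"] == "True",
                  "start": m["ts"], "end": None, "kek_id": None}
            events.append(ev)
            open_by_op[m["op"]] = ev
            continue
        m = DONE.search(line)
        if m and m["op"] in open_by_op:
            ev = open_by_op.pop(m["op"])
            ev["end"], ev["kek_id"] = m["ts"], m["kek"]
    return events  # a start with no completion line keeps end=None

def last_shallow_rekey(lines):
    """Latest completed shallow rekey (deepRekey=False), or None if the log has none."""
    done = [e for e in rekey_events(lines) if not e["deep"] and e["end"]]
    return done[-1] if done else None

if __name__ == "__main__":
    print(last_shallow_rekey(SAMPLE_LOG.splitlines()))
```

Both functions accept any iterable of lines, so an open file handle on a copy of vmware-vsan-health-service.log can be passed in place of the sample.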