How to move vSAN encryption to Native Key Provider (NKP).

Article ID: 392250

Updated On: 03-29-2025

Products

VMware vSAN

Issue/Introduction

How to change the Key Provider in use by vSAN to the vCenter Native Key Provider (NKP). 

Environment

vSAN 8.x

vSAN 7.x 

 

Resolution

1. Deploy and configure the Native Key Provider.

See: Configure a vSphere Native Key Provider

2. Make the Native Key Provider the default KMS.

See: Set the Default Key Provider Using the vSphere Client

3. Change the KMS in use by vSAN from the external KMS to the Native Key Provider (NKP). This setting is under cluster > configure > vSAN services.

 

Changing the KMS performs a shallow rekey operation, NOT a deep rekey operation. As long as the "Wipe residual data" option is not checked, this operation will not impact data availability.