Local Key Manager (LKM) for DaRE

  • 14 March 2023
  • 0 replies


Does the Nutanix Local Key Manager (LKM) satisfy the recommendations/requirements to safely implement the Data at Rest Encryption?

The documentation at: has the warning: "Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER THAT IS USING IT!! Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that cluster." 

I too share this concern, which led me to investigate External Key Managers, but I am wondering how using the LKM alleviates this risk. Also, as stated in the Nutanix Bible as well as here: 

"Now that Nutanix supports its own native LKM, Nutanix also takes the KEK and wraps it with a 256-bit encryption key called the machine encryption key (MEK). The MEK is distributed among the CVMs in the cluster using a splitting algorithm. Since the MEK is shared, each node can read what other nodes have written. To reconstruct the keys, a majority of the nodes need to be present. We use the equation K = ceiling (n / 2) to determine how many nodes are required for the majority. For example, in an 11-node cluster (n = 11), we would need 6 nodes online to decrypt the data." In the minimum 3-node cluster, which is what I have, that makes K = 2. What happens in the event that 2 of the 3 nodes are unavailable? 
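A worked illustration of the majority-threshold arithmetic quoted above, added here as an example; it is not code from the original post or from Nutanix. The page only says the MEK is distributed "using a splitting algorithm", so Shamir secret sharing over a prime field is assumed purely to show what a K-of-n threshold means for availability: any K shares reconstruct the key, and K-1 shares do not. The secret value and the field prime are constructed for the example.

```python
"""Threshold key splitting, illustrated with Shamir secret sharing.

Constructed example: Shamir's scheme is ASSUMED here as the splitting
algorithm; the page does not state which scheme Nutanix actually uses.
"""
import math
import secrets

# 256-bit prime field (2**256 - 189 is prime); a 256-bit key fits as a field element.
PRIME = 2**256 - 189


def majority_threshold(n: int) -> int:
    """K = ceiling(n / 2): the number of nodes that must be online to rebuild the key."""
    return math.ceil(n / 2)


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(secret: int, n: int, k: int, rng=secrets.randbelow):
    """Split `secret` into n shares so that any k shares reconstruct it.

    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is the point (i, f(i)). Fewer than k points leave the constant
    term undetermined.
    """
    assert 0 <= secret < PRIME and 1 <= k <= n
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_key(shares) -> int:
    """Lagrange interpolation at x = 0 over whatever shares are supplied.

    With at least k correct shares this returns the secret; with fewer it
    returns an unrelated field element (it cannot detect that it is short).
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def survives_outage(n: int, nodes_down: int) -> bool:
    """Can the nodes still up in an n-node cluster reassemble a K-of-n split key?"""
    return n - nodes_down >= majority_threshold(n)


def demo_three_node_cluster(secret: int = 0xC0FFEE, rng=secrets.randbelow) -> dict:
    """Constructed 3-node scenario: K = 2, so one surviving node is not enough."""
    n = 3
    k = majority_threshold(n)  # 2
    shares = split_key(secret, n, k, rng)
    return {
        "k": k,
        "two_nodes_ok": reconstruct_key(shares[:2]) == secret,
        "other_pair_ok": reconstruct_key(shares[1:]) == secret,
        "one_node_ok": reconstruct_key(shares[:1]) == secret,
    }


if __name__ == "__main__":
    for n in (3, 4, 5, 11):
        print(f"n={n:2d}  K={majority_threshold(n)}  "
              f"tolerates {n - majority_threshold(n)} node(s) down")
    print(demo_three_node_cluster())
```

Running the demo shows that for n = 3 the scheme tolerates exactly one node being down: two of the three shares rebuild the key, and a single share (2 of 3 nodes unavailable) does not. When sizing a cluster for this kind of key split, the figure to evaluate is n minus K, the number of simultaneous node failures the key store can absorb, alongside whatever separate recovery path exists for the key material.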
