Nutanix Local Key Manager

  • 10 May 2022
  • 3 replies

Can someone provide a brief explanation of Nutanix local key manager and how it handles the following in ‘???’:

  • key access: access to the management console is restricted to authorized individuals based on job function.
  • changing / updating keys: encryption keys are updated from the management console, software encryption (rekey button) if necessary.
  • revoking keys: ??? (when does revoking keys happen?)
  • recovery keys: ??? (how do you recover if you have the key backup?)
  • archiving keys: keys are archived (backed up) from the management console, managed keys where you download the key backup by setting up a recovery password to decrypt the backup file. 
  • activity logs: ??? (are there activity logs for keys? If yes, where are they stored and how long is the retention before the activity is overwritten?)

BTW: I have this link already Native Local Key Manager ( but it does not have any details of the 

Thanks in advance.


3 replies

Were you able to find the answers to these questions? I’m particularly interested in recovery in the event of hardware or cluster failure as the LKM is on the same cluster.


Hello @wye88 and @whizzard 

Kindly check the below link:


Does the Nutanix Local Key Manager (LKM) satisfy the recommendations/requirements to safely implement the Data at Rest Encryption?
The documentation at: has the warning: "Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER THAT IS USING IT!! Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that cluster." 

I too share this concern, which led me to investigate External Key Managers, but I am wondering: how does using the LKM alleviate this risk?
Also, as stated in the Nutanix Bible as well as here: 

"Now that Nutanix supports its own native LKM, Nutanix also takes the KEK and wraps it with a 256-bit encryption key called the machine encryption key (MEK). The MEK is distributed among the CVMs in the cluster using a splitting algorithm.
Since the MEK is shared, each node can read what other nodes have written. To reconstruct the keys, a majority of the nodes need to be present. We use the equation K = ceiling (n / 2) to determine how many nodes are required for the majority. For example, in an 11-node cluster (n = 11), we would need 6 nodes online to decrypt the data."

In the minimum 3-node cluster, which is what I have, that makes K = 2. What happens in the event that 2 of the 3 nodes are unavailable?
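
Added illustration, not part of any post above and not Nutanix code: the quoted K = ceiling(n / 2) quorum modelled as a threshold secret-sharing scheme. Shamir's secret sharing is assumed here as a stand-in, because the quote only says "a splitting algorithm"; the function names and the random 256-bit key are constructed for the example.

```python
import math
import secrets

# Prime field for the shares; 2**521 - 1 is a Mersenne prime larger than any 256-bit key.
PRIME = 2**521 - 1

def quorum(n):
    """K = ceiling(n / 2), the formula quoted in the post."""
    return math.ceil(n / 2)

def split(secret, n, k):
    """Split secret into n shares; any k of them reconstruct it (assumed Shamir scheme)."""
    # Random polynomial of degree k - 1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange interpolation at x = 0 over the shares that are available."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def can_unlock(n, nodes_online):
    """Constructed scenario: share a random 256-bit key across n nodes,
    then try to rebuild it from only the nodes that are online."""
    mek = secrets.randbits(256)
    shares = split(mek, n, quorum(n))
    return combine(shares[:nodes_online]) == mek if nodes_online else False

if __name__ == "__main__":
    for n, online in [(3, 2), (3, 1), (11, 6), (11, 5)]:
        print(f"n={n} K={quorum(n)} online={online} unlock={can_unlock(n, online)}")
```

In this model, a 3-node cluster with one node online holds fewer than K = 2 shares, so the wrapped key cannot be rebuilt until a second share holder is back.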