Solved

Data at Rest Encryption Cold Reboot - Testing

  • 5 May 2017
  • 3 replies
  • 1564 views

Badge +5
Hi,

We have a Nutanix cluster using Vormetric Key Management and SEDs.
The test is to disconnect the Key Managers from the network and do a power-off reboot of a Nutanix node.

We expected the machine to come up with ESXi from the SATADOM boot, but a CVM was also loaded. All of the cluster services were down and the node wasn't functional, but we were surprised to see that the CVM had started.
Is this expected behavior? Our understanding was that the CVM was stored on the drives (which should have been locked), or did we just see the SVMBOOT portion of the CVM and it wasn't really all there?

Thanks for any feedback.
Bob

Best answer by bezeddin 6 May 2017, 16:16

The SATADOM houses the hypervisor and the base config of the CVM, as well as the svmboot.iso used by the CVM to boot,
so whenever KMIP is disconnected from the box the CVM will always be able to start.
Communication between ESXi and the CVM boot partition is not encrypted;
data is only encrypted when it touches the SED drives.
You can try it by unmounting the SED drives and mounting them on another system.

3 replies

Badge +5
Ok - so it sounds like the CVM starting (but not operational) is expected behavior.
Thanks.
That is really the validation I was looking for.
Userlevel 7
Badge +35
Great to see you helping the community bezeddin - we are lucky to have you!
