AOS 7.0 - Support for Azure Key Vault with Nutanix Cloud Clusters.
To help reduce cost and complexity, Nutanix supports a native local key manager (LKM) for all clusters with three or more nodes. The LKM runs as a service distributed among all the nodes. You can activate it easily from Prism Element to enable encryption without adding another silo to manage.
Organizations often have to purchase external key managers (EKMs) separately, as software or as hardware appliances. Because the Nutanix LKM runs natively in the CVM, it is highly available and carries no variable add-on pricing based on the number of nodes: every time you add a node, you know the final cost. When you upgrade your cluster, the key management service upgrades with it. Upgrading infrastructure and management services in lockstep protects your security posture and availability by keeping you within the support matrix.
Nutanix software encryption provides native AES-256 data-at-rest encryption and can use any KMIP- or TCG-compliant external key management service (KMS) server, such as Vormetric and SafeNet, as well as the native Nutanix KMS. Cloud key vaults expose proprietary APIs rather than KMIP, which is why Azure Key Vault support only arrived with AOS 7.0 and PC 2024.3. Nutanix wants to ensure that customers have the choice of how they operate their environments.
The system uses Intel AES-NI acceleration for encryption and decryption processes to minimize any potential performance impacts.
Below is the process needed to enable support for Azure Key Vault. The steps are also shown on the diagram above.
1. Create an Azure Key Vault with a vault access policy. The access policy is tied to an app registration in Azure, which has a client secret associated with it. The key created in the vault must be of type RSA.
2. Configure Prism Central to use Azure Key Vault by running a CLI command with the tenant ID and client ID from the app registration.
command: mantle_cli kms azure create --name nc2disk --url https://nc2disk.vault.azure.net --key_id ncdisk --tenant_id bb047546-786f-4de1-bd75-24e5b6f79043 --client_id 80084c19-7799-4dab-b360-33c70ee3f3d2 --expiry_date 05/11/2026
azure: the cloud type.
--name: name of the key vault.
--url: the name of the key vault followed by .vault.azure.net.
--key_id: name of the key created in the key vault.
--tenant_id and --client_id: taken from the app registration.
3. From Prism Central, configure the bare-metal nodes to use the Azure Key Vault.
4. Once configured in Prism Central, the nodes talk directly to Azure Key Vault.
Note: The first copy of the data (written locally) is encrypted. The copy sent over the network is also encrypted and stored on a remote node.
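Steps 1 to 4 only say that the nodes "talk directly to Azure Key Vault". Here is what that exchange looks like, as an added example that is not code from the article or from Nutanix: a stand-alone pre-flight check that authenticates as the app registration with its client secret and verifies the key before you run mantle_cli. The vault name nc2disk and key name ncdisk are taken from the command above; the use of the standard Azure AD client-credentials flow, Key Vault REST API version 7.4, the requirement that the key allow wrapKey/unwrapKey, and the sample response are assumptions of this example.

```python
"""Pre-flight check for the Azure Key Vault configuration described above.

Added example, not code from the article or from Nutanix. It reproduces,
with only the standard library, what a cluster node must be able to do once
Prism Central hands it the configuration from step 2: obtain a token for
the app registration with its client secret (OAuth2 client-credentials
against the tenant) and fetch the key named by --key_id from the vault
named by --url. It then checks that the key is what step 1 requires: RSA,
enabled, and allowed to wrap and unwrap.

Assumptions not stated on the page: the nodes use the standard Azure AD
client-credentials flow and Key Vault REST API 7.4, and the key needs the
wrapKey/unwrapKey operations. The sample response below is constructed.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

KV_API_VERSION = "7.4"
RSA_KEY_TYPES = ("RSA", "RSA-HSM")          # RSA-HSM: RSA key held in an HSM-backed vault
REQUIRED_KEY_OPS = ("wrapKey", "unwrapKey")  # assumption, see module docstring

# Constructed sample in the shape Key Vault returns for GET /keys/{name}
# (key material shortened); used when the script is run without arguments.
SAMPLE_KEY_RESPONSE = {
    "key": {
        "kid": "https://nc2disk.vault.azure.net/keys/ncdisk/0123456789abcdef",
        "kty": "RSA",
        "key_ops": ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
        "n": "u1SU1L...", "e": "AQAB",
    },
    "attributes": {"enabled": True, "recoveryLevel": "Recoverable+Purgeable"},
}


def vault_url(vault_name):
    """Step 2's --url: the vault name followed by .vault.azure.net."""
    return f"https://{vault_name}.vault.azure.net"


def token_request(tenant_id, client_id, client_secret):
    """The client-credentials request a node sends to Azure AD: (url, body).

    The scope pins the token to Key Vault, so a leaked token cannot be
    replayed against other Azure APIs.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://vault.azure.net/.default",
    })
    return url, body


def key_request(vault_name, key_id, access_token):
    """The GET for the key named by --key_id: (url, headers)."""
    url = f"{vault_url(vault_name)}/keys/{key_id}?api-version={KV_API_VERSION}"
    return url, {"Authorization": f"Bearer {access_token}"}


def check_key(key_json):
    """Return the problems found in a parsed GET /keys/{name} body (empty list = usable)."""
    problems = []
    key = key_json.get("key", {})
    attrs = key_json.get("attributes", {})
    kty = key.get("kty")
    if kty not in RSA_KEY_TYPES:
        problems.append(f"key type is {kty!r}; Nutanix requires an RSA key")
    if not attrs.get("enabled", False):
        problems.append("key is disabled")
    missing = [op for op in REQUIRED_KEY_OPS if op not in key.get("key_ops", [])]
    if missing:
        problems.append("key_ops missing " + ", ".join(missing))
    return problems


def _post_form(url, body):
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def _get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def preflight(vault_name, key_id, tenant_id, client_id, client_secret):
    """Authenticate, fetch the key, and return check_key()'s findings."""
    token = _post_form(*token_request(tenant_id, client_id, client_secret))["access_token"]
    return check_key(_get_json(*key_request(vault_name, key_id, token)))


if __name__ == "__main__":
    # python3 kv_preflight.py VAULT KEY_ID TENANT_ID CLIENT_ID, with the client
    # secret in $AZURE_CLIENT_SECRET so it never lands in shell history.
    if len(sys.argv) == 1:
        findings = check_key(SAMPLE_KEY_RESPONSE)      # offline demonstration
    elif len(sys.argv) == 5:
        findings = preflight(*sys.argv[1:], os.environ["AZURE_CLIENT_SECRET"])
    else:
        sys.exit("usage: kv_preflight.py VAULT KEY_ID TENANT_ID CLIENT_ID")
    for problem in findings:
        print("FAIL:", problem)
    print("OK: key is usable" if not findings else "fix the above before running mantle_cli")
    sys.exit(1 if findings else 0)
```

Run it with no arguments to exercise the check against the constructed sample, or with the vault name, key name, tenant ID and client ID from the mantle_cli command above and the client secret in AZURE_CLIENT_SECRET to test the real vault. It makes two things visible that the steps do not spell out: the nodes need outbound reachability to login.microsoftonline.com and to the vault's .vault.azure.net endpoint, and the app registration's secret is the credential the whole setup rests on, so its expiry (presumably what --expiry_date records, though the article does not say) has to be tracked and the secret rotated, and Prism Central updated, before it lapses.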
Hi Dwanye, in your article you mention Vormetric and SafeNet as KMS. Both have migrated to the CipherTrust Data Security Platform provided by Thales, which btw can also perform key management for Azure Key Vaults! It would be interesting to see Nutanix start supporting the other cloud providers as well, such as Google key rings, AWS KMS and OCI Vault. These providers also support external key management, making sovereign control of encryption keys a better solution for customers securing their sensitive data!