PrepAway - Latest Free Exam Questions & Answers

Which two statements are true about VM encryption when …

An administrator is using virtual machine encryption in their vSphere 6.5 environment. The Key Management Server (KMS) has experienced a critical failure.
Which two statements are true about VM encryption when the KMS is not available? (Choose two.)

A. VMs will shut down gracefully in the event of a KMS outage as a proactive measure to prevent data theft.

B. VMs which were running at the time of the KMS failure will continue to run.

C. If an ESXi host is rebooted, it will be unable to power on encrypted VMs until KMS connectivity is restored.

D. vCenter Server will continue to distribute encryption keys as long as it is not rebooted while the KMS is unreachable.

E. ESXi hosts within the same cluster will share keys with one another while the KMS is unreachable.

12 Comments on “Which two statements are true about VM encryption when …

  1. VSAN says:

    If the KMS is not available, virtual machine operations that require that vCenter Server request the key from the KMS are not possible. That means running virtual machines continue to run, and you can power on, power off, and reconfigure those virtual machines. However, you cannot relocate the virtual machine to a host that does not have the key information.

    1
    0
  2. Wise says:

    Hi,

    C is the wrong answer. I can start a VM on another host while the key server isn’t available.

    vCenter Server distributes the KEK to ALL hosts in the cluster. I tried to encrypt a VM, start it in an HA cluster, turn off the key server, and turn off the host; after that the VM was started on another host successfully. So, C isn’t correct.

    Page 127 of the security guide: “vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster.” https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf

    B, E are correct!

    0
    0
    1. Ashish Malik says:

      C is correct

      It says that after a reboot the server will not be able to power on encrypted VMs, which is true. What you have tested is powering on VMs on another host which was not rebooted.

      0
      0
  3. BCi says:

    B,C OK
    A,D,E wrong

    vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts.
    If an ESXi host is rebooted, then the keys are no longer known to that host; however, you can run the affected VMs on another host which is NOT rebooted since the KMS is unavailable.

    If the KMS is not available, virtual machine operations that require that vCenter Server request the key from the KMS are not possible. That means running virtual machines continue to run, and you can power on, power off, and reconfigure those virtual machines. However, you cannot relocate the virtual machine to a host that does not have the key information.

    https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-B3DA9865-A28F-4EFD-ACF4-CBC8813ED110.html

    2
    0
    1. Wise says:

      Why is C correct? I can start a VM on another host in a cluster.
      Why is E wrong? “vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster.”

      0
      0
      1. Fonta says:

        Answer C concerns only one ESXi host and not the behaviour in case of a migration to another host. If your ESXi host is rebooted after your KMS failed, this ESXi host won’t have the key anymore.

        Concerning answer E, the ESXi hosts will never share the key; that is the vCenter Server’s role.

        So, it’s B & C.

        0
        0
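The thread's disagreement comes down to where the KEK lives at each moment: vCenter stores only the key ID and must ask the KMS for the key, every host in the cluster receives a copy when it is pushed, and a host's copy is in memory only. The following toy model is an added example written for this page; it is not VMware code, does not use any vSphere API, and all host names, VM names and key IDs are constructed. It plays through the scenario described in the comments (encrypt a VM, lose the KMS, reboot one host, try to power the VM on both on the rebooted host and on another cluster host) and reports which operations succeed.

```python
"""Toy model of the vSphere 6.5 VM-encryption key flow during a KMS outage.

Constructed illustration, not VMware code or any vSphere API. It encodes only
the behaviour quoted in the thread above:
  * vCenter Server keeps the key ID, not the key, and requests the KEK from
    the KMS on demand;
  * when a KEK is handed to a host in a cluster, vCenter sends it to every
    host in that cluster;
  * ESXi keeps the KEK in memory only, so a reboot discards it;
  * a VM that is already running keeps running; powering on needs the KEK
    on the target host, or a reachable KMS.
"""
from dataclasses import dataclass, field
import secrets


class KMSUnavailable(Exception):
    """Raised when vCenter must fetch a key but the KMS is down."""


@dataclass
class KMS:
    available: bool = True
    keys: dict = field(default_factory=dict)  # key_id -> KEK (constructed)

    def generate(self, key_id: str) -> bytes:
        self.keys[key_id] = secrets.token_bytes(32)
        return self.keys[key_id]

    def fetch(self, key_id: str) -> bytes:
        if not self.available:
            raise KMSUnavailable(key_id)
        return self.keys[key_id]


@dataclass
class ESXiHost:
    name: str
    kek_cache: dict = field(default_factory=dict)  # volatile: lost on reboot
    running: set = field(default_factory=set)

    def reboot(self) -> None:
        # A reboot wipes memory: cached KEKs and running VMs are gone.
        self.kek_cache.clear()
        self.running.clear()


@dataclass
class VCenter:
    kms: KMS
    cluster: list  # ESXiHost objects that form one cluster
    vm_key_ids: dict = field(default_factory=dict)  # vm -> key_id, no key bytes

    def _distribute(self, key_id: str, kek: bytes) -> None:
        # Quoted behaviour: vCenter sends the KEK to each host in the cluster.
        for host in self.cluster:
            host.kek_cache[key_id] = kek

    def encrypt_vm(self, vm: str) -> str:
        key_id = f"kek-id-{vm}"          # constructed identifier
        kek = self.kms.generate(key_id)   # needs the KMS
        self.vm_key_ids[vm] = key_id      # vCenter stores only the ID
        self._distribute(key_id, kek)
        return key_id

    def power_on(self, vm: str, host: ESXiHost) -> bool:
        """True if the VM powers on, False if the KMS outage blocks it."""
        key_id = self.vm_key_ids[vm]
        if key_id not in host.kek_cache:
            try:
                self._distribute(key_id, self.kms.fetch(key_id))
            except KMSUnavailable:
                return False
        host.running.add(vm)
        return True


def kms_outage_scenario() -> dict:
    """Replay the thread's scenario and report each operation's outcome."""
    kms = KMS()
    h1, h2 = ESXiHost("esxi-1"), ESXiHost("esxi-2")  # constructed names
    vc = VCenter(kms, [h1, h2])
    vc.encrypt_vm("vm-a")
    vc.power_on("vm-a", h1)

    kms.available = False                       # the KMS fails
    outcome = {"running_vm_keeps_running": "vm-a" in h1.running}

    h1.reboot()                                 # host drops its in-memory KEK
    outcome["power_on_rebooted_host"] = vc.power_on("vm-a", h1)
    outcome["power_on_other_cluster_host"] = vc.power_on("vm-a", h2)

    kms.available = True                        # KMS connectivity restored
    h2.running.discard("vm-a")                  # stop it on host 2 first
    outcome["power_on_rebooted_host_after_restore"] = vc.power_on("vm-a", h1)
    return outcome


if __name__ == "__main__":
    for op, ok in kms_outage_scenario().items():
        print(f"{op:40s} {'OK' if ok else 'BLOCKED'}")
```

Running it shows the two outcomes the commenters were each observing: the rebooted host cannot power the VM on until the KMS is back (option C), while the other cluster host, which still holds the KEK that vCenter pushed to it earlier, can (the test Wise describes). The running VM is untouched by the outage (option B), and because `VCenter` holds no key bytes at all, it has nothing to distribute on its own while the KMS is unreachable.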