Data at rest Flashcards

1
Q

What are the different states of a SED drive?

A

Locked - The drive was password protected, but when power is cut the drive enters this state
Protected - The drive is password protected
Unprotected - Factory default config; all passwords are set to the MSID from the factory

2
Q

How is the KEK securely stored in Mantle, and how many nodes must be up in the cluster for SW encryption to read the data?

A

The master key is used to store the KEK in encrypted form. The master key is split into equal pieces using the Shamir algorithm, and at least N-1 nodes of an N-node cluster are needed to reconstruct the master key.

3
Q

How is trust set up between the KMS and the CVM?

A

Each CVM generates a CSR file with its UUID; this CSR is signed by the KMS. The signed cert is uploaded in Prism in order to authenticate to the KMS server. This is one part of the trust; the other part is to import the CA certificate of the KMS certificate, which allows us to verify the authenticity of the KMS server certificate for mutual TLS.

4
Q

Where is the basic information required to create a CSR stored?

A

Zookeeper stores the CSR signing information at the certification_signing_info zknode.

5
Q

Where are the generated CSRs stored in the system?

A

The full CSR contents are stored in Zookeeper under /appliance/logical/certs//CSR
The zknode where the above is stored is recorded under each node's node_list in svm_certificate_signing_request_zkpath
On the CVM, in the /home/nutanix/certs/ directory

6
Q

Where is the signed certificate stored for a CVM?

A

On the CVM under /home/nutanix/certs/appliance.logical.certs.NODE_UUID.svm_certs.KMS_UUID.cert00000X
The contents of the cert are stored in the zknode /appliance/logical/certs/NODE_UUID/svm_certs/KMS_UUID/cert0000xx
The zknode location used above is stored in the digital_certificate_map_list.digital_certificate_zkpath node under the node_list parameter

7
Q

Where is the KMS CA cert stored?

A

In the ZK node /appliance/logical/CA/_CA
On the CVM under /home/nutanix/certs/appliance.logical.certs.CA_certs.

8
Q

Which Curator counters do you use to track the encryption progress?

A

ContainerNumExtentGroupsUnencrypted
ContainerNumOplogEntriesUnencrypted

9
Q

If svm.key is lost for a CVM that has been working well so far with the KMS, how do you regenerate a new certificate?

A

The CSR is stored in a zknode and is downloaded when Genesis restarts. Take the CSR and get it signed; once it is signed, run the ncli command to replace the certificate. The UI cannot be used, since this option has been blocked there.

10
Q

What is the procedure to add a new standalone KMS server?

A

Download the CSR and get it signed by the KMS CA, upload the certs in the Prism UI, then perform a rekey operation to refresh the KEKs. Basically, once you upload the certs you cannot make any changes to the KMS; that is why the certs are deleted in order to delete the KMS.

11
Q

What is the procedure to delete a standalone KMS server or a cluster?

A

First delete all the certs for the KMS from the Manage Certs page; once they are deleted, remove the KMS server from the UI.

12
Q

What is the current procedure to change the IP address of the KMS server?

A

Requires an oncall.

13
Q

How can you confirm that the KEK has been successfully updated in all external KMS servers?

A

Use mantle_ops --query_ekm print to view all the KEKs and check that the KMS UUID is visible for every KEK.
