First HCI Vendor in the Gartner Magic Quadrant with Native Local Key Manager, New in AOS 5.8

With the release of AOS 5.8, Nutanix brings to market the first native key manager for an HCI platform that goes beyond using local server management tools. To reduce cost and complexity, Nutanix added a native Local Key Manager (LKM) for all clusters of three nodes or more. The LKM runs as a service distributed across all of the nodes in the cluster. It is activated from within Prism Element, so every customer can enable encryption without yet another silo to manage. Customers looking to simplify their infrastructure operations now get one-click infrastructure for their key manager as well.

External Key Managers (EKMs) usually have to be purchased separately, with both software and hardware costs. Since the Nutanix LKM runs natively within the Controller Virtual Machine (CVM), it is highly available and there is no variable add-on pricing based on the number of nodes: every time you add a node you know the final cost. There is also peace of mind when you upgrade your cluster, because the key management service is upgraded with it. With the infrastructure and the key management service upgraded in lockstep, you stay within the support matrix and keep both your security posture and your availability.

The native LKM service uses a FIPS 140 crypto module to keep all of the data encryption keys safe. Data is encrypted using a Data Encryption Key (DEK); there is one DEK for every storage container. The DEK is in turn encrypted by a Key Encryption Key (KEK), which in an external deployment is sent to an EKM. Now that Nutanix supports its own native LKM, the KEK is itself wrapped by a 256-bit key called the Machine Encryption Key (MEK). The MEK is distributed among all of the CVMs in the cluster using a secret-splitting algorithm, and no separate virtual machines are needed to support the native LKM.

Because the MEK is shared across the cluster, every node can decrypt data that any other node has written. To reconstruct the key, a majority of the nodes must be present: the threshold is K = Ceiling(N/2), where N is the number of nodes. In an 11-node cluster, for example, six of the 11 nodes must be up before the data can be decrypted. (For an even N, such as a four-node cluster, K = N/2, so exactly half of the nodes suffice.)
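The key hierarchy and the K = Ceiling(N/2) split described above, as an added example that is not part of the original post and not Nutanix's implementation. It assumes Shamir secret sharing over the prime field modulo 2^521 - 1 for the MEK split (the post only says "a splitting algorithm"), AES-256-GCM for wrapping the DEK under the KEK and the KEK under the MEK, and 256-bit keys throughout; Threshold, SplitSecret, CombineShares, Wrap, Unwrap and Recover are this example's own names, not Nutanix APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"math/big"
)

func Threshold(n int) int { return (n + 1) / 2 } // K = ceil(N/2): CVM shares needed to rebuild the MEK
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1)) // 2^521 - 1, a Mersenne prime above any 256-bit key
type Share struct{ X, Y *big.Int }                                                 // one CVM's piece: a point (X, f(X)) on the polynomial

// SplitSecret picks a random degree k-1 polynomial f with f(0) = secret and hands out n points (Shamir, 1 <= k <= n).
func SplitSecret(secret []byte, n, k int) (shares []Share, err error) {
	coef := make([]*big.Int, k)
	coef[0] = new(big.Int).SetBytes(secret)
	for i := 1; i < k; i++ {
		if coef[i], err = rand.Int(rand.Reader, prime); err != nil {
			return nil, err
		}
	}
	shares = make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int) // x = 0 is the secret itself, never a share
		for c := k - 1; c >= 0; c-- {                // Horner evaluation of f(x) mod prime
			y.Mul(y, x).Add(y, coef[c]).Mod(y, prime)
		}
		shares[i] = Share{x, y}
	}
	return shares, nil
}

// CombineShares interpolates f(0). Fewer than k shares give a random field element: it fails the size check, or, if it fits, the GCM tag.
func CombineShares(shares []Share, keyLen int) ([]byte, error) {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for l, sl := range shares {
			if l != i { // Lagrange basis L_i(0) = prod (0 - x_l) / (x_i - x_l)
				num.Mul(num, new(big.Int).Neg(sl.X)).Mod(num, prime)
				den.Mul(den, new(big.Int).Sub(si.X, sl.X)).Mod(den, prime)
			}
		}
		inv := new(big.Int).ModInverse(den, prime)
		if inv == nil {
			return nil, errors.New("duplicate share")
		}
		term := new(big.Int).Mul(si.Y, num)
		secret.Add(secret, term.Mul(term, inv)).Mod(secret, prime)
	}
	if secret.BitLen() > 8*keyLen {
		return nil, errors.New("too few or wrong shares: value does not fit the key")
	}
	return secret.FillBytes(make([]byte, keyLen)), nil
}

// aead returns AES-256-GCM under key; every key in this hierarchy is 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM only fails for non-128-bit block ciphers
	return gcm
}

// Wrap seals key under kek; output is nonce || ciphertext || tag.
func Wrap(kek, key []byte) []byte {
	gcm := aead(kek)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing CSPRNG is fatal, not something to recover from
	}
	return gcm.Seal(nonce, nonce, key, nil)
}

// Unwrap reverses Wrap; a wrong kek fails authentication instead of yielding garbage.
func Unwrap(kek, blob []byte) ([]byte, error) {
	gcm := aead(kek)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Recover walks the hierarchy bottom-up: CVM shares -> MEK -> KEK -> DEK.
func Recover(shares []Share, wrappedKEK, wrappedDEK []byte) ([]byte, error) {
	mek, err := CombineShares(shares, 32)
	if err != nil {
		return nil, err
	}
	kek, err := Unwrap(mek, wrappedKEK)
	if err != nil {
		return nil, err
	}
	return Unwrap(kek, wrappedDEK)
}
```

For an 11-node cluster, `SplitSecret(mek, 11, Threshold(11))` hands one share to each CVM, and `Recover` with any six of them unwraps the KEK and then the DEK; with five it fails, almost always at the size check in CombineShares and otherwise at the GCM tag on the wrapped KEK, so a minority of nodes never ends up holding a usable key. Shamir shares reveal nothing about the MEK below the threshold, which is why the split can be stored on the very nodes that need the key.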

Figure: EKM and LKM workflows

Nutanix also provides an easy way to back up your Data Encryption Keys (DEKs) from Prism. There is a DEK for each storage container, and when a new storage container is created an alert is generated encouraging administrators to take a fresh backup. The backup is password protected and should be stored securely, away from the cluster it protects. With the backup in hand, if a catastrophic event happened in your data centre you could replicate the data back and re-import the backed-up keys to get your environment up and running.


Figure: Nutanix backup for DEKs

The Nutanix Local Key Manager is another step towards enabling security for everyone. Stay safe, and if you have questions please drop them in the comments.
