< Back
Start-VsanEncryptionConfiguration
Post
NAME Start-VsanEncryptionConfiguration
SYNOPSIS
This cmdlet starts encryption configuration on a vSAN cluster.
SYNTAX
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-DeepRekey] [-Server
<VIServer[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-EncryptionEnabled
<Boolean>] [-EraseDisksBeforeUse <Boolean>] [-KmsCluster <KmsCluster>] [-Server <VIServer[]>] [-Confirm] [-WhatIf]
[<CommonParameters>]
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-Server
<VIServer[]>] [-ShallowRekey] [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
This cmdlet starts encryption configuration on a vSAN cluster.
The encryption configuration includes the following actions: - Enable or disable encryption
- Change key provider
- Perform deep rekey
- Perform shallow rekey
PARAMETERS
-AllowReducedRedundancy <Boolean>
This optional parameter is applicable to specific vSAN cluster reconfigure operations that need to migrate
data for changing the vSAN disk format across the cluster. When specified, the process might move less data to
ensure storage object accessibility, and some objects might be kept at "reduced redundancy" state, which means
at a higher risk in case of a hardware failure during the migration process. The default value is $false.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Cluster <Cluster[]>
Specifies the vSAN cluster on which you want to start encryption configuration of the vSAN objects.
Required? true
Position? 1
Default value None
Accept pipeline input? True (ByValue)
Accept wildcard characters? true
-DeepRekey [<SwitchParameter>]
Specifies that you want to perform a deep rekey operation. When a deep rekey operation is running, all disks
are re-encrypted with new data encryption keys. The deep rekey operation takes long time to finish.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-EncryptionEnabled <Boolean>
Specifies whether you want to enable or disable encryption.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EraseDisksBeforeUse <Boolean>
Specifies whether the disk should be formatted when a normal disk is converted to an encrypted disk, it is
claimed as encrypted disk, or it runs deep rekey. If the value of this parameter is $true, every sector on the
disk is written with random data. Disk cleanup reduces the possibility of data leak and increases the
potential intruder's cost to reveal sensitive data. Turn the disk cleanup on only when necessary, as it takes
long time to finish. If the value of this parameter is $false, the disk will not be formatted.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-KmsCluster <KmsCluster>
Specifies the key provider you want to use for encryption.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? true
-Server <VIServer[]>
Specifies the vCenter Server systems on which you want to run the cmdlet. If no value is given to this
parameter, the command runs on the default servers. For more information about default servers, see the
description of Connect-VIServer.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? true
-ShallowRekey [<SwitchParameter>]
Specifies that you want to perform a shallow rekey operation. When a shallow rekey operation is running, only
the key encryption key (KEK) is changed and the data encryption keys (DEKs) are re-wrapped with new key
encryption keys.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? true
-Confirm [<SwitchParameter>]
If the value is $true, indicates that the cmdlet asks for confirmation before running. If the value is $false,
the cmdlet runs without asking for user confirmation.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Indicates that the cmdlet is run only to display the changes that would be made and actually no objects are
modified.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
The task object to track the operations on clusters
NOTES
-------------------------- Example 1 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $true -KmsCluster 'ThalesCluster'
Enables encryption on the $vsanCluster vSAN cluster with 'ThalesCluster' as the key provider.
-------------------------- Example 2 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $false
Disables encryption on the $vsanCluster vSAN cluster.
-------------------------- Example 3 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -DeepRekey
Performs a deep rekey operation on all disks of the $vsanCluster vSAN cluster. All data on the disks is
re-encrypted.
-------------------------- Example 4 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -ShallowRekey
Performs a shallow rekey operation on all disks of the $vsanCluster vSAN cluster. All data encryption keys are
re-wrapped with new key encryption key. Data on the disks is not re-encrypted.
RELATED LINKS
Online Version: https://code.vmware.com/doc/preview?id= ... ation.html
SYNOPSIS
This cmdlet starts encryption configuration on a vSAN cluster.
SYNTAX
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-DeepRekey] [-Server
<VIServer[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-EncryptionEnabled
<Boolean>] [-EraseDisksBeforeUse <Boolean>] [-KmsCluster <KmsCluster>] [-Server <VIServer[]>] [-Confirm] [-WhatIf]
[<CommonParameters>]
Start-VsanEncryptionConfiguration [-Cluster] <Cluster[]> [-AllowReducedRedundancy <Boolean>] [-Server
<VIServer[]>] [-ShallowRekey] [-Confirm] [-WhatIf] [<CommonParameters>]
DESCRIPTION
This cmdlet starts encryption configuration on a vSAN cluster.
The encryption configuration includes the following actions: - Enable or disable encryption
- Change key provider
- Perform deep rekey
- Perform shallow rekey
PARAMETERS
-AllowReducedRedundancy <Boolean>
This optional parameter is applicable to specific vSAN cluster reconfigure operations that need to migrate
data for changing the vSAN disk format across the cluster. When specified, the process might move less data to
ensure storage object accessibility, and some objects might be kept at "reduced redundancy" state, which means
at a higher risk in case of a hardware failure during the migration process. The default value is $false.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Cluster <Cluster[]>
Specifies the vSAN cluster on which you want to start encryption configuration of the vSAN objects.
Required? true
Position? 1
Default value None
Accept pipeline input? True (ByValue)
Accept wildcard characters? true
-DeepRekey [<SwitchParameter>]
Specifies that you want to perform a deep rekey operation. When a deep rekey operation is running, all disks
are re-encrypted with new data encryption keys. The deep rekey operation takes long time to finish.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-EncryptionEnabled <Boolean>
Specifies whether you want to enable or disable encryption.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EraseDisksBeforeUse <Boolean>
Specifies whether the disk should be formatted when a normal disk is converted to an encrypted disk, it is
claimed as encrypted disk, or it runs deep rekey. If the value of this parameter is $true, every sector on the
disk is written with random data. Disk cleanup reduces the possibility of data leak and increases the
potential intruder's cost to reveal sensitive data. Turn the disk cleanup on only when necessary, as it takes
long time to finish. If the value of this parameter is $false, the disk will not be formatted.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-KmsCluster <KmsCluster>
Specifies the key provider you want to use for encryption.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? true
-Server <VIServer[]>
Specifies the vCenter Server systems on which you want to run the cmdlet. If no value is given to this
parameter, the command runs on the default servers. For more information about default servers, see the
description of Connect-VIServer.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? true
-ShallowRekey [<SwitchParameter>]
Specifies that you want to perform a shallow rekey operation. When a shallow rekey operation is running, only
the key encryption key (KEK) is changed and the data encryption keys (DEKs) are re-wrapped with new key
encryption keys.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? true
-Confirm [<SwitchParameter>]
If the value is $true, indicates that the cmdlet asks for confirmation before running. If the value is $false,
the cmdlet runs without asking for user confirmation.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Indicates that the cmdlet is run only to display the changes that would be made and actually no objects are
modified.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
The task object to track the operations on clusters
NOTES
-------------------------- Example 1 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $true -KmsCluster 'ThalesCluster'
Enables encryption on the $vsanCluster vSAN cluster with 'ThalesCluster' as the key provider.
-------------------------- Example 2 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -EncryptionEnabled $false
Disables encryption on the $vsanCluster vSAN cluster.
-------------------------- Example 3 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -DeepRekey
Performs a deep rekey operation on all disks of the $vsanCluster vSAN cluster. All data on the disks is
re-encrypted.
-------------------------- Example 4 --------------------------
Start-VsanEncryptionConfiguration -Cluster $vsanCluster -ShallowRekey
Performs a shallow rekey operation on all disks of the $vsanCluster vSAN cluster. All data encryption keys are
re-wrapped with new key encryption key. Data on the disks is not re-encrypted.
RELATED LINKS
Online Version: https://code.vmware.com/doc/preview?id= ... ation.html