An administrator has been tasked with enabling encryption for existing virtual machines on a vSAN cluster.
Which three prerequisites must be satisfied before completing the task? (Choose three.)
To enable encryption for existing virtual machines on a vSAN cluster, the prerequisites are as follows: First, you need to create an encryption storage policy to apply the encryption rules to the VMs. Second, it is essential to verify that a role with the privilege 'Cryptographic operations.Encrypt new' is assigned, as this allows users to encrypt a virtual machine during VM or disk creation. Finally, establishing a trusted connection with the Key Management Server (KMS) is necessary because the KMS securely generates and stores the encryption keys. Therefore, the correct options are creating an encryption storage policy, assigning the necessary cryptographic privilege, and establishing a trusted connection with the KMS.
I think the answer is ADF, because before you can create encrypted virtual machines, you must create an encryption storage policy. You create the storage policy once, and assign it each time you encrypt a virtual machine or virtual disk. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7DE1ED8F-880B-421E-B27B-5AAA58454AFA.html
Agreed.
I would agree ADF
I don't like this question because it talks about "existing virtual machines". "Encrypt new" is for new VMs: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-660CCB35-847F-46B3-81CA-10DDDB9D7AA9.html Crypto Migrate is to migrate an encrypted VM. The role should be Crypto Operations Encrypt, not Encrypt New. A and D are definitely correct, and I know from experience:
- A: Well, you cannot encrypt a VM until you assign it an encryption policy
- D: You cannot encrypt without a KMS (thankfully, now you can use the integrated one, but you still need to establish this)
Third choice I'd go with the least incorrect, so I guess it'd be "Encrypt New", Option D... as the other two options are 100% wrong:
- You don't need to migrate the VM to encrypt it
- VM actually has to be off if you want to encrypt or decrypt. Again, I know from experience.
So I'd go with ADF. Still not a fan.
I agree ADF
ADF. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-5E2C3F74-38C1-44C3-ABC5-C2C9353B9DC4.html
Why can't BCE be good? My logic is that the question is asking about already existing virtual machines. As per below, you can enable encryption of data in transit across hosts and no KMS server is required. Hosts in a vSAN cluster automatically generate encryption keys when they join the cluster, which are used to encrypt traffic. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-10099331-92E7-41AF-BCAA-88DB4B4A4B7B.html
A, F: I agree it is the correct answer. But for "Verify if a role with privilege "Cryptographic operations.Encrypt new" is assigned" I have doubts. According to the VMware doc, this option "Allows users to encrypt a virtual machine during virtual machine creation or a disk during disk creation", so this is not valid for already existing VMs. There is the Cryptographic operations.Encrypt privilege, "Allows users to encrypt a virtual machine or a virtual machine disk.", and this would be good, but this answer is not present. "Cryptographic operations.Migrate": Allows users to migrate an encrypted virtual machine to a different ESXi host. Supports migration with or without vMotion and storage vMotion. Supports migration to a different vCenter Server instance... Well, hesitating there, as this may be useful if users want to perform manual vMotions. Also there is some incorrect wording in answer C, and if this would be more related to power off and then power on operations. But has to verify on exam. I have seen that sometimes answers are slightly different on real exams.