2V0-622 · Question #303
Which two encryption keys does the host use when encrypting virtual machine files? (Choose two.)
The correct answer is C. Data Encryption Key (DEK) D. Key Encryption Key (KEK). vSphere VM encryption uses a two-key hierarchy where the DEK encrypts the VM data and the KEK encrypts the DEK, with the KEK sourced from the external KMS.
Question
Which two encryption keys does the host use when encrypting virtual machine files? (Choose two.)
Options
- APublic Key Infrastructure Encryption Key (PKI)
- BMaster Encryption Key (MEK)
- CData Encryption Key (DEK)
- DKey Encryption Key (KEK)
How the community answered
(41 responses)- A2% (1)
- B5% (2)
- C93% (38)
Why each option
vSphere VM encryption uses a two-key hierarchy where the DEK encrypts the VM data and the KEK encrypts the DEK, with the KEK sourced from the external KMS.
Public Key Infrastructure (PKI) describes a certificate authority framework, not a specific encryption key type used in the vSphere VM encryption key hierarchy.
Master Encryption Key (MEK) is not a term defined in the vSphere VM encryption architecture - the two-tier model uses only the DEK and KEK.
The Data Encryption Key (DEK) is a per-VM key generated by the ESXi host that directly encrypts the virtual machine's disk files and other components using AES-256 encryption.
The Key Encryption Key (KEK) is obtained from the external KMS and is used to wrap (encrypt) the DEK - only the encrypted DEK is stored on disk, protecting the DEK if the storage is compromised.
Concept tested: vSphere VM encryption key hierarchy DEK and KEK
Source: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400B-A6AE-81BF3AC9DF97.html
Topics
Community Discussion
No community discussion yet for this question.