nerdexam
Broadcom-VMware

2V0-622D · Question #29

An administrator is using virtual machine encryption in their vSphere 6.5 environment. The Key Management Server (KMS) has experienced a critical failure. Which two statements are true about VM encryp

The correct answer is B. VMs which were running at the time of the KMS failure will continue to run. C. If an ESXi host is rebooted, it will be unable to power on encrypted VMs until KMS connectivity is. When a KMS fails, VMs already running remain operational because ESXi hosts cache keys in memory, but any host that reboots cannot retrieve keys and therefore cannot power on encrypted VMs.

Section 1 – Configure and Administer vSphere 6.5 Security

Question

An administrator is using virtual machine encryption in their vSphere 6.5 environment. The Key Management Server (KMS) has experienced a critical failure. Which two statements are true about VM encryption when the KMS is not available? (Choose two.)

Options

  • AVMs will shut down gracefully in the event of a KMS outage as a proactive measure to prevent
  • BVMs which were running at the time of the KMS failure will continue to run.
  • CIf an ESXi host is rebooted, it will be unable to power on encrypted VMs until KMS connectivity is
  • DvCenter Server will continue to distribute encryption keys as long as it is not rebooted while the
  • EESXi hosts within the same cluster will share keys with one another while the KMS is

How the community answered

(69 responses)
  • A
    12% (8)
  • B
    62% (43)
  • D
    4% (3)
  • E
    22% (15)

Why each option

When a KMS fails, VMs already running remain operational because ESXi hosts cache keys in memory, but any host that reboots cannot retrieve keys and therefore cannot power on encrypted VMs.

AVMs will shut down gracefully in the event of a KMS outage as a proactive measure to prevent

vSphere VM encryption does not trigger a graceful or automatic shutdown of running VMs during a KMS outage - already-powered-on VMs continue running normally using keys cached in host memory.

BVMs which were running at the time of the KMS failure will continue to run.Correct

ESXi hosts retain decrypted encryption keys in memory for any VM that was powered on before the KMS outage, so those VMs continue running uninterrupted as long as the ESXi host itself is not rebooted.

CIf an ESXi host is rebooted, it will be unable to power on encrypted VMs until KMS connectivity isCorrect

When an ESXi host reboots it must contact the KMS to retrieve the encryption keys required to unlock and power on encrypted VMs - without KMS connectivity, the host cannot obtain those keys and encrypted VMs cannot be started.

DvCenter Server will continue to distribute encryption keys as long as it is not rebooted while the

vCenter Server does not distribute or cache encryption keys - key distribution is handled exclusively by the KMS, and vCenter only brokers the initial trust relationship between ESXi hosts and the KMS.

EESXi hosts within the same cluster will share keys with one another while the KMS is

ESXi hosts do not share encryption keys with peer hosts in the cluster - each host independently retrieves its own keys from the KMS, so a KMS outage affects any host that needs to obtain new keys.

Concept tested: VM encryption behavior during KMS outage

Topics

#VM encryption#KMS failure#key management server#encrypted VM behavior

Community Discussion

No community discussion yet for this question.

Full 2V0-622D Practice