Query Crypto Key In-Use Status
Sometimes it is useful to determine key status, for example whether a key is available on vCenter Server, which virtual machines and ESXi hosts are using it, and whether third party applications reference it.
As of vSphere 6.7 Update 2, the queryCryptoKeyStatus method is available to check the use of a KMS key, such as whether vCenter Server can access the key, whether virtual machines use it, or whether ESXi hosts use it as a host key. The first parameter is a key ID or an array of key IDs to query. The second parameter is a bitmap defining the items to check; the bits are ORed together, so a value of 15 (0x0F) requests all four checks:
- 0x01 - ask whether key data is available to vCenter Server
- 0x02 - query which virtual machines use this key
- 0x04 - check which ESXi hosts use this as a host key
- 0x08 - check which third party programs use this key
Key status results are returned in a CryptoManagerKmip::CryptoKeyStatus data object, called keyStatusArray in the code below. If your program queried multiple keys, an array of results is returned, one entry per key. The queryCryptoKeyStatus method and its returned data object are new in vSphere 6.7 U2, so they do not work in earlier releases.
    import java.util.Arrays;
    import java.util.List;
    import com.vmware.vim25.CryptoManagerKmipCryptoKeyStatus;

    // Query all four status bits (0x01 | 0x02 | 0x04 | 0x08 == 15) for several keys in one call.
    // cryptoManager is the CryptoManager MoRef from ServiceContent; the key IDs are CryptoKeyId objects.
    List<CryptoManagerKmipCryptoKeyStatus> keyStatusArray = vimPort.queryCryptoKeyStatus(
            cryptoManager, Arrays.asList(vmKeyId, diskKeyId, srcHostkey, dstHostkey), 15);
    for (CryptoManagerKmipCryptoKeyStatus keyStatus : keyStatusArray) {
        System.out.println("keyId: " + keyStatus.getKeyId().getKeyId());
        System.out.println("keyAvailable: " + keyStatus.isKeyAvailable());
        System.out.println("reason: " + keyStatus.getReason());           // set when the key is not available
        System.out.println("encryptedVMs: " + keyStatus.getEncryptedVMs());
        System.out.println("affectedHosts: " + keyStatus.getAffectedHosts());
        System.out.println("referencedByTags: " + keyStatus.getReferencedByTags());
    }
The keyAvailable field means the key is available on vCenter Server. The reason field is populated when the key is not available and indicates why. The encryptedVMs field is an array of virtual machine MoRefs, and affectedHosts is an array of MoRefs to ESXi hosts. The referencedByTags field gives the names of third party applications using the key.
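As an added example (this is not code from the vSphere SDK documentation or from VMware), the following Java class turns the call above into a small audit routine. It flags the status combination an operator cares about most: a key that vCenter Server cannot retrieve while encrypted virtual machines, ESXi hosts or third party applications still depend on it, since those VMs and hosts cannot be unlocked until the key is reachable again. The audit method, the Finding and Verdict types and the classification rules are assumptions made for this example; the vim25 classes, the ServiceContent.getCryptoManager() accessor and the queryCryptoKeyStatus signature are the SDK's own. The classification lives in a separate classify method so it can be exercised against hand-built CryptoManagerKmipCryptoKeyStatus objects without a vCenter connection.

```java
import java.util.ArrayList;
import java.util.List;

import com.vmware.vim25.CryptoKeyId;
import com.vmware.vim25.CryptoManagerKmipCryptoKeyStatus;
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.RuntimeFaultFaultMsg;
import com.vmware.vim25.ServiceContent;
import com.vmware.vim25.VimPortType;

/** Added example: classify KMS keys by availability and use. Not part of the vSphere SDK. */
public class CryptoKeyAudit {

    // Bit values of the checkKeyBitMap argument, as documented above.
    static final int CHECK_KEY_AVAILABLE = 0x01;
    static final int CHECK_VM_USAGE      = 0x02;
    static final int CHECK_HOST_KEY      = 0x04;
    static final int CHECK_THIRD_PARTY   = 0x08;
    static final int CHECK_ALL = CHECK_KEY_AVAILABLE | CHECK_VM_USAGE | CHECK_HOST_KEY | CHECK_THIRD_PARTY; // 15

    /** Hypothetical verdicts for this example. */
    enum Verdict {
        IN_USE_OK,          // available and referenced: nothing to do
        UNUSED,             // available but nothing references it: candidate for cleanup review
        UNUSED_UNAVAILABLE, // not available, but nothing on this vCenter depends on it
        AT_RISK             // referenced by VMs, hosts or tags, but vCenter cannot fetch it
    }

    /** One audit result per key (hypothetical type for this example). */
    static final class Finding {
        final String keyId;
        final String providerId;
        final Verdict verdict;
        final String detail;

        Finding(String keyId, String providerId, Verdict verdict, String detail) {
            this.keyId = keyId;
            this.providerId = providerId;
            this.verdict = verdict;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return verdict + " key=" + keyId + " provider=" + providerId + " " + detail;
        }
    }

    /** Pure classification of one status object; needs no vCenter connection. */
    static Finding classify(CryptoManagerKmipCryptoKeyStatus s) {
        // JAXB-generated list getters return an empty list rather than null.
        int vms   = s.getEncryptedVMs().size();
        int hosts = s.getAffectedHosts().size();
        int tags  = s.getReferencedByTags().size();
        boolean referenced = vms + hosts + tags > 0;

        String detail = "vms=" + vms + " hosts=" + hosts + " tags=" + tags
                + (s.isKeyAvailable() ? "" : " reason=" + s.getReason());

        Verdict verdict;
        if (s.isKeyAvailable()) {
            verdict = referenced ? Verdict.IN_USE_OK : Verdict.UNUSED;
        } else {
            verdict = referenced ? Verdict.AT_RISK : Verdict.UNUSED_UNAVAILABLE;
        }

        // Identify the key from the returned status, not from the request position,
        // so the code does not assume the result list preserves request order.
        CryptoKeyId id = s.getKeyId();
        String provider = id.getProviderId() == null ? "(default provider)" : id.getProviderId().getId();
        return new Finding(id.getKeyId(), provider, verdict, detail);
    }

    /** Queries every key in keyIds with all four checks enabled and classifies each result. */
    static List<Finding> audit(VimPortType vimPort, ServiceContent sc, List<CryptoKeyId> keyIds)
            throws RuntimeFaultFaultMsg {
        List<Finding> findings = new ArrayList<>();
        if (keyIds.isEmpty()) {
            return findings; // nothing to query; avoid an empty round trip
        }
        ManagedObjectReference cryptoManager = sc.getCryptoManager();
        List<CryptoManagerKmipCryptoKeyStatus> statuses =
                vimPort.queryCryptoKeyStatus(cryptoManager, keyIds, CHECK_ALL);
        for (CryptoManagerKmipCryptoKeyStatus s : statuses) {
            findings.add(classify(s));
        }
        return findings;
    }

    /** Convenience filter: only the keys that need operator attention. */
    static List<Finding> atRisk(List<Finding> findings) {
        List<Finding> out = new ArrayList<>();
        for (Finding f : findings) {
            if (f.verdict == Verdict.AT_RISK) {
                out.add(f);
            }
        }
        return out;
    }
}
```

A caller obtains ServiceContent from the usual retrieveServiceContent call, collects the CryptoKeyId values it wants to check, and passes them to audit; the AT_RISK findings are the ones to act on first, because the reason string tells you whether the problem is on the KMS side or in vCenter's cache. If the key list is large, batch it rather than issuing one call per key, since the method accepts an array of IDs.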