Which two encryption keys does the host use when encrypting virtual machine files? (Choose two.)
A. Public Key Infrastructure Encryption Key (PKI)
B. Master Encryption Key (MEK)
C. Data Encryption Key (DEK)
D. Key Encryption Key (KEK)
Explanation:
https://pubs.vmware.com/vsphere-65/index.jsp?topic=%2Fcom.vmware.wssdk.pg.doc%2FPG_VM_Encryption.14.2.html
C,D – OK
■ The ESXi host generates and uses internal keys to encrypt virtual machines and disks. These keys are used as the disk encryption key (DEK) and are XTS-AES-256 keys.
■ The key management server (KMS) sends keys to the vCenter Server upon request. These keys are used as the key encryption key (KEK) and are AES-256 keys. vCenter Server stores only the ID of each KEK, but not the key itself.
■ ESXi hosts use the KEK to encrypt their internal keys, and store only the encrypted internal keys on disk, but not the KEK itself. When an ESXi host reboots, vCenter Server requests the necessary KEKs by sending the corresponding IDs to the KMS, and upon receipt, makes the KEKs available to the ESXi host, which can then decrypt its internal keys as needed.
Well said!
Agree, C & D
http://pubs.vmware.com/vsphere-6-5/index.jsp#com.vmware.wssdk.pg.doc/PG_VM_Encryption.14.2.html?path=1_2_0_1_11_0_0#1050296