
Verify your environment meets these requirements before proceeding. All prerequisites must be satisfied for a successful integration.

Supported hardware

  • CryptoHub 7.0.3.x or later

Supported AOS versions

  • Nutanix AOS 5.5 or later — minimum version for software encryption with an external KMS
  • AOS 7.5 or later — adds Prism Central-managed external KMS; this guide uses the Prism Element path, which applies to all supported AOS versions

Required licensing

  • Nutanix Ultimate license, or equivalent NCI Pro/Ultimate — required to enable data-at-rest encryption

Licensing is the most common blocker for this integration. Confirm that data-at-rest encryption is included in your Nutanix license before proceeding. Contact your Nutanix account team if uncertain.

Supported hypervisors

Encryption scope by hypervisor:

  • AHV: cluster level only; encryption applies to all containers
  • ESXi: cluster level or container level
  • Hyper-V: cluster level or container level

Required access

  • Administrator access to the CryptoHub web interface (dual-control login)
  • Administrator access to Prism Element for the target cluster
  • SSH access to at least one CVM in the cluster (for optional CLI validation)

Network and firewall

  • Allow TCP port 5696 (standard KMIP port) outbound from every CVM IP address in the cluster to the CryptoHub
  • Bidirectional firewall rules are required between all CVM IP addresses and all CryptoHub IP addresses
  • The CryptoHub must remain reachable from all CVMs at all times during normal operations — no keys are cached on the cluster

TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt traffic between all CVM IP addresses and the CryptoHub from TLS inspection on all network path devices.

After enabling encryption, a cold boot or IPMI reset requires the CryptoHub to be reachable for the cluster to access its data. If the CryptoHub is unavailable during a cold boot, data on the cluster remains inaccessible until connectivity is restored. Never host the CryptoHub on the same cluster you are encrypting.

Certificate requirements

  • Nutanix uses mutual TLS (mTLS) authentication with X.509 certificates in PEM format.
  • Nutanix generates a unique CSR for each CVM node in the cluster. These must be signed by the CryptoHub’s CA.
  • TLS 1.2 is the minimum version enforced.
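A pre-flight check covering the network/firewall and certificate requirements above, written here as an added example (not Futurex or Nutanix code) to run from a CVM over SSH using only the Python standard library; the CryptoHub addresses and the PEM paths for the CryptoHub CA and the node's signed certificate and key are caller-supplied assumptions.

```python
import socket
import ssl

KMIP_PORT = 5696  # standard KMIP port named in the prerequisites

def tcp_reachable(host, port=KMIP_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout. Run this
    from every CVM: the requirement is that each CVM can reach the CryptoHub."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable or dropped by a firewall
        return False

def build_mtls_context(ca_pem=None, cert_pem=None, key_pem=None):
    """Client context for the certificate requirements: TLS 1.2 minimum, the CryptoHub
    cert checked against its CA, this node's CA-signed PEM cert presented for mTLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # check_hostname stays on: the CryptoHub certificate must carry the address
    # the CVMs connect to (IP or DNS name) in its subjectAltName.
    if cert_pem and key_pem:
        ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx

def probe_kmip_endpoint(host, ctx, port=KMIP_PORT, timeout=5.0):
    """Complete an mTLS handshake and report what was negotiated. Failing here while
    tcp_reachable() passes points at an unsigned CSR, wrong CA, or a TLS-inspecting proxy."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(),
                    "server_subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter")}

def preflight(cryptohub_ips, ctx):
    """Check every CryptoHub address from this CVM; returns {ip: result or error}."""
    results = {}
    for ip in cryptohub_ips:
        if not tcp_reachable(ip):
            results[ip] = "TCP %d unreachable: check firewall rules" % KMIP_PORT
        else:
            try:
                results[ip] = probe_kmip_endpoint(ip, ctx)
            except (ssl.SSLError, OSError) as exc:
                results[ip] = "TLS handshake failed: %s" % exc
    return results
```

Run it on each CVM in turn with that node's own signed certificate, since the page requires every CVM to reach the CryptoHub; a healthy result reports a tls_version of TLSv1.2 or TLSv1.3 for every CryptoHub address.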

Software requirements

  • Nutanix cluster with initial setup completed and Prism Element accessible
  • All CVM nodes must be running and healthy before beginning configuration
  • NCC health checks should show no pre-existing errors on the cluster

Important considerations

  • Encryption is irreversible: Once Data-at-Rest Encryption is enabled on a Nutanix cluster, it cannot be disabled. Ensure your CryptoHub deployment is stable and highly available before proceeding.
  • No key caching: Nutanix does not cache encryption keys on the cluster. The CryptoHub must be reachable at all times during normal operations. After a cold boot or IPMI reset, nodes must contact the CryptoHub to unlock drives.
  • Do not host CryptoHub on the encrypted cluster: Running the CryptoHub on VMs within the same Nutanix cluster it encrypts can cause irrecoverable data loss if the cluster requires a cold boot.