> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Before you start

> Verify your environment meets the requirements for integrating Nutanix AOS with CryptoHub via KMIP.

*Verify your environment meets these requirements before proceeding. All prerequisites must be satisfied for a successful integration.*

## Supported hardware

* CryptoHub `7.0.3.x` or later

## Supported AOS versions

* Nutanix AOS **5.5** or later — minimum version for software encryption with an external KMS
* AOS **7.5** or later — adds Prism Central-managed external KMS; this guide uses the Prism Element path, which applies to all supported AOS versions

## Required licensing

* **Nutanix Ultimate** license, or equivalent NCI Pro/Ultimate — required to enable data-at-rest encryption

<Warning>
  Licensing is the most common blocker for this integration. Confirm that data-at-rest encryption is included in your Nutanix license before proceeding. Contact your Nutanix account team if uncertain.
</Warning>

## Supported hypervisors

| Hypervisor  | Encryption scope                                          |
| ----------- | --------------------------------------------------------- |
| **AHV**     | Cluster level only — encryption applies to all containers |
| **ESXi**    | Cluster level or container level                          |
| **Hyper-V** | Cluster level or container level                          |

## Required access

* Administrator access to the CryptoHub web interface (dual-control login)
* Administrator access to Prism Element for the target cluster
* SSH access to at least one CVM in the cluster (for optional CLI validation)

## Network and firewall

* Allow TCP port **5696** (standard KMIP port) outbound from **every CVM IP address** in the cluster to the CryptoHub
* Bidirectional firewall rules are required between all CVM IP addresses and all CryptoHub IP addresses
* The CryptoHub must remain reachable from all CVMs at all times during normal operations — no keys are cached on the cluster

<Warning>
  TLS inspection or SSL proxies can break mutual TLS handshakes. Exempt traffic between all CVM IP addresses and the CryptoHub from TLS inspection on all network path devices.
</Warning>

<Warning>
  After enabling encryption, a cold boot or IPMI reset requires the CryptoHub to be reachable for the cluster to access its data. If the CryptoHub is unavailable during a cold boot, data on the cluster remains inaccessible until connectivity is restored. Never host the CryptoHub on the same cluster you are encrypting.
</Warning>

## Certificate requirements

* Nutanix uses mutual TLS (mTLS) authentication with **X.509 certificates in PEM format**.
* Nutanix generates a unique CSR for each CVM node in the cluster. These must be signed by the CryptoHub's CA.
* **TLS 1.2** is the minimum version enforced.

## Software requirements

* Nutanix cluster with initial setup completed and Prism Element accessible
* All CVM nodes must be running and healthy before beginning configuration
* NCC health checks should show no pre-existing errors on the cluster

## Important considerations

* **Encryption is irreversible**: Once Data-at-Rest Encryption is enabled on a Nutanix cluster, it **cannot be disabled**. Ensure your CryptoHub deployment is stable and highly available before proceeding.
* **No key caching**: Nutanix does not cache encryption keys on the cluster. The CryptoHub must be reachable at all times during normal operations. After a cold boot or IPMI reset, nodes must contact the CryptoHub to unlock drives.
* **Do not host CryptoHub on the encrypted cluster**: Running the CryptoHub as a virtual appliance on VMs within the same Nutanix cluster it encrypts can cause irrecoverable data loss if the cluster requires a cold boot.
