Add the CryptoHub as the external key management server in Prism Element and upload the signed certificates. Verify each node connection, then enable cluster encryption — this step is irreversible.
Enabling encryption is a one-way operation. Once enabled, encryption cannot be disabled on the cluster. Ensure all certificate uploads and connection tests succeed before proceeding to the final step.

Add the key management server

1. In Prism Element, go to Settings > Data-at-rest Encryption and click Continue Configuration.
2. Click Add New Key Management Server and enter the following:
  • Name: A descriptive identifier (for example, Futurex-CryptoHub-Primary)
  • Address: The IP address or FQDN of the CryptoHub
  • Port: 5696 (default KMIP port; adjust if your CryptoHub uses a custom port)
   Click Save.
3. For a high-availability CryptoHub deployment, click Add Key Management Server again and add each additional CryptoHub node as a separate entry. Nutanix treats each entry as an independent KMIP endpoint for failover.

Add the Certificate Authority

1. Click Add New Certificate Authority and enter a descriptive name (for example, Futurex-CryptoHub-CA).
2. Click Upload CA Certificate and select the CA certificate file. Use the cacert.pem exported from CryptoHub, or the Futurex Test Root CA (ECC).cer / Futurex Test Root SSL CA.cer file from the client endpoint zip.
3. Click Save, then click Back.

Upload signed node certificates

Each CVM node requires its own signed certificate. Upload and verify each node individually before enabling encryption.
1. Under the key management server entry you created, click the Manage Certificates link.
   This link is blue text displayed below the Actions area — it is not a traditional button and is easy to overlook.
2. Click Upload Files and select the signed certificate PEM file for the first node.
3. Click Submit. The node status changes to Uploaded.
4. Click Test CS (or Test all nodes) to verify the connection. A successful test changes the node status to Verified, confirming that the CVM can authenticate to the CryptoHub and retrieve a test key. A failed test typically indicates a certificate mismatch, a firewall blocking port 5696, or the KMIP service not running on the CryptoHub.
5. Repeat the upload-and-test process for every remaining node in the cluster.
6. Click Back when all nodes show Verified.
A status of Uploaded without a successful test means the certificate was accepted but the connection has not been verified. All nodes must show Verified before you can enable encryption.
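
When a node stays at Uploaded, the failure causes listed in step 4 can be told apart from outside Prism. The following is an added example, not part of the Futurex or Nutanix documentation: it checks TCP reachability of the KMIP port first, then attempts a TLS handshake that verifies the CryptoHub against the CA file. It assumes Python 3 and network reach to the CryptoHub from wherever it runs; the function name and file paths are hypothetical, and the client certificate and key arguments are optional and only usable where the matching private key is available.

```python
import socket
import ssl

KMIP_PORT = 5696  # default KMIP port named in the steps above


def check_kmip_endpoint(host, port=KMIP_PORT, ca_file=None,
                        cert_file=None, key_file=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'config', 'cert', 'tls' or 'ok'."""
    # Stage 1: plain TCP. A failure here points at a firewall or at the
    # KMIP service not listening, before any certificate is involved.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot reach {host}:{port}: {exc}"

    with sock:
        # Stage 2: load the CA file and, if given, the node certificate.
        # A missing file or a key that does not match the certificate
        # is reported here.
        try:
            ctx = ssl.create_default_context(cafile=ca_file)
            if cert_file:
                ctx.load_cert_chain(cert_file, key_file)
        except (OSError, ssl.SSLError) as exc:
            return "config", f"cannot load certificate files: {exc}"
        # Stage 3: TLS handshake, verifying the server against ca_file.
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"{tls.version()} handshake completed"
        except ssl.SSLCertVerificationError as exc:
            return "cert", f"server certificate rejected: {exc.verify_message}"
        except (ssl.SSLError, OSError) as exc:
            return "tls", f"handshake failed: {exc}"


if __name__ == "__main__":
    # Placeholder address and CA path (assumptions); replace with your own.
    print(check_kmip_endpoint("cryptohub.example.internal",
                              ca_file="cacert.pem"))
```

A result of `ok` shows only that the port is reachable and the TLS layer is consistent with the CA file; the Verified status in Prism still has to come from Test CS on each node.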

Enable encryption

1. Scroll to the bottom of the Data-at-rest Encryption page and click Enable Encryption.
2. In the confirmation dialog, type ENCRYPT exactly as shown and click Encrypt.
The system confirms that encryption is enabled and begins encrypting existing data in the background. Monitor progress using the Recent Tasks dropdown in Prism Element. When complete, the key icon turns golden and displays: Encryption State of Cluster: Software encryption is enabled.

Encryption scope by hypervisor:

| Hypervisor | Scope |
|------------|-------|
| AHV | Cluster level only (all containers) |
| ESXi | Cluster level or container level |
| Hyper-V | Cluster level or container level |

On ESXi and Hyper-V, each new container requires explicit encryption enablement after the initial cluster-level configuration. On AHV, all containers are covered by the cluster-level setting.