> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure external key management in Prism Element

> Add the CryptoHub as the key management server in Prism Element, upload the signed node certificates and CA certificate, and enable cluster encryption.

*Add the CryptoHub as the external key management server in Prism Element and upload the signed certificates. Verify each node connection, then enable cluster encryption — this step is irreversible.*

<Warning>
  Enabling encryption is a one-way operation. Once enabled, encryption cannot be disabled on the cluster. Ensure all certificate uploads and connection tests succeed before proceeding to the final step.
</Warning>

## Add the key management server

<Steps>
  <Step>
    In Prism Element, go to **Settings** > **Data-at-rest Encryption** and click **Continue Configuration**.
  </Step>

  <Step>
    Click **Add New Key Management Server** and enter the following:

    * **Name**: A descriptive identifier (for example, `Futurex-CryptoHub-Primary`)
    * **Address**: The IP address or FQDN of the CryptoHub
    * **Port**: `5696` (default KMIP port; adjust if your CryptoHub uses a custom port)

    Click **Save**.
  </Step>

  <Step>
    For a high-availability CryptoHub deployment, click **Add Key Management Server** again and add each additional CryptoHub node as a separate entry. Nutanix treats each entry as an independent KMIP endpoint for failover.
  </Step>
</Steps>

## Add the Certificate Authority

<Steps>
  <Step>
    Click **Add New Certificate Authority** and enter a descriptive name (for example, `Futurex-CryptoHub-CA`).
  </Step>

  <Step>
    Click **Upload CA Certificate** and select the CA certificate file. Use the `Futurex Test Root CA (ECC).cer` / `Futurex Test Root SSL CA.cer` file from the client endpoint zip.
  </Step>

  <Step>
    Click **Save**, then click **Back**.
  </Step>
</Steps>

## Upload signed node certificates

Each CVM node requires its own signed certificate. Upload and verify each node individually before enabling encryption.

<Steps>
  <Step>
    Under the key management server entry you created, click the **Manage Certificates** link.

    <Note>
      This link is blue text displayed below the Actions area — it is not a traditional button and is easy to overlook.
    </Note>
  </Step>

  <Step>
    Click **Upload Files** and select the signed certificate PEM file for the first node.
  </Step>

  <Step>
    Click **Submit**. The node status changes to **Uploaded**.
  </Step>

  <Step>
    Click **Test CS** (or **Test all nodes**) to verify the connection.

    A successful test changes the node status to **Verified**, confirming that the CVM can authenticate to the CryptoHub and retrieve a test key. A failed test typically indicates a certificate mismatch, a firewall blocking port 5696, or another configuration issue.
  </Step>

  <Step>
    Repeat the upload-and-test process for every remaining node in the cluster.
  </Step>

  <Step>
    Click **Back** when all nodes show **Verified**.
  </Step>
</Steps>

<Note>
  A status of **Uploaded** without a successful test means the certificate was accepted but the connection has not been verified. All nodes must show **Verified** before you can enable encryption.
</Note>

## Enable encryption

<Steps>
  <Step>
    Scroll to the bottom of the **Data-at-rest Encryption** page and click **Enable Encryption**.
  </Step>

  <Step>
    In the confirmation dialog, type `ENCRYPT` exactly as shown and click **Encrypt**.
  </Step>
</Steps>

The system confirms that encryption is enabled and begins encrypting existing data in the background. Monitor progress using the **Recent Tasks** dropdown in Prism Element. When complete, the key icon turns golden and displays:

*Encryption State of Cluster: Software encryption is enabled.*

**Encryption scope by hypervisor:**

| Hypervisor | Scope                               |
| ---------- | ----------------------------------- |
| AHV        | Cluster level only (all containers) |
| ESXi       | Cluster level or container level    |
| Hyper-V    | Cluster level or container level    |

On ESXi and Hyper-V, each new container requires explicit encryption enablement after the initial cluster-level configuration. On AHV, all containers are covered by the cluster-level setting.
