Verify the integration using Nutanix command-line tools, NCC health checks, and the CryptoHub key inventory. This page also covers key rotation, troubleshooting, and log file locations.

Verify encryption status with ncli

SSH to any CVM in the cluster and run the following commands to confirm encryption is active and the KMS is configured correctly. Run these commands to check overall encryption status:

```bash
# Check cluster encryption status
ncli data-at-rest-encryption get-status

# List all configured key management servers
ncli key-management-server list

# List containers and confirm "Software Encryption: on"
ncli container list
```

Run these commands to test the KMIP connection and review certificate test results:

```bash
# Test the KMIP configuration and connectivity
ncli data-at-rest-encryption test-configuration

# Retrieve results of the most recent certificate test
ncli data-at-rest-encryption get-recent-certificate-test-results
```
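
To check every container at once instead of reading the `ncli container list` output by eye, the following added example (not part of the Futurex or Nutanix documentation) filters that output for containers that do not report `Software Encryption: on`. It assumes ncli prints one `Key : value` line per field, with a `Name` line preceding `Software Encryption` in each record; the function names, sample listing, and container names are constructed.

```bash
# Added example, not vendor code. Assumes `ncli container list` prints one
# "Key : value" line per field, with "Name" before "Software Encryption".

# Reads the listing on stdin and prints each container that is not "on".
# Returns 0 if every container is encrypted, 1 if any is not, 2 if none parsed.
unencrypted_containers() {
    awk -F':' '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        # Close the current container record and judge its encryption field.
        function emit() {
            if (name == "") return
            seen++
            if (tolower(enc) != "on") {
                bad++
                printf "%s: Software Encryption=%s\n", name, (enc == "" ? "<missing>" : enc)
            }
            name = ""; enc = ""
        }
        {
            key = trim($1)
            # Take everything after the first colon so values may contain colons.
            val = trim(substr($0, index($0, ":") + 1))
        }
        key == "Name"                { emit(); name = val }
        key == "Software Encryption" { enc = val }
        END {
            emit()
            if (seen == 0) { print "no containers parsed" > "/dev/stderr"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample listing (not real cluster output), used for the demo below.
sample_container_list() {
    cat <<'EOF'
    Id                        : 0005aaaa::1001
    Name                      : ctr-prod
    Software Encryption       : on

    Id                        : 0005aaaa::1002
    Name                      : ctr-legacy
    Software Encryption       : off
EOF
}

# Demo on the sample; on a CVM use: ncli container list | unencrypted_containers
sample_container_list | unencrypted_containers || echo "audit: unencrypted containers found"
```

A missing `Software Encryption` line is reported as `<missing>` and treated as a failure, so a change in the ncli output layout does not pass silently.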

Verify keys on the CryptoHub

Log in to the CryptoHub management interface and confirm that new AES-256 symmetric key objects have been created. Nutanix creates Key Encryption Keys (KEKs) on the CryptoHub when encryption is first enabled. In the Generic KMIP service on the CryptoHub, check the KMIP activity logs for Create, Get, and Activate operations originating from the Nutanix CVM IP addresses. The key objects appear in the key inventory of the service.

Run NCC health checks

Run the full NCC health check suite to validate KMS configuration, connectivity, and certificate validity.

```bash
# Run all NCC health checks (includes key_manager_checks)
ncc health_checks run_all
```

The key_manager_checks health check (Nutanix KB-8223) specifically validates KMS configuration and certificate status. Address any FAIL results before considering the integration production-ready.

Rotate encryption keys

Nutanix supports both automatic and on-demand key rotation. To manually rotate encryption keys via the CLI, run the following command:

```bash
ncli data-at-rest-encryption rekey-disks
```

To rotate keys from Prism Element, navigate to Settings > Data-at-rest Encryption and click Rekey. During re-keying with an external KMS, Nutanix requests new keys from the CryptoHub. Old keys are retained on the CryptoHub until all data is re-encrypted with the new keys.

Troubleshooting

| Symptom | Likely cause | Resolution |
| --- | --- | --- |
| Node status shows Uploaded but not Verified | CVM cannot reach CryptoHub on port 5696 | Verify firewall rules allow TCP 5696 from all CVM IPs to the CryptoHub |
| Node status remains Uploaded after certificate upload | Certificate was not issued by the uploaded CA | Confirm the signed cert was issued by the same CA whose cacert.pem was uploaded to Prism |
| test-configuration fails | KMIP service not running or port blocked | Verify the Generic KMIP service is deployed and running on the CryptoHub; check port 5696 connectivity |
| Keys not visible on CryptoHub after enabling encryption | Wrong KMS address or identity mismatch | Confirm the KMS address in Prism matches the CryptoHub address; review KMIP activity logs |
| Cluster data inaccessible after cold boot | CryptoHub unreachable at boot time | Restore CryptoHub connectivity; verify the CryptoHub is not hosted on the encrypted cluster |
| Certificate test fails with TLS error | TLS inspection proxy intercepting traffic | Exempt CryptoHub IP or FQDN from TLS inspection on all network path devices |

Log files

| Log | Location on CVM | Contents |
| --- | --- | --- |
| Mantle INFO | ~/data/logs/mantle.INFO | Normal KMIP operations and key retrievals |
| Mantle WARNING | ~/data/logs/mantle.WARNING | Warning-level key management events |
| Mantle ERROR | ~/data/logs/mantle.ERROR | Errors in key retrieval or KMIP communication |

The Mantle service handles all encryption key management operations on Nutanix. Run genesis status on any CVM to check the status of the encryption service, and cluster status for overall cluster health.