I agree with B, as per the statement below:
vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself.
Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.
B is the correct answer.
When encryption is enabled on a vSAN cluster:
1. vCenter Server requests an AES-256 KEK from the KMS. vCenter Server stores only the ID of the KEK.
2. vCenter Server sends the KEK ID to all hosts.
3. Hosts use the KEK ID to request the KEK from the KMS.
4. Hosts create a unique DEK for each drive.
5. The vSAN datastore is encrypted with each drive having its own DEK.
6. The KMS generates a single Host Key (HEK), sent to all hosts in the cluster, used for encrypting core dumps.
Taken from vSAN 6.7 Deploy and Manage, Encryption Key Generation section.
I believe B is correct, from the link below: "The KEK and Host Key are placed in memory in the key cache. These keys are not persistently stored on the vSAN hosts."
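To make the key flow in the steps above concrete, here is an added Go sketch (not vSAN's or VMware's code) of the hierarchy the posts describe: the KMS alone keeps the KEK, a host caches it only in memory, each drive's DEK goes to disk only in KEK-wrapped form, and a reboot leaves the wrapped DEKs unreadable until the KEK is fetched again by its ID. The KMS, Host and NewHost names and AES-256-GCM as the wrap format are assumptions made for this sketch, not the product's real interfaces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type KMS map[string][]byte // the only place a KEK persists; vCenter and hosts hold just its ID
// GenerateKEK (step 1): mint a 256-bit KEK under an ID and hand back only the ID.
func (k KMS) GenerateKEK(id string) string { k[id] = randBytes(32); return id }
func randBytes(n int) []byte            { b := make([]byte, n); rand.Read(b); return b }
// Host caches the KEK in memory only; its disk holds nothing but KEK-wrapped DEKs.
type Host struct {
	KEKID string
	kek   cipher.AEAD       // in-memory KEK cache: nil until Boot and again after Reboot
	Disk  map[string][]byte // drive -> nonce||AES-256-GCM(DEK), a constructed wrap format
}
func NewHost(kekID string) *Host { return &Host{KEKID: kekID, Disk: map[string][]byte{}} }
func (h *Host) Reboot()          { h.kek = nil } // disk survives, the KEK cache does not
// Boot (step 3): resolve the KEK ID at the KMS and keep the key only in memory.
func (h *Host) Boot(kms KMS) error {
	kek, ok := kms[h.KEKID]
	if !ok {
		return errors.New("KMS does not know KEK id " + h.KEKID)
	}
	block, _ := aes.NewCipher(kek)  // KMS keys are always 32 bytes, so no size error
	h.kek, _ = cipher.NewGCM(block) // standard AES block size, so no error here either
	return nil
}
// CreateDEK (step 4): one fresh DEK per drive, persisted only in KEK-wrapped form.
func (h *Host) CreateDEK(drive string) error {
	if h.kek == nil {
		return errors.New("KEK not in cache: host must fetch it from the KMS first")
	}
	nonce := randBytes(h.kek.NonceSize())
	h.Disk[drive] = h.kek.Seal(nonce, nonce, randBytes(32), []byte(drive))
	return nil
}
// DEK unwraps a drive's key from disk; it needs both the blob and the cached KEK.
func (h *Host) DEK(drive string) ([]byte, error) {
	blob, ok := h.Disk[drive]
	if !ok || h.kek == nil {
		return nil, errors.New("no wrapped DEK on disk or KEK not in cache")
	}
	n := h.kek.NonceSize()
	return h.kek.Open(nil, blob[:n], blob[n:], []byte(drive))
}
func main() {}
```

Inspecting `h.Disk` after `Reboot` shows what an attacker with the drives alone would get: wrapped DEKs and no KEK, which is exactly why the KEK must come back from the KMS by ID.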