Query Crypto Key In-Use Status

Sometimes it is useful to determine key status, for example whether a key is available on vCenter Server, which virtual machines and ESXi hosts are using it, and whether third party applications reference it.

As of vSphere 6.7 Update 2, the queryCryptoKeyStatus method is available to check the use of a KMS key, such as whether vCenter Server can access the key, whether the key is being used by some virtual machines, or whether it is used as a host key. The first parameter is a key ID or an array of key IDs to query. The second parameter is a bitmap defining the items to check:
  • 0x01 - ask if key data is available to vCenter Server
  • 0x02 - query which virtual machines use this key
  • 0x04 - check the ESXi hosts using this as a host key
  • 0x08 - check third party programs using this key.

Key status results are returned in a CryptoManagerKmip::CryptoKeyStatus data object, called keyStatusArray in the code below. If your program queried multiple keys, an array of results is returned.

The queryCryptoKeyStatus method and its returned data object are new in vSphere 6.7 U2, so they do not work in earlier releases.

The following Java code checks all items above by passing 15, the bitwise OR of the four settings above.
    // vimPort, cryptoManager and the four CryptoKeyId values (vmKeyId, diskKeyId,
    // srcHostkey, dstHostkey) are obtained earlier in the program.
    // checkKeyBitMap = 0x01 | 0x02 | 0x04 | 0x08 = 15: check every item.
    // The vim25 JAX-WS bindings take and return java.util.List rather than arrays.
    List<CryptoKeyId> keyIds = Arrays.asList(vmKeyId, diskKeyId, srcHostkey, dstHostkey);
    List<CryptoManagerKmipCryptoKeyStatus> keyStatusArray =
            vimPort.queryCryptoKeyStatus(cryptoManager, keyIds, 15);
    for (CryptoManagerKmipCryptoKeyStatus keyStatus : keyStatusArray) {
        // CryptoKeyId carries the key identifier string and the provider (KMS cluster) ID.
        System.out.println("keyId: " + keyStatus.getKeyId().getKeyId());
        System.out.println("keyAccessible: " + keyStatus.isKeyAvailable());
        System.out.println("reason: " + keyStatus.getReason());
        System.out.println("encryptedVMs: " + keyStatus.getEncryptedVMs());
        System.out.println("affectedHosts: " + keyStatus.getAffectedHosts());
        System.out.println("referencedByTags: " + keyStatus.getReferencedByTags());
    }
The keyAvailable field (printed as keyAccessible above) means the key is available on vCenter Server. The reason is either valid, or indicates why the key is not available. The encryptedVMs field is an array of virtual machine MoRefs, and affectedHosts is an array of MoRefs to ESXi hosts. The referencedByTags field gives the names of third party applications using the key.
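As an added example that is not part of the VMware documentation, the following Python composes the checkKeyBitMap from the four flag values above and triages records shaped like the CryptoKeyStatus data object, flagging keys that still have consumers but are no longer retrievable by vCenter Server. The records are constructed dicts; the assumption that real pyVmomi result objects expose the same attribute names is labelled in the code.

```python
# checkKeyBitMap values as documented for queryCryptoKeyStatus
KEY_AVAILABLE = 0x01   # is key data available to vCenter Server
ENCRYPTED_VMS = 0x02   # which virtual machines use this key
HOST_KEY = 0x04        # which ESXi hosts use this as a host key
THIRD_PARTY = 0x08     # third party programs referencing this key
ALL_CHECKS = KEY_AVAILABLE | ENCRYPTED_VMS | HOST_KEY | THIRD_PARTY  # == 15


def check_bitmap(*flags):
    """OR the requested checks together, rejecting bits the API does not define."""
    bitmap = 0
    for flag in flags:
        if flag == 0 or flag & ~ALL_CHECKS:
            raise ValueError(f"undefined checkKeyBitMap bit: {flag:#x}")
        bitmap |= flag
    return bitmap


def triage_key_status(statuses):
    """Map each key ID to (severity, detail) from CryptoKeyStatus-shaped records.

    Each record carries the fields of CryptoManagerKmip::CryptoKeyStatus: keyId,
    keyAvailable, reason, encryptedVMs, affectedHosts, referencedByTags. Plain
    dicts are used here; assumption: pyVmomi result objects expose the same
    attribute names, so an adapter that reads them is a one-liner.
    """
    findings = {}
    for s in statuses:
        consumers = (len(s["encryptedVMs"]) + len(s["affectedHosts"])
                     + len(s["referencedByTags"]))
        if not s["keyAvailable"] and consumers:
            # Worst case: something depends on a key vCenter cannot retrieve.
            findings[s["keyId"]] = ("critical",
                                    f"{consumers} consumer(s) depend on an unavailable key ({s['reason']})")
        elif not s["keyAvailable"]:
            findings[s["keyId"]] = ("warning", f"key unavailable ({s['reason']}), no consumers")
        elif consumers == 0:
            findings[s["keyId"]] = ("info", "key available but unused; review before retiring it")
        else:
            findings[s["keyId"]] = ("ok", f"key available, {consumers} consumer(s)")
    return findings


# Constructed sample records (not real vCenter output)
SAMPLE = [
    {"keyId": "vm-key-1", "keyAvailable": True, "reason": "valid",
     "encryptedVMs": ["vm-101", "vm-102"], "affectedHosts": [], "referencedByTags": []},
    {"keyId": "host-key-9", "keyAvailable": False, "reason": "missing in KMS (constructed)",
     "encryptedVMs": [], "affectedHosts": ["host-12"], "referencedByTags": []},
]

if __name__ == "__main__":
    for key, (severity, detail) in triage_key_status(SAMPLE).items():
        print(f"{severity:8s} {key}: {detail}")
```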