Cloudlink: How to verify KMS configuration and connection status

Summary: How to verify Cloudlink KMS configuration and connection status using the CLI on an ESXi host and the vSphere UI.


Instructions

  • When using Cloudlink as the KMS in a vSAN environment, the KMS configuration on an ESXi host (6.7 or earlier) can be retrieved with the following CLI commands:
    esxcli vsan encryption kms list
    grep kmip /etc/vmware/esx.conf
  • In vSAN 7.0 and above, encryption information is no longer stored in the esx.conf file.
  • In those versions, KMS information can be retrieved from configstore or with the esxcli vsan encryption commands listed below.
  • Use the following command to retrieve KMS information from configstore:
    configstorecli config current get -c 'vsan' -g 'system' -k 'vsan'
  • Additional esxcli commands for KMS server information:
    • Retrieve vSAN encryption information
      esxcli vsan encryption info get
    • Retrieve KMS configurations for vSAN encryption
      esxcli vsan encryption kms list
    • Retrieve host key from the keycache
      esxcli vsan encryption hostkey get
    • Retrieve encryption certificate file paths on the ESXi hosts
      esxcli vsan encryption cert path list
    • Retrieve KMS server certificate contents from the ESXi host (similar to 'cat /etc/vmware/ssl/vsan_kms_castore.pem')
      esxcli vsan encryption cert get
  • Netcat can be used to check connectivity between the ESXi host and the KMS over port 5696 (the default KMS port):
    nc -z <kms-ip> 5696
  • To check KMS connection status in vSphere, select the vCenter Server instance in the inventory list.
    • Click the Configure tab and then click Key Providers under Security.

Key Providers in vSphere

  • KMS status for vCenter and hosts can alternatively be checked at the Cluster level in the vSphere inventory list
    • Click the Monitor tab and then click Skyline Health under vSAN
    • In Skyline Health, click Encryption/Data-at-rest Encryption and then click the check named "vCenter and all hosts are connected to Key Management servers"

vCenter and all hosts are connected to key management servers
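
The CLI checks above can be gathered in one pass per host. The following is an added example, not part of the original article or a Dell/VMware tool: the function names and the --collect switch are hypothetical, and it assumes the ESXi major version tracks the vSAN version (7.0 and above use configstore).

```shell
# Added example: gather vSAN KMS evidence with the commands from this article.
KMS_PORT=5696   # default KMS port, per the article

# Print the article's read-only commands for an ESXi version such as 6.7.0.
# hostkey get and cert get are left out; run them by hand when needed.
kms_commands_for() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "unrecognised version: $1" >&2; return 2 ;;
    esac
    if [ "$major" -ge 7 ]; then
        # 7.0 and above: encryption settings are no longer in esx.conf
        cat <<'EOF'
configstorecli config current get -c 'vsan' -g 'system' -k 'vsan'
esxcli vsan encryption info get
esxcli vsan encryption kms list
esxcli vsan encryption cert path list
EOF
    else
        cat <<'EOF'
esxcli vsan encryption kms list
grep kmip /etc/vmware/esx.conf
EOF
    fi
}

# Return 0 when a TCP connection to the KMS port succeeds.
kms_reachable() {
    nc -z "$1" "${2:-$KMS_PORT}" >/dev/null 2>&1
}

# usage: collect <esxi-version> <kms-ip>...  (non-zero if any KMS is unreachable)
collect() {
    version=$1; shift
    cmds=$(kms_commands_for "$version") || return 2
    echo "$cmds" | while IFS= read -r cmd; do
        echo "### $cmd"
        sh -c "$cmd" 2>&1 || echo "(command failed)"
    done
    rc=0
    for kms in "$@"; do
        if kms_reachable "$kms"; then echo "OK   $kms:$KMS_PORT"
        else echo "FAIL $kms:$KMS_PORT"; rc=1; fi
    done
    return $rc
}

# Example: sh kms_check.sh --collect 7.0.3 192.0.2.10
if [ "${1:-}" = "--collect" ]; then shift; collect "$@"; fi
```

A successful nc -z only shows that the TCP port is open; the Key Providers and Skyline Health views described above remain the check that the KMS connection itself is healthy.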

Affected Products

CloudLink

Products

CloudLink SecureVM, VMware ESXi 6.x, VMware ESXi 7.x, VMware VSAN
Article Properties
Article Number: 000192697
Article Type: How To
Last Modified: 06 Jun 2025
Version:  3