Nutanix Security Hardening AOS 7.5, Part 2: Cluster Lockdown & Encryption
Part 2 of our AOS 7.5 security series covers locking down cluster access and encrypting data at rest and in transit.
If you haven't read it yet, start with Part 1: CVM, PCVM & AHV Hardening.
Cluster Lockdown Configuration
Cluster lockdown disables password-based SSH authentication and requires public key authentication.
Enable Cluster Lockdown During Cluster Creation
Create a cluster with lockdown mode and custom password:
cluster --password_lockdown_mode=true \
--cluster_create_password_enforcement=true \
--cluster_create_security_opts=true \
--encrypted_password="encrypted_string" \
--external_access_keys="public_key" create
Create a cluster with full lockdown (no password or SSH key access):
cluster --lockdown_mode=true \
--cluster_create_password_enforcement=true \
--cluster_create_security_opts=true create
Configure Cluster Lockdown via Prism Element
- Log in to Prism Element as administrator
- Click the gear icon → Cluster Lockdown
- Deselect Enable Remote Login with Password
- Click + New user SSH Key
- Enter a name and paste the public key value
- Click Save
Data-at-Rest Encryption
AOS 7.5 supports software-based encryption using AES-256 with multiple key management options.
Configure External KMS with Prism Central
First, register the external KMS:
mantle_cli kms kmip create \
--name my_external_kms \
--ca_cert_path /path/to/ca.crt \
--client_cert_path /path/to/client.crt \
--private_key_path /path/to/client.key \
--ip_port_vec "10.0.1.50:5696,10.0.1.51:5696"
List configured KMS entries:
mantle_cli kms kmip list
Associate the external KMS with a cluster:
ncli key-management-server change-key-manager-server-type \
key-manager-server-type=ekm_pc \
kms-uuids=<kms_uuid>
Update External KMS Configuration
mantle_cli kms kmip update \
--kms_uuid <kms_uuid> \
--ca_cert_path /path/to/new-ca.crt \
--client_cert_path /path/to/new-client.crt \
--private_key_path /path/to/new-client.key \
--ip_port_vec "10.0.1.52:5696"
Verify the update:
mantle_cli kms kmip get --kms_uuid <kms_uuid>
Data-in-Transit Encryption
AOS 7.5 supports encrypting data as it moves between CVMs in the cluster.
Enable data-in-transit encryption via Prism Central:
- Navigate to Admin Center → Security
- Select the cluster
- Enable Data-in-Transit Encryption
IP Set Based Firewall
AOS 7.5 enables IP set-based firewall by default. This implements strict firewall rules for intra-cluster communication, allowing only trusted CVM and hypervisor IP addresses as sources for RPC and API requests.
This feature is enabled automatically in AOS 6.8 and later.
Summary
With cluster lockdown and encryption configured, your Nutanix infrastructure now has strong access controls and data protection. In Part 3, we cover IAM configuration and troubleshooting.


