Nutanix Security Hardening AOS 7.5, Part 2: Cluster Lockdown & Encryption

Part 2 of our AOS 7.5 security series covers locking down cluster access and encrypting data at rest and in transit.

If you haven't read it yet, start with Part 1: CVM, PCVM & AHV Hardening.

Cluster Lockdown Configuration

Cluster lockdown disables password-based SSH authentication and requires public key authentication.

Enable Cluster Lockdown During Cluster Creation

Create a cluster with lockdown mode and custom password:

bash
cluster --password_lockdown_mode=true \
  --cluster_create_password_enforcement=true \
  --cluster_create_security_opts=true \
  --encrypted_password="encrypted_string" \
  --external_access_keys="public_key" create

Create a cluster with full lockdown (no password or SSH key access):

bash
cluster --lockdown_mode=true \
  --cluster_create_password_enforcement=true \
  --cluster_create_security_opts=true create

Configure Cluster Lockdown via Prism Element

  1. Log in to Prism Element as administrator
  2. Click the gear icon → Cluster Lockdown
  3. Deselect Enable Remote Login with Password
  4. Click + New user SSH Key
  5. Enter a name and paste the public key value
  6. Click Save

Data-at-Rest Encryption

AOS 7.5 supports software-based encryption using AES-256 with multiple key management options.

Configure External KMS with Prism Central

First, register the external KMS:

bash
mantle_cli kms kmip create \
  --name my_external_kms \
  --ca_cert_path /path/to/ca.crt \
  --client_cert_path /path/to/client.crt \
  --private_key_path /path/to/client.key \
  --ip_port_vec "10.0.1.50:5696,10.0.1.51:5696"

List configured KMS entries:

bash
mantle_cli kms kmip list

Associate the external KMS with a cluster:

bash
ncli key-management-server change-key-manager-server-type \
  key-manager-server-type=ekm_pc \
  kms-uuids=<kms_uuid>

Update External KMS Configuration

bash
mantle_cli kms kmip update \
  --kms_uuid <kms_uuid> \
  --ca_cert_path /path/to/new-ca.crt \
  --client_cert_path /path/to/new-client.crt \
  --private_key_path /path/to/new-client.key \
  --ip_port_vec "10.0.1.52:5696"

Verify the update:

bash
mantle_cli kms kmip get --kms_uuid <kms_uuid>

Data-in-Transit Encryption

AOS 7.5 supports encrypting data as it moves between CVMs in the cluster.

Enable data-in-transit encryption via Prism Central:

  1. Navigate to Admin CenterSecurity
  2. Select the cluster
  3. Enable Data-in-Transit Encryption

IP Set Based Firewall

AOS 7.5 enables IP set-based firewall by default. This implements strict firewall rules for intra-cluster communication, allowing only trusted CVM and hypervisor IP addresses as sources for RPC and API requests.

This feature is enabled automatically in AOS 6.8 and later.

Summary

With cluster lockdown and encryption configured, your Nutanix infrastructure now has strong access controls and data protection. In Part 3, we cover IAM configuration and troubleshooting.