Nutanix Certified Professional Multicloud Infrastructure (NCP-MCI) Practice Exam

The ability to change the Native KMS to an External KMS on a cluster with software-based Data-at-Rest Encryption enabled is an important feature for enhancing security and managing keys effectively. This option allows users to switch their key management server configuration without having to disable or disrupt existing encryption settings.

When using a Native KMS, encryption keys are managed within the Nutanix infrastructure, but as organizations scale, they may prefer or require external key management solutions for compliance, centralized management, or integration with other security tools. Therefore, migrating from a Native KMS to an External KMS provides flexibility in managing encryption keys while maintaining the security of the data stored in the cluster.

Other options, such as disabling encryption or enabling encryption for a VM while using existing encryption methods, are typically limited once encryption is enabled due to the inherent design to protect data integrity and security. Deploying an additional Native KMS Server does not change the overall key management approach but rather adds redundancy or load balancing to the same internal management system. Thus, changing to an External KMS stands out as the correct and valid action to enhance key management capabilities.