You enable vSAN Data-At-Rest encryption on the vSAN cluster. Before you can enable vSAN encryption, you must set up a Key Management Server (KMS) and establish a trusted connection between vCenter Server and the KMS.
Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt.
You cannot encrypt a witness host. The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.
For more information, see vSAN Data-At-Rest Encryption in the vSAN product documentation.
- In a Web browser, log in to the management domain vCenter Server by using the vSphere Client.
VI-Storage-SDS-CFG-00183: Enable encryption on the vSAN cluster.
- In the Hosts and Clusters inventory, select the default vSphere cluster for the management domain.
- Click the Configure tab and under vSAN, click Services.
- Click the Data-At-Rest-Encryption Edit button.
- In the vSAN Services dialog box, enable the toggle switch of Data-At-Rest encryption, select a KMS cluster, and click Apply.
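
The same change can be scripted with a pre-flight check for the KMS placement rule stated above. This is an added example, not part of the original procedure; it assumes the VMware PowerCLI module is installed, and the vCenter Server, cluster, VM, and KMS cluster names are placeholders.

```powershell
# Added example. All names below are placeholders, not values from this procedure.
$vCenter     = 'vcenter.example.local'   # placeholder: management domain vCenter Server
$clusterName = 'mgmt-cluster-01'         # placeholder: default management domain cluster
$kmsVmName   = 'kms-01'                  # placeholder: KMS VM name, if the KMS is a VM in this inventory
$kmsName     = 'kms-cluster-01'          # placeholder: KMS cluster registered in vCenter Server

Connect-VIServer -Server $vCenter | Out-Null
$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop

# Pre-flight 1: the KMS must not live on the vSAN datastore that is about to be encrypted.
$vsanDs = Get-Datastore -RelatedObject $cluster | Where-Object { $_.Type -eq 'vsan' }
$kmsVm  = Get-VM -Name $kmsVmName -ErrorAction SilentlyContinue
if ($kmsVm) {
    $overlap = $kmsVm | Get-Datastore | Where-Object { $vsanDs.Id -contains $_.Id }
    if ($overlap) {
        throw "KMS VM '$kmsVmName' is stored on vSAN datastore '$($overlap.Name)'; move it before enabling encryption."
    }
} else {
    # A physical or external KMS will not appear as a VM; that case needs a manual check.
    Write-Warning "No VM named '$kmsVmName' in this inventory; confirm the KMS runs outside the vSAN datastore."
}

# Pre-flight 2: the KMS cluster must already be registered with vCenter Server.
$kms = Get-KmsCluster -Name $kmsName -ErrorAction Stop

# Enable encryption only if it is not already on, then read the setting back.
$config = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $config.EncryptionEnabled) {
    Set-VsanClusterConfiguration -Configuration $config -EncryptionEnabled $true -KmsCluster $kms | Out-Null
}
Get-VsanClusterConfiguration -Cluster $cluster |
    Select-Object Cluster, EncryptionEnabled, KmsCluster
```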