You enable vSAN Data-At-Rest encryption on the vSAN cluster. Before you can enable vSAN encryption, you must set up a Key Management Server (KMS) and establish a trusted connection between vCenter Server and the KMS.

  • Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt.

  • You cannot encrypt a witness host. The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.

For more information, see vSAN Data-At-Rest Encryption in the vSAN product documentation.


  1. In a Web browser, log in to management domain vCenter Server by using the vSphere Client.​





    User name​


  2. VI-Storage-SDS-CFG-00183 Enable encryption on the vSAN cluster.
    1. In the Hosts and Clusters inventory, select the default vSphere cluster for the management domain.
    2. Click the Configure tab and under vSAN, click Services.
    3. Click the Data-At-Rest-Encryption Edit button.
    4. In the vSAN Services dialog box, enable the toggle switch of Data-At-Rest encryption, select a KMS cluster, and click Apply.