Follow these best practices at all times when you operate vSAN storage for the management domain.

Table 1. Security Best Practices for Securing vSAN

Best Practice

Assign roles for vSAN encryption

The built-in Administrator role has the permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. This role must be reserved for cryptographic administrators where virtual machine encryption or vSAN encryption is required. All other vSphere administrators who do not require cryptographic operations must be assigned the No Cryptography Administrator role.

Plan your vSAN capacity

Ensure you have sufficient capacity in the management vSAN cluster for the management VMs. You can expand the datastore by adding capacity devices or hosts with capacity devices to the cluster.
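
One way to audit the role assignment practice above, as an added PowerShell example that is not part of the original documentation: it lists principals holding a role with any `Cryptographer.*` privilege who are not on an approved list. The function name `Find-UnapprovedCryptoPrincipal`, the `EXAMPLE\...` principals and the sample objects are assumptions constructed for illustration; the input objects mirror the shape of PowerCLI's `Get-VIRole` and `Get-VIPermission` output.

```powershell
# Added example. Works on objects shaped like PowerCLI's Get-VIRole / Get-VIPermission output.
function Find-UnapprovedCryptoPrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Role,        # objects with Name, PrivilegeList
        [Parameter(Mandatory)] [object[]] $Permission,  # objects with Principal, Role, Entity
        [string[]] $ApprovedPrincipal = @()             # designated cryptographic administrators
    )
    # Map each role name to the Cryptographer.* privileges it carries.
    $cryptoRoles = @{}
    foreach ($r in $Role) {
        $privs = @($r.PrivilegeList | Where-Object { $_ -like 'Cryptographer.*' })
        if ($privs.Count -gt 0) { $cryptoRoles[$r.Name] = $privs }
    }
    # Report every permission that grants such a role to a principal not on the approved list.
    foreach ($p in $Permission) {
        if (-not $cryptoRoles.ContainsKey($p.Role)) { continue }
        if ($ApprovedPrincipal -contains $p.Principal) { continue }   # -contains is case-insensitive
        [pscustomobject]@{
            Principal        = $p.Principal
            Role             = $p.Role
            Entity           = $p.Entity
            CryptoPrivileges = $cryptoRoles[$p.Role].Count
        }
    }
}

# Constructed sample data (not from a real vCenter Server).
$roles = @(
    [pscustomobject]@{ Name = 'Admin';         PrivilegeList = @('System.View', 'Cryptographer.Encrypt', 'Cryptographer.ManageKeyServers') }
    [pscustomobject]@{ Name = 'NoCryptoAdmin'; PrivilegeList = @('System.View', 'VirtualMachine.Config.AddNewDisk') }
)
$permissions = @(
    [pscustomobject]@{ Principal = 'EXAMPLE\crypto-admins'; Role = 'Admin';         Entity = 'Datacenters' }
    [pscustomobject]@{ Principal = 'EXAMPLE\vi-admins';     Role = 'Admin';         Entity = 'Datacenters' }
    [pscustomobject]@{ Principal = 'EXAMPLE\ops';           Role = 'NoCryptoAdmin'; Entity = 'Datacenters' }
)
Find-UnapprovedCryptoPrincipal -Role $roles -Permission $permissions -ApprovedPrincipal 'EXAMPLE\crypto-admins'

# Against a live vCenter Server (after Connect-VIServer):
# Find-UnapprovedCryptoPrincipal -Role (Get-VIRole) -Permission (Get-VIPermission) -ApprovedPrincipal 'EXAMPLE\crypto-admins'
```

Because the check keys on privileges rather than role names, it also flags custom roles that were cloned from Administrator and still carry cryptographic privileges.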