You activate vSAN Data-At-Rest encryption on the vSAN cluster. To enable vSAN encryption, you either select the vSphere Native Key Provider, or you set up an external Key Management Server (KMS) and establish a trusted connection between vCenter Server and the KMS.

  • Do not deploy the external KMS server on the same vSAN datastore that you plan to encrypt.

  • You cannot encrypt a witness host. The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.

For more information, see vSAN Data-At-Rest Encryption in the vSAN product documentation.

Procedure

  1. In a Web browser, log in to your vCenter Server by using the vSphere Client.

    Setting       Value
    URL           https://management-domain-vcenter-server-fqdn/ui
    User name     [email protected]

  2. VMW-vSAN-00183 Activate encryption on the vSAN cluster.
    1. In the Hosts and Clusters inventory, select the vSphere cluster that uses vSAN as storage.
    2. Click the Configure tab and under vSAN, click Services.
    3. Click the Data-At-Rest-Encryption Edit button.
    4. In the vSAN Services dialog box, activate the toggle switch of Data-At-Rest encryption, select a Native Key Provider or external KMS cluster, and click Apply.
    5. Repeat the procedure by selecting the vSphere cluster for the VI workload domain.
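The vSphere Client steps above leave no record that the setting actually took effect on every cluster. The following PowerCLI script is an added verification example, not code from the VMware documentation: it reports the Data-At-Rest encryption state of each vSAN cluster (design decision VMW-vSAN-00183) and, for an external KMS, checks the caveat that the KMS virtual machine must not run on the vSAN datastore it protects. The vCenter Server FQDN, the cluster names and the KMS VM name are placeholders you replace with your own values; the `EncryptionEnabled` and `KmsCluster` properties of `Get-VsanClusterConfiguration` are assumed from the VMware.VimAutomation.Storage module, and a cluster that is encrypted without a KMS cluster assigned is assumed to be using the Native Key Provider.

```powershell
# Added example (not from the VMware documentation page).
# Assumes PowerCLI with VMware.VimAutomation.Core and VMware.VimAutomation.Storage.
param(
    [string]   $VcenterFqdn  = 'management-domain-vcenter-server-fqdn',        # placeholder
    [string[]] $ClusterNames = @('mgmt-domain-vsan-cluster', 'vi-wld-vsan-cluster'), # constructed placeholders
    [string]   $KmsVmName    = 'external-kms-vm'                                # placeholder; unused with Native Key Provider
)

Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Storage -ErrorAction Stop

function Test-VsanEncryption {
    param([string[]] $Names, [string] $KmsVm)

    $findings = @()
    foreach ($name in $Names) {
        $cluster = Get-Cluster -Name $name -ErrorAction Stop
        $cfg     = Get-VsanClusterConfiguration -Cluster $cluster

        if (-not $cfg.VsanEnabled) {
            $findings += "$name : SKIP - vSAN is not enabled on this cluster"
            continue
        }

        # VMW-vSAN-00183: Data-At-Rest encryption must be on for every vSAN cluster.
        if (-not $cfg.EncryptionEnabled) {
            $findings += "$name : FAIL - Data-At-Rest encryption is OFF (VMW-vSAN-00183)"
            continue
        }

        # Assumption: no KMS cluster assigned means the Native Key Provider is in use.
        if ($cfg.KmsCluster) {
            $findings += "$name : OK - encrypted, key provider = external KMS '$($cfg.KmsCluster)'"

            # Caveat from the page: the external KMS must not live on the datastore it encrypts.
            $kmsVmObj = Get-VM -Name $KmsVm -ErrorAction SilentlyContinue
            if ($kmsVmObj) {
                $vsanDsNames = Get-VMHost -Location $cluster | Get-Datastore |
                               Where-Object { $_.Type -eq 'vsan' } |
                               Select-Object -ExpandProperty Name -Unique
                $kmsDsNames  = $kmsVmObj | Get-Datastore | Select-Object -ExpandProperty Name
                $overlap     = $kmsDsNames | Where-Object { $vsanDsNames -contains $_ }
                if ($overlap) {
                    $findings += "$name : FAIL - KMS VM '$KmsVm' is stored on encrypted vSAN datastore '$($overlap -join ', ')'"
                }
            }
            else {
                $findings += "$name : WARN - KMS VM '$KmsVm' not found in this vCenter; datastore placement not checked"
            }
        }
        else {
            $findings += "$name : OK - encrypted, key provider = Native Key Provider (assumed)"
        }
    }
    return $findings
}

Connect-VIServer -Server $VcenterFqdn -ErrorAction Stop | Out-Null
try {
    $results = Test-VsanEncryption -Names $ClusterNames -KmsVm $KmsVmName
    $results | ForEach-Object { Write-Output $_ }
    # Non-zero exit lets a scheduled compliance job flag the drift.
    if ($results -match ' FAIL ') { exit 1 }
}
finally {
    Disconnect-VIServer -Server $VcenterFqdn -Confirm:$false
}
```

Run it against the management domain vCenter Server after step 2 and again after the repeat for the VI workload domain; a `FAIL` line means either the toggle was not applied to that cluster or the KMS appliance has been placed on the datastore it is supposed to protect.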