vSAN can encrypt data-in-transit across hosts in the vSAN cluster. Data-in-transit encryption protects data as it moves around the vSAN cluster.

vSAN can encrypt data at rest in the vSAN datastore. Data-at-rest encryption protects data on storage devices if a device is removed from the cluster.

vSAN Data-In-Transit Encryption

vSAN can encrypt data in transit as it moves across hosts in a vSAN cluster. When data-in-transit encryption is enabled, vSAN encrypts all data and metadata traffic between hosts.

vSAN data-in-transit encryption has the following characteristics:

  • vSAN uses AES-256 encryption for data in transit.

  • vSAN data-in-transit encryption is independent of data-at-rest encryption. Each can be enabled or disabled separately.

  • Forward secrecy is enforced for vSAN data-in-transit encryption.

  • Traffic between data hosts and witness hosts is encrypted.

  • File service data traffic between the VDFS proxy and VDFS server is encrypted.

  • vSAN file services inter-host connections are encrypted.

vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. A key management server is not required to perform data-in-transit encryption.

Each host is authenticated when it joins the cluster, ensuring that only connections to trusted hosts are allowed. When a host is removed from the cluster, its authentication certificate is removed.

vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts.

vSAN Data-At-Rest Encryption

vSAN can encrypt data at rest within a vSAN datastore. Data is encrypted after all other processing, such as deduplication, is performed. Data-at-rest encryption protects data on storage devices if a device is removed from the cluster.

Using encryption on a vSAN datastore requires some preparation. Data-at-rest encryption can be enabled after the cluster is set up.

Data-at-rest encryption requires an external Key Management Server (KMS) or a vSphere Native Key Provider.

An external Key Management Server (KMS), the vCenter Server system, and the ESXi hosts can be used to encrypt data in a vSAN cluster. vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts.

vCenter Server does not store the KMS keys, but keeps a list of key IDs.

How Data-At-Rest Encryption Works

When data-at-rest encryption is enabled, vSAN encrypts everything in the vSAN datastore. All files are encrypted, so all VMs and their corresponding data are protected. Only administrators with encryption privileges can perform encryption and decryption tasks. vSAN uses encryption keys as follows:

  • vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself.

  • The ESXi host encrypts disk data using the industry standard AES-256 XTS mode. Each disk has a different randomly generated Data Encryption Key (DEK).

  • Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as required.

  • A host key is used to encrypt core dumps, not data. All hosts in the same cluster use the same host key. When collecting support bundles, a random key is generated to re-encrypt the core dumps. A password is specified to encrypt the random key.

When a host reboots, it does not mount its disk groups until it receives the KEK. This process can take several minutes or longer to complete. The status of the disk groups can be monitored in the vSAN health service, under Physical disks > Software state health.
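
The KEK/DEK hierarchy and the reboot dependency on the key server, sketched in Go as an added example (not VMware code). The `KMS` type and the `FetchKEK`, `WrapDEK` and `UnwrapDEK` functions are hypothetical names, and AES-256-GCM as the DEK-wrapping algorithm is an assumption, since the wrapping algorithm is not specified here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is a constructed stand-in for the key server: KEK ID -> 256-bit KEK.
type KMS struct {
	Keys   map[string][]byte
	Online bool
}

// FetchKEK is the host side (hypothetical call): request the KEK by ID, keep it in memory only.
func FetchKEK(kms *KMS, kekID string) (cipher.AEAD, error) {
	if !kms.Online {
		return nil, fmt.Errorf("key server unavailable for KEK %q", kekID)
	}
	blk, err := aes.NewCipher(kms.Keys[kekID]) // unknown ID yields a key size error
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk) // AES-256-GCM wrapping is this sketch's assumption
}

// WrapDEK returns nonce||ciphertext||tag, the only form of a DEK written to disk.
func WrapDEK(kek cipher.AEAD, dek []byte) ([]byte, error) {
	nonce := make([]byte, kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return kek.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapDEK recovers a DEK after reboot; a wrong KEK or an altered blob is rejected.
func UnwrapDEK(kek cipher.AEAD, blob []byte) ([]byte, error) {
	n := kek.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("wrapped DEK truncated: %d bytes", len(blob))
	}
	return kek.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	_, err := FetchKEK(&KMS{Online: false}, "kek-1") // host reboots while the key server is down
	fmt.Println("disk groups stay unmounted:", err)
}
```

Without the KEK, the wrapped DEKs on disk cannot be opened, which is why a removed device alone does not expose its data.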

Encryption Key Persistence

In vSAN 7.0 Update 3 and later, data-at-rest encryption can continue to function even when the key server is temporarily offline or unavailable. With key persistence enabled, the ESXi hosts can persist the encryption keys even after a reboot.

Each ESXi host obtains the encryption keys initially and retains them in its key cache. If the ESXi host has a Trusted Platform Module (TPM), the encryption keys are persisted in the TPM across reboots. The host does not have to request encryption keys. Encryption operations can continue when the key server is unavailable, because the keys have persisted in the TPM.