You can generate new encryption keys, in case a key expires or becomes compromised.

The following options are available when you generate new encryption keys for your Virtual SAN cluster.
  • If you generate a new KEK, all hosts in the Virtual SAN cluster receive the new KEK from the KMS. Each host's DEK is re-encrypted with the new KEK.
  • If you choose to re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk re-format is required to re-encrypt data.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to the Virtual SAN host cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General.
  4. In the vSAN is turned ON pane, click the Generate new encryption keys button.
  5. To generate a new KEK, click OK. The DEKs will be re-encrypted with the new KEK.
    • To generate a new KEK and new DEKs, and re-encrypt all data in the Virtual SAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.
    • If your Virtual SAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.