A Key Management Server (KMS) cluster provides the keys that you can use to encrypt the Virtual SAN datastore.

Before you can encrypt the Virtual SAN datastore, you must set up a KMS cluster to support encryption. That task includes adding the KMS to vCenter Server and establishing trust with the KMS. vCenter Server provisions encryption keys from the KMS cluster.

The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard.
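One way to check the KMIP 1.1 requirement before adding a KMS to vCenter Server is the KMIP Discover Versions operation. The following is an added example, not VMware code: it builds the TTLV-encoded request and parses a response payload for the versions the server offers. The function names and the sample payload are constructed for illustration, and the TLS transport to the KMS is left out.

```python
import struct

# Tag, type and operation codes from the KMIP specification (TTLV encoding).
T_REQ_MSG, T_REQ_HDR, T_REQ_PAYLOAD = 0x420078, 0x420077, 0x420079
T_PROTO_VER, T_VER_MAJOR, T_VER_MINOR = 0x420069, 0x42006A, 0x42006B
T_BATCH_COUNT, T_BATCH_ITEM, T_OPERATION = 0x42000D, 0x42000F, 0x42005C
STRUCT, INT, ENUM = 0x01, 0x02, 0x05
OP_DISCOVER_VERSIONS = 0x1E

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    if typ != STRUCT:
        value = struct.pack(">i", value)  # Integer and Enumeration are 4 bytes
    pad = b"\x00" * (-len(value) % 8)
    return tag.to_bytes(3, "big") + struct.pack(">BI", typ, len(value)) + value + pad

def version(major, minor):
    return ttlv(T_PROTO_VER, STRUCT,
                ttlv(T_VER_MAJOR, INT, major) + ttlv(T_VER_MINOR, INT, minor))

def discover_versions_request():
    """Request sent as KMIP 1.1; an empty payload asks for every supported version."""
    header = ttlv(T_REQ_HDR, STRUCT, version(1, 1) + ttlv(T_BATCH_COUNT, INT, 1))
    item = ttlv(T_BATCH_ITEM, STRUCT, ttlv(T_OPERATION, ENUM, OP_DISCOVER_VERSIONS)
                + ttlv(T_REQ_PAYLOAD, STRUCT, b""))
    return ttlv(T_REQ_MSG, STRUCT, header + item)

def walk(buf):
    """Yield (tag, type, value) for each item at one nesting level."""
    off = 0
    while off < len(buf):
        tag = int.from_bytes(buf[off:off + 3], "big")
        typ, length = struct.unpack(">BI", buf[off + 3:off + 8])
        value = buf[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated TTLV item")
        yield tag, typ, value
        off += 8 + length + (-length % 8)

def offered_versions(payload):
    """Return [(major, minor), ...] from a Discover Versions response payload."""
    found = []
    for tag, typ, value in walk(payload):
        if tag == T_PROTO_VER and typ == STRUCT:
            f = {t: struct.unpack(">i", v)[0] for t, _, v in walk(value)}
            found.append((f[T_VER_MAJOR], f[T_VER_MINOR]))
    return found

# Constructed sample payload, not captured from a real KMS.
SAMPLE_PAYLOAD = version(1, 2) + version(1, 1) + version(1, 0)
```

A KMS meets the requirement when `(1, 1)` appears in `offered_versions()` for the payload it returns.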