Consider these guidelines when working with vSAN encryption.
Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt.
Encryption is CPU intensive. AES-NI significantly improves encryption performance. Enable AES-NI in your BIOS.
The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.
Establish a policy regarding core dumps. Core dumps are encrypted because they can contain sensitive information such as keys. If you decrypt a core dump, carefully handle its sensitive information. ESXi core dumps might contain keys for the ESXi host and for the data on it.
Always use a password when you collect a vm-support bundle. You can specify the password when you generate the support bundle from the vSphere Web Client or using the vm-support command.
The password recrypts core dumps that use internal keys to use keys that are based on the password. You can later use the password to decrypt any encrypted core dumps that might be included in the support bundle. Unencrypted core dumps or logs are not affected.
The password that you specify during vm-support bundle creation is not persisted in vSphere components. You are responsible for keeping track of passwords for support bundles.