You can enable encryption when you configure a new vSAN cluster.
You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
- Navigate to an existing cluster in the vSphere Web Client.
- Click the Configure tab.
- Under vSAN, select General and click the Configure vSAN button.
- On the vSAN capabilities page, select the Encryption check box, and select a KMS cluster.
  Make sure the Erase disks before use check box is deselected, unless you want to wipe existing data from the storage devices as they are encrypted.
- On the Claim disks page, specify which disks to claim for the vSAN cluster.
  - Select a flash device to be used for capacity and click the Claim for capacity tier icon.
  - Select a flash device to be used as cache and click the Claim for cache tier icon.
- Complete your cluster configuration.
Encryption of data at rest is enabled on the vSAN cluster. vSAN encrypts all data added to the vSAN datastore.