You can enable encryption when you configure a new vSAN cluster.


  • Required privileges:

    • Host > Inventory > EditCluster

    • Cryptographer > ManageEncryptionPolicy

    • Cryptographer > ManageKMS

    • Cryptographer > ManageKeys

  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to an existing cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General and click the Configure vSAN button.
  4. On the vSAN capabilities page, select the Encryption check box, and select a KMS cluster.

    Use the Erase disks before use check box to wipe residual data from devices before you enable vSAN encryption. This setting is recommended when encrypting a cluster that contains VM data, to ensure unencrypted data no longer resides on the devices after enabling vSAN encryption. This setting is not necessary for new installations that do not have any VM data on the storage devices.

  5. On the Claim disks page, specify which disks to claim for the vSAN cluster.
    1. Select a flash device to be used for capacity and click the Claim for capacity tier icon.
    2. Select a flash device to be used as cache and click the Claim for cache tier icon.
  6. Complete your cluster configuration.


Encryption of data at rest is enabled on the vSAN cluster. vSAN encrypts all data added to the vSAN datastore.
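The same change can be scripted with PowerCLI, which is useful when several clusters must be configured consistently or when the result has to be verified afterwards. The script below is an added example, not code from the VMware documentation; it assumes an existing Connect-VIServer session holding the privileges listed above, the vSAN cmdlets from the VMware.VimAutomation.Storage module (Get-KmsCluster, Get-VsanClusterConfiguration, Set-VsanClusterConfiguration), and placeholder names for the cluster and the KMS cluster.

```powershell
# Added example: enable vSAN data-at-rest encryption on an existing cluster.
# Assumes a connected PowerCLI session and that the KMS cluster has already
# been registered and trusted in vCenter (see the prerequisites above).

$clusterName = 'vsan-cluster-01'   # placeholder: name of the vSAN cluster
$kmsName     = 'kms-cluster-01'    # placeholder: name of the registered KMS cluster

# Prerequisite check: the KMS cluster must already exist in vCenter.
$kms = Get-KmsCluster | Where-Object { $_.Name -eq $kmsName }
if (-not $kms) {
    throw "KMS cluster '$kmsName' is not registered with vCenter Server"
}

$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop
$before  = Get-VsanClusterConfiguration -Cluster $cluster

if ($before.EncryptionEnabled) {
    Write-Host "Encryption already enabled on $clusterName (KMS: $($before.KmsCluster))"
    return
}

# Equivalent of selecting the Encryption check box and choosing a KMS cluster.
# EraseDisksBeforeUse corresponds to the "Erase disks before use" check box;
# keep it $true when the cluster already holds VM data so no plaintext remains
# on the devices once encryption is on.
$before | Set-VsanClusterConfiguration `
    -EncryptionEnabled $true `
    -KmsCluster $kms `
    -EraseDisksBeforeUse $true `
    -Confirm:$false | Out-Null

# Verify the resulting state rather than trusting the call succeeded.
$after = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $after.EncryptionEnabled) {
    throw "vSAN encryption was not enabled on $clusterName"
}
Write-Host "vSAN encryption enabled on $clusterName using KMS cluster $($after.KmsCluster)"
```

The script reads the current configuration first so it is idempotent on clusters that are already encrypted, and it re-reads the configuration after the change so that a failed or partially applied operation surfaces as an error instead of being silently assumed.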