You can enable encryption when you configure a new Virtual SAN cluster.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to an existing cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General and click the Configure vSAN button.
  4. On the vSAN capabilites page, select the Encryption check box, and select a KMS cluster.
    Note: Make sure the Erase disks before use check box is deselected, unless you want to wipe existing data from the storage devices as they are encrypted.
  5. On the Claim disks page, specify which disks to claim for the Virtual SAN cluster.
    1. Select a flash device to be used for capacity and click the Claim for capacity tier icon ().
    2. Select a flash device to be used as cache and click the Claim for cache tier icon ().
  6. Complete your cluster configuration.


Encryption of data at rest is enabled on the Virtual SAN cluster. Virtual SAN encrypts all data added to the Virtual SAN datastore.