You can enable encryption by editing the configuration parameters of an existing vSAN cluster.

Before you begin

  • Required privileges:

    • Host > Inventory > EditCluster

    • Cryptographer > ManageEncryptionPolicy

    • Cryptographer > ManageKMS

    • Cryptographer > ManageKeys

  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.

  • The cluster's disk-claiming mode must be set to manual.

Procedure

  1. Navigate to the vSAN host cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General.
  4. In the vSAN is turned ON pane, click the Edit button.
  5. On the Edit vSAN settings dialog, check the Encryption check box, and select a KMS cluster.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select the Erase disks before use check box.

    This setting directs vSAN to wipe existing data from the storage devices as they are encrypted.

  7. Click OK.

Results

A rolling reformat of all disk groups takes place as vSAN encrypts all data in the vSAN datastore.