You can enable encryption by editing the configuration parameters of an existing Virtual SAN cluster.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
  • The cluster's disk-claiming mode must be set to manual.


  1. Navigate to the Virtual SAN host cluster in the vSphere Web Client.
  2. Click the Configure tab.
  3. Under vSAN, select General.
  4. In the vSAN is turned ON pane, click the Edit button.
  5. On the Edit vSAN settings dialog, check the Encryption check box, and select a KMS cluster.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select the Erase disks before use check box.
    This setting directs Virtual SAN to wipe existing data from the storage devices as they are encrypted.
  7. Click OK.


A rolling reformat of all disk groups takes place as Virtual SAN encrypts all data in the Virtual SAN datastore.
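
The same change can be scripted with VMware PowerCLI. The following is an added example, not part of the original procedure or VMware's own code: it checks the disk-claiming and KMS prerequisites, enables encryption, and reads the setting back. It assumes an existing `Connect-VIServer` session, and the cluster and KMS cluster names are placeholders.

```powershell
# Added example. Assumes Connect-VIServer has already been run against vCenter Server.
$clusterName    = 'vsan-cluster-01'   # placeholder: name of the Virtual SAN host cluster
$kmsClusterName = 'kms-cluster-01'    # placeholder: KMS cluster registered in vCenter Server
$eraseDisks     = $true               # step 6: wipe existing data as devices are encrypted

$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop
$config  = Get-VsanClusterConfiguration -Cluster $cluster

# Prerequisite: the cluster's disk-claiming mode must be manual.
if ($config.VsanDiskClaimMode -ne 'Manual') {
    throw "Disk-claiming mode on '$clusterName' is $($config.VsanDiskClaimMode); set it to Manual first."
}

# Prerequisite: the KMS cluster must already be set up. This lookup only confirms
# that it is registered; it does not prove the trust relationship is healthy.
$kms = Get-KmsCluster -Name $kmsClusterName -ErrorAction Stop

if ($config.EncryptionEnabled) {
    Write-Host "Encryption is already enabled on '$clusterName' (KMS: $($config.KmsCluster))."
    return
}

# Steps 5 to 7: enable encryption, select the KMS cluster, optionally erase disks.
# This starts the rolling reformat of all disk groups.
Set-VsanClusterConfiguration -Configuration $config `
    -EncryptionEnabled $true `
    -KmsCluster $kms `
    -EraseDisksBeforeUse $eraseDisks `
    -Confirm:$false

# Read the configuration back so the change is recorded, not assumed.
$after = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $after.EncryptionEnabled) {
    throw "Encryption is still reported as disabled on '$clusterName'."
}
$after | Select-Object Cluster, EncryptionEnabled, KmsCluster, VsanDiskClaimMode
```

Run it under an account that holds the privileges listed above; without them the `Set-VsanClusterConfiguration` call is rejected by vCenter Server.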