You can use data at rest encryption to protect data in your Virtual SAN cluster.
Virtual SAN can perform data at rest encryption. Data is encrypted after all other processing, such as deduplication, is performed. Data at rest encryption protects data on storage devices, in case a device removed from the cluster.
Using encryption on your Virtual SAN cluster requires some preparation. After your environment is set up, you can enable encryption on your Virtual SAN cluster.
Virtual SAN encryption requires an external Key Management Server (KMS), the vCenter Server system, and your ESXi hosts. vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts.
vCenter Server does not store the KMS keys, but keeps a list of key IDs.