You can enable encryption when you configure a new vSAN cluster.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to an existing cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services and click the Encryption Edit button.
  4. On the vSAN Services dialog, enable Encryption, and select a KMS cluster.
    Note: Make sure the Erase disks before use check box is deselected, unless you want to wipe existing data from the storage devices as they are encrypted.
  5. Complete your cluster configuration.


Encryption of data at rest is enabled on the vSAN cluster. vSAN encrypts all data added to the vSAN datastore.
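
The same change scripted with VMware PowerCLI, followed by a check that encryption is actually on. This is an added example, not part of the original page. The server, cluster and KMS cluster names are placeholders, and the parameter names (`-EncryptionEnabled`, `-KmsCluster`, `-EraseDisksBeforeUse`) are assumed from the PowerCLI storage module; newer PowerCLI releases may take the KMS selection as `-KeyProvider` instead.

```powershell
# Added example. The three names below are placeholders (assumptions).
$vcServer    = 'vcenter.example.com'
$clusterName = 'vsan-cluster-01'
$kmsName     = 'kms-cluster-01'

$ErrorActionPreference = 'Stop'
Connect-VIServer -Server $vcServer | Out-Null

try {
    $cluster = Get-Cluster -Name $clusterName

    # Prerequisite from the page: a KMS cluster must already be registered
    # and trusted by vCenter Server. Stop early if it is not visible.
    $kms = Get-KmsCluster -Name $kmsName
    if (-not $kms) {
        throw "KMS cluster '$kmsName' is not registered in vCenter Server."
    }

    $before = Get-VsanClusterConfiguration -Cluster $cluster
    if ($before.EncryptionEnabled) {
        Write-Host "Encryption is already enabled on $clusterName."
        return
    }

    # Steps 3-4 of the procedure. EraseDisksBeforeUse stays $false so that
    # existing data on the storage devices is not wiped during encryption.
    Set-VsanClusterConfiguration -Configuration $before `
        -EncryptionEnabled $true `
        -KmsCluster $kms `
        -EraseDisksBeforeUse $false | Out-Null

    # Verify the result instead of trusting the task status alone.
    $after = Get-VsanClusterConfiguration -Cluster $cluster
    if (-not $after.EncryptionEnabled) {
        throw "Encryption is still disabled on $clusterName after the change."
    }
    $after | Select-Object Cluster, EncryptionEnabled, KmsCluster
}
finally {
    Disconnect-VIServer -Server $vcServer -Confirm:$false
}
```

The account running the script needs the privileges listed in the prerequisites above.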