You can enable encryption by editing the configuration parameters of an existing vSAN cluster.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
  • The cluster's disk-claiming mode must be set to manual.


  1. Navigate to the vSAN host cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click the Encryption Edit button.
  5. On the vSAN Services dialog, enable Encryption, and select a KMS cluster.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select Erase Disks Before Use.
    This setting directs vSAN to wipe existing data from the storage devices as they are encrypted. This option can increase the time to process each disk, so do not choose it unless you have unwanted data on the disks.
  7. Click Apply.


A rolling reformat of all disk groups takes places as vSAN encrypts all data in the vSAN datastore.