Starting with vSphere 7.0, you can use the vSphere encryption technology to protect FCD virtual disks that back persistent volumes.

Using encryption in your vSphere environment requires some preparation, and includes setting up a trusted connection between vCenter Server and a key provider. vCenter Server can then retrieve keys from the key provider as needed. For information about components that participate in the vSphere encryption process, see vSphere Virtual Machine Encryption Components in the vSphere Security documentation.


  1. Set up the key provider in your vSphere environment.
  2. Encrypt all node VMs on the Kubernetes cluster.
    Use the vSphere Client to perform this step.
    1. Navigate to a node VM.
    2. From the right-click menu, select VM Policies > Edit VM Storage Policies.
    3. From the VM storage policy drop-down menu, select VM Encryption Policy and click OK.
      To expedite the encryption process of the node VMs, you can encrypt only the VM home.
  3. Create encrypted persistent volumes in the Kubernetes cluster with the vSphere CSI setup.
    1. Create a StorageClass that references the VM Encryption Storage Policy.
      Use the following YAML file as an example.
      kind: StorageClass
        name: encryption
        storagePolicyName: "VM Encryption Policy"
        datastore: vsanDatastore
    2. Use the PersistentVolumeClaim to provision the persistent volume.
      The PersistentVolumeClaim must include the name of the encryption storage class in the storageClassName field.