Use a standard key provider to distribute the keys that encrypt the vSAN datastore.
Before you can encrypt the vSAN datastore, you must set up a standard key provider to support encryption. That task includes adding the KMS to vCenter Server and establishing trust with the KMS. vCenter Server provisions encryption keys from the key provider.
The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard. See the vSphere Compatibility Matrices for details.