Consider these guidelines when working with data-at-rest encryption.

  • Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt.
  • Encryption is CPU intensive. AES-NI significantly improves encryption performance. Enable AES-NI in your BIOS.
  • The witness host in a stretched cluster does not participate in vSAN encryption. The witness host does not store customer data, only metadata, such as the size and UUID of vSAN objects and components.
    Note: If the witness host is an appliance running on another cluster, you can encrypt the metadata stored on it. Enable data-at-rest encryption on the cluster that contains the witness host.
  • Establish a policy regarding core dumps. Core dumps are encrypted because they can contain sensitive information. If you decrypt a core dump, carefully handle its sensitive information. ESXi core dumps might contain keys for the ESXi host and for the data on it.
    • Always use a password when you collect a vm-support bundle. You can specify the password when you generate the support bundle from the vSphere Client or by using the vm-support command.

      The password re-encrypts core dumps that were encrypted with internal keys so that they use keys derived from the password. You can later use the password to decrypt any encrypted core dumps that might be included in the support bundle. Unencrypted core dumps and logs are not affected.

    • The password that you specify during vm-support bundle creation is not persisted in vSphere components. You are responsible for keeping track of passwords for support bundles.