When you enable data-at-rest encryption, vSAN encrypts everything in the vSAN datastore. All files are encrypted, so all virtual machines and their corresponding data are protected. Only administrators with encryption privileges can perform encryption and decryption tasks.

vSAN uses encryption keys as follows:
  • vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself.
  • The ESXi host encrypts disk data using the industry-standard AES-256 XTS mode. Each disk has a different randomly generated Data Encryption Key (DEK).
  • Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.
  • A host key is used to encrypt core dumps, not data. All hosts in the same cluster use the same host key. When collecting support bundles, a random key is generated to re-encrypt the core dumps. You can specify a password to encrypt the random key.

When a host reboots, it does not mount its disk groups until it receives the KEK. This process can take several minutes or longer to complete. You can monitor the status of the disk groups in the vSAN health service, under Physical disks > Software state health.
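
The key hierarchy and reboot path described above, sketched as an added example (not VMware code): a per-disk DEK is persisted only in wrapped form next to the KEK's ID, and it can be unwrapped only while the KMS still returns that KEK. Assumptions: the KMS is a constructed in-memory map, the names KMS, Disk, NewDisk, Unlock and the ID "kek-1" are hypothetical, and AES-256-GCM stands in for the DEK wrapping algorithm, which this page does not name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KMS map[string][]byte // constructed stand-in for the key server: KEK ID -> KEK

type Disk struct { // what persists for one disk: the KEK's ID and the wrapped DEK
	KEKID   string
	Wrapped []byte // nonce || AES-256-GCM(KEK, DEK); the GCM wrap is an assumption
}

func aead(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is not a valid AES key length
	}
	a, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return a
}

// NewDisk generates a random per-disk DEK and keeps only its wrapped form.
func NewDisk(kekID string, kek []byte) (*Disk, []byte) {
	dek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(dek)
	rand.Read(nonce)
	return &Disk{kekID, aead(kek).Seal(nonce, nonce, dek, []byte(kekID))}, dek
}

// Unlock is the reboot path: fetch the KEK by ID from the KMS, then unwrap the DEK.
func (d *Disk) Unlock(kms KMS) ([]byte, error) {
	kek, ok := kms[d.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q unavailable: disk group stays unmounted", d.KEKID)
	}
	return aead(kek).Open(nil, d.Wrapped[:12], d.Wrapped[12:], []byte(d.KEKID))
}

func main() {
	kms := KMS{"kek-1": make([]byte, 32)} // "kek-1" is a constructed KEK ID
	rand.Read(kms["kek-1"])
	disk, dek := NewDisk("kek-1", kms["kek-1"])
	got, err := disk.Unlock(kms) // after a reboot only disk and the KMS remain
	fmt.Println("DEK recovered:", string(got) == string(dek), "error:", err)
}
```

Calling Unlock with an empty KMS, or with a different key stored under the same ID, returns an error instead of a DEK, which is the condition that keeps disk groups unmounted after a reboot.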

Using vSphere Native Key Provider

vSAN 7.0 Update 2 supports vSphere Native Key Provider. If your environment is set up for vSphere Native Key Provider, you can use it to encrypt virtual machines in your vSAN cluster. For more information, see "Configuring and Managing vSphere Native Key Provider" in vSphere Security.

vSphere Native Key Provider does not require an external Key Management Server (KMS). vCenter Server generates the Key Encryption Key and pushes it to the ESXi hosts. The ESXi hosts then generate Data Encryption Keys.

vSphere Native Key Provider can coexist with an existing key server infrastructure.