You can enable data-at-rest encryption by editing the configuration parameters of an existing vSAN cluster.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have configured a standard key provider and established a trusted connection between vCenter Server and the KMS.
  • The cluster's disk-claiming mode must be set to manual.


  1. Navigate to the vSAN host cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click the Encryption Edit button.
  5. On the vSAN Services dialog, enable Encryption, and select a KMS cluster or key provider.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select Wipe residual data.
    This setting directs vSAN to erase existing data from the storage devices as they are encrypted. This option can increase the time to process each disk, so do not choose it unless you have unwanted data on the disks.
  7. Click Apply.


A rolling reformat of all disk groups takes places as vSAN encrypts all data in the vSAN datastore.