You can generate new encryption keys for data at rest, in case a key expires or becomes compromised.

The following options are available when you generate new encryption keys for your vSAN cluster.
  • If you generate a new key encryption key (KEK), all hosts in the vSAN cluster receive the new KEK from the KMS. Each host's data encryption key (DEK) is re-encrypted with the new KEK.
  • If you choose to perform a deep rekey and re-encrypt all data using new keys, a new KEK and new DEKs are generated. A rolling disk reformat is required to re-encrypt data.


  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageKeys
  • You must have set up a key provider and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to the vSAN host cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click Generate New Encryption Keys.
  5. To generate a new KEK, click Apply. The DEKs are re-encrypted with the new KEK.
    • To generate a new KEK and new DEKs, and re-encrypt all data in the vSAN cluster, select the following check box: Also re-encrypt all data on the storage using new keys.
    • If your vSAN cluster has limited resources, select the Allow Reduced Redundancy check box. If you allow reduced redundancy, your data might be at risk during the disk reformat operation.
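
The difference between the two rekey options, as an added example that is not VMware code: a constructed Python model in which one KEK wraps a DEK per host. It shows that in this model a DEK exposed before a KEK-only rekey still decrypts the data on disk, while after the re-encrypt-all option it no longer does. The toy cipher and all names (`new_host`, `rekey`, `opens`, `demo`) are assumptions made for illustration.

```python
# Constructed KEK/DEK model, not vSAN code; a toy HMAC-SHA256 stream cipher stands in for AES.
import hashlib, hmac, os

def _keystream_xor(key, nonce, data):
    blocks = range((len(data) + 31) // 32)
    pad = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest() for i in blocks)
    return bytes(b ^ p for b, p in zip(data, pad))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _keystream_xor(key, nonce, plaintext)
    return body + hmac.new(key, b"tag" + body, hashlib.sha256).digest()  # integrity tag

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return _keystream_xor(key, body[:16], body[16:])

def new_host(kek, data):
    dek = os.urandom(32)  # each host has its own DEK, stored wrapped by the cluster KEK
    return {"wrapped_dek": seal(kek, dek), "disk": seal(dek, data)}

def rekey(hosts, old_kek, deep=False):
    new_kek = os.urandom(32)  # both options start with a new KEK
    for h in hosts:
        dek = unseal(old_kek, h["wrapped_dek"])
        if deep:  # deep rekey only: new DEK, data on disk re-encrypted
            data = unseal(dek, h["disk"])
            dek = os.urandom(32)
            h["disk"] = seal(dek, data)
        h["wrapped_dek"] = seal(new_kek, dek)  # shallow rekey stops here: same DEK, new wrapping
    return new_kek

def opens(key, blob):
    try:
        return unseal(key, blob) is not None
    except ValueError:
        return False

def demo():
    kek0 = os.urandom(32)
    hosts = [new_host(kek0, b"constructed sample data %d" % i) for i in range(3)]
    leaked_dek = unseal(kek0, hosts[0]["wrapped_dek"])  # assumption: this DEK was exposed
    kek1 = rekey(hosts, kek0)                           # new KEK only
    shallow = opens(leaked_dek, hosts[0]["disk"]), opens(kek0, hosts[0]["wrapped_dek"])
    kek2 = rekey(hosts, kek1, deep=True)                # new KEK and new DEKs
    deep = opens(leaked_dek, hosts[0]["disk"]), opens(kek1, hosts[0]["wrapped_dek"])
    return shallow, deep, unseal(unseal(kek2, hosts[0]["wrapped_dek"]), hosts[0]["disk"])
```

`demo()` returns, for each rekey type, whether the exposed DEK still opens the disk and whether the previous KEK still unwraps the stored DEK, followed by the data recovered with the current keys.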