When you enable data-at-rest encryption, vSAN encrypts everything in the vSAN datastore.
- vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself.
The ESXi host encrypts disk data using the industry standard AES-256 XTS mode. Each disk has a different randomly generated Data Encryption Key (DEK).
- Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.
- A host key is used to encrypt core dumps, not data. All hosts in the same cluster use the same host key. When collecting support bundles, a random key is generated to re-encrypt the core dumps. You can specify a password to encrypt the random key.
When a host reboots, it does not mount its disk groups until it receives the KEK. This process can take several minutes or longer to complete. You can monitor the status of the disk groups in the vSAN health service, under Physical disks > Software state health.
Encryption Key Persistence
In vSAN 7.0 Update 3 and later, data-at-rest encryption can continue to function even when the key server is temporarily offline or unavailable. With key persistence enabled, the ESXi hosts can persist the encryption keys even after a reboot.
Each ESXi host obtains the encryption keys initially and retains them in its key cache. If the ESXi host has a Trusted Platform Module (TPM), the encryption keys are persisted in the TPM across reboots. The host does not need to request encryption keys. Encryption operations can continue when the key server is unavailable, because the keys have persisted in the TPM.
Use the following commands to enable key persistence on a cluster host.
esxcli system settings encryption set --mode=TPM
esxcli system security keypersistence enable
For more information about encryption key persistence, see "Key Persistence Overview" in vSphere Security.
Using vSphere Native Key Provider
vSAN 7.0 Update 2 supports vSphere Native Key Provider. If your environment is set up for vSphere Native Key Provider, you can use it to encrypt virtual machines in your vSAN cluster. For more information, see "Configuring and Managing vSphere Native Key Provider" in vSphere Security.
vSphere Native Key Provider does not require an external Key Management Server (KMS). vCenter Server generates the Key Encryption Key and pushes it to the ESXi hosts. The ESXi hosts then generate Data Encryption Keys.
vSphere Native Key Provider can coexist with an existing key server infrastructure.