vSAN can encrypt data at rest in your vSAN datastore.
When you enable data-at-rest encryption, vSAN encrypts data after all other processing, such as deduplication, is performed. Data-at-rest encryption protects data on storage devices in case a device is removed from the cluster.
Using encryption on your vSAN datastore requires some preparation. After your environment is set up, you can enable data-at-rest encryption on your vSAN cluster.
Data-at-rest encryption requires an external Key Management Server (KMS) or a vSphere Native Key Provider. For more information about vSphere encryption, see vSphere Security.
You can use an external Key Management Server (KMS), the vCenter Server system, and your ESXi hosts to encrypt data in your vSAN cluster. vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts.
vCenter Server does not store the KMS keys, but keeps a list of key IDs.
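The following Python model is an added illustration, not VMware's code, of the two points made above: the KMS generates and holds the keys while vCenter Server keeps only key IDs and the ESXi hosts fetch key material by ID, and encryption is applied after deduplication. The cipher is a constructed hash-based keystream standing in for the real one, the chunk size and the `KMS`, `VCenter` and `ESXiHost` classes are simulation conveniences, and `encrypt_then_dedup` exists only to show why the ordering matters (per-chunk nonces make identical chunks encrypt differently, so deduplication would find nothing).

```python
import hashlib
import secrets

CHUNK = 4096  # constructed chunk size for the simulation, not vSAN's real layout


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hash-based keystream XOR standing in for the real cipher (demo only).
    Applying it twice with the same key and nonce recovers the plaintext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KMS:
    """External key server: generates and stores key material, returns it by ID."""
    def __init__(self):
        self._keys = {}

    def generate_key(self) -> str:
        key_id = "kid-" + secrets.token_hex(8)  # constructed key ID format
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]


class VCenter:
    """Orchestrator: asks the KMS for a key and distributes only its ID to hosts."""
    def __init__(self, kms: KMS):
        self.kms = kms
        self.key_ids = []  # key IDs only; no key bytes are ever kept here

    def enable_encryption(self, hosts) -> str:
        key_id = self.kms.generate_key()
        self.key_ids.append(key_id)
        for host in hosts:
            host.receive_key_id(key_id)
        return key_id


class ESXiHost:
    """Host: resolves the key ID against the KMS, then dedups and encrypts writes."""
    def __init__(self, kms: KMS):
        self.kms = kms
        self.key = None
        self.store = {}  # plaintext-chunk fingerprint -> (nonce, ciphertext)

    def receive_key_id(self, key_id: str):
        self.key = self.kms.get_key(key_id)

    def write(self, data: bytes) -> int:
        """Dedup first, then encrypt. Returns the number of chunks newly stored."""
        new = 0
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            fp = hashlib.sha256(chunk).hexdigest()
            if fp not in self.store:  # duplicate chunks are shared, not re-encrypted
                nonce = secrets.token_bytes(16)
                self.store[fp] = (nonce, toy_cipher(self.key, nonce, chunk))
                new += 1
        return new

    def read(self, fp: str) -> bytes:
        nonce, ciphertext = self.store[fp]
        return toy_cipher(self.key, nonce, ciphertext)


def encrypt_then_dedup(key: bytes, data: bytes) -> int:
    """Reversed order, for comparison: random nonces make identical chunks
    produce distinct ciphertexts, so every chunk looks unique to dedup."""
    seen = set()
    for off in range(0, len(data), CHUNK):
        ct = toy_cipher(key, secrets.token_bytes(16), data[off:off + CHUNK])
        seen.add(hashlib.sha256(ct).hexdigest())
    return len(seen)


def demo() -> dict:
    kms = KMS()
    vc = VCenter(kms)
    hosts = [ESXiHost(kms), ESXiHost(kms)]
    vc.enable_encryption(hosts)
    data = b"A" * CHUNK * 4 + b"B" * CHUNK * 2  # constructed: 6 chunks, 2 unique
    stored = hosts[0].write(data)
    fp_a = hashlib.sha256(b"A" * CHUNK).hexdigest()
    return {
        "dedup_then_encrypt": stored,                         # 2 chunks on disk
        "encrypt_then_dedup": encrypt_then_dedup(hosts[0].key, data),  # 6 chunks
        "vcenter_state": vars(vc),                            # IDs, no key bytes
        "roundtrip_ok": hosts[0].read(fp_a) == b"A" * CHUNK,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the deduplicated-then-encrypted write storing 2 chunks for 6 written, the reversed order storing all 6, and the vCenter object holding a key ID list but no key material; a host that loses contact with the KMS cannot resolve its key ID, which is the property that protects a device removed from the cluster.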