You can enable data-at-rest encryption when you configure a new vSAN cluster.


Note: Data-at-rest encryption can only be enabled at cluster creation on a vSAN Express Storage Architecture cluster.

  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have configured a standard key provider and established a trusted connection between vCenter Server and the KMS.


  1. Navigate to an existing cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services and click the Encryption Edit button.
  4. On the vSAN Services dialog, enable Encryption, and select a KMS cluster or key provider.
    Note: Use the Wipe residual data check box to erase residual data from devices before you enable vSAN encryption. Leave this check box deselected unless you want to wipe existing data from the storage devices when encrypting a cluster that contains VM data. Wiping ensures that unencrypted data no longer resides on the devices after vSAN encryption is enabled. This setting is not necessary for new installations that do not have any VM data on the storage devices.
  5. Complete your cluster configuration.


Encryption of data at rest is enabled on the vSAN cluster. vSAN encrypts all data added to the vSAN datastore.