You can enable data-at-rest encryption on existing vSAN OSA and vSAN ESA clusters.

Prerequisites

  • Required privileges:
    • Host.Inventory.EditCluster
    • Cryptographer.ManageEncryptionPolicy
    • Cryptographer.ManageKMS
    • Cryptographer.ManageKeys
  • You must have configured a standard key provider and established a trusted connection between vCenter Server and the KMS.
  • The cluster's disk-claiming mode must be set to manual.

Procedure

  1. Navigate to the vSAN host cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click the Encryption Edit button.
  5. On the vSAN Services dialog, enable Encryption, and select a KMS cluster or key provider.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select Wipe residual data.
    This setting directs vSAN to erase existing data from the storage devices as they are encrypted. Wiping increases the time needed to process each disk, so select it only when the disks hold unwanted residual data.
  7. Click Apply.
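The same procedure scripted with PowerCLI, as an added example that is not part of the VMware documentation: it checks the two prerequisites above (a registered key provider and manual disk claiming) before enabling encryption, and exposes the wipe option as a switch. The vCenter, cluster and key-provider names are placeholders; the cmdlets and parameter names are used as the editor recalls them from the VMware.PowerCLI storage module.

```powershell
# Added example (not from the VMware documentation). Placeholder names are assumptions;
# replace them for your environment. Requires the VMware.PowerCLI module and a user
# holding the privileges listed in the prerequisites.
param(
    [string]$VCenter     = 'vcenter.example.test',   # placeholder
    [string]$ClusterName = 'vsan-cluster-01',        # placeholder
    [string]$KmsName     = 'kms-cluster-01',         # placeholder: standard key provider name
    [switch]$WipeResidual                            # maps to "Wipe residual data"
)

Connect-VIServer -Server $VCenter | Out-Null
$cluster = Get-Cluster -Name $ClusterName

# Prerequisite: a standard key provider (KMS cluster) must already be registered
# and trusted by vCenter Server; fail early if it is not.
$kms = Get-KmsCluster -Name $KmsName -ErrorAction Stop

# Prerequisite: disk claiming must be manual before encryption is enabled.
$cfg = Get-VsanClusterConfiguration -Cluster $cluster
if ($cfg.VsanDiskClaimMode -ne 'Manual') {
    throw "Cluster '$ClusterName' uses $($cfg.VsanDiskClaimMode) disk claiming; set it to Manual first."
}
if ($cfg.EncryptionEnabled) {
    Write-Host "Encryption is already enabled on '$ClusterName'; nothing to do."
    return
}

# Enable encryption. -EraseDisksBeforeUse corresponds to "Wipe residual data" and
# lengthens the rolling reformat, so pass it only when the disks hold unwanted data.
$cluster | Set-VsanClusterConfiguration -EncryptionEnabled $true `
                                        -KmsCluster $kms `
                                        -EraseDisksBeforeUse ([bool]$WipeResidual) | Out-Null

# Verify the setting took; the rolling disk reformat then proceeds in the background.
$after = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $after.EncryptionEnabled) {
    throw "Encryption was not enabled on '$ClusterName'."
}
Write-Host "Encryption enabled on '$ClusterName' with key provider '$KmsName'; rolling reformat in progress."
```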

Results

A rolling reformat of all disk groups takes place as vSAN encrypts all data in the vSAN datastore.

What to do next

You can deactivate encryption on the cluster at any time. Deactivation requires another disk reformat, because vSAN decrypts all data in the datastore.