vSAN can perform data at rest encryption. Data is encrypted after all other processing, such as deduplication, is performed. Data at rest encryption protects data on storage devices, in case a device is removed from the cluster.

Using encryption on your vSAN cluster requires some preparation. After your environment is set up, you can enable encryption on your vSAN cluster.

vSAN encryption requires an external Key Management Server (KMS), the vCenter Server system, and your ESXi hosts. vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts.

vCenter Server does not store the KMS keys, but keeps a list of key IDs.

Design

Consider these guidelines when working with vSAN encryption.

  • Do not deploy your KMS server on the same vSAN datastore that you plan to encrypt.
  • Encryption is CPU intensive. AES-NI significantly improves encryption performance. Enable AES-NI in your BIOS.
  • The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.
  • Establish a policy regarding core dumps. Core dumps are encrypted because they can contain sensitive information such as keys. If you decrypt a core dump, carefully handle its sensitive information. ESXi core dumps might contain keys for the ESXi host and for the data on it.
    • Always use a password when you collect a vm-support bundle. You can specify the password when you generate the support bundle from the vSphere Client or using the vm-support command.
      The password recrypts core dumps that use internal keys to use keys that are based on the password. You can later use the password to decrypt any encrypted core dumps that might be included in the support bundle. Unencrypted core dumps or logs are not affected.
    • The password that you specify during vm-support bundle creation is not persisted in vSphere components. You are responsible for keeping track of passwords for support bundles.

Enable Encryption on a New vSAN Cluster

Prerequisites

  • Required privileges:
    • Host > Inventory > EditCluster
    • Cryptographer > ManageEncryptionPolicy
    • Cryptographer > ManageKMS
    • Cryptographer > ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.

Procedure

  1. Navigate to an existing cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services and click the Encryption Edit button.
  4. On the vSAN Services dialog, enable Encryption, and select a KMS cluster.
     Note: Make sure the Erase disks before use check box is deselected, unless you want to wipe existing data from the storage devices as they are encrypted.
  5. Complete your cluster configuration.

Results

Encryption of data at rest is enabled on the vSAN cluster. vSAN encrypts all data added to the vSAN datastore.

Enable vSAN Encryption on Existing vSAN Cluster

You can enable encryption by editing the configuration parameters of an existing vSAN cluster.

Prerequisites

  • Required privileges:
    • Host > Inventory > EditCluster
    • Cryptographer > ManageEncryptionPolicy
    • Cryptographer > ManageKMS
    • Cryptographer > ManageKeys
  • You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.
  • The cluster’s disk-claiming mode must be set to manual.

Procedure

  1. Navigate to the vSAN host cluster.
  2. Click the Configure tab.
  3. Under vSAN, select Services.
  4. Click the Encryption Edit button.
  5. On the vSAN Services dialog, enable Encryption, and select a KMS cluster.
  6. (Optional) If the storage devices in your cluster contain sensitive data, select Erase Disks Before Use. This setting directs vSAN to wipe existing data from the storage devices as they are encrypted. This option can increase the time to process each disk, so do not choose it unless you have unwanted data on the disks.
  7. Click Apply.

Results

A rolling reformat of all disk groups takes place as vSAN encrypts all data in the vSAN datastore.
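Both procedures above (new and existing cluster) can also be driven from PowerCLI, which is useful when you need to check the prerequisites and record the before/after state rather than click through the vSAN Services dialog. The following script is an added example, not code from the VMware documentation. It assumes PowerCLI with the VMware.VimAutomation.Storage module, a KMS cluster that has already been registered in vCenter Server with a trusted connection, and placeholder names for the vCenter Server, cluster and KMS cluster; the cmdlet, parameter and property names (Get-VsanClusterConfiguration, Set-VsanClusterConfiguration, Get-KmsCluster, EncryptionEnabled, KmsCluster, EraseDisksBeforeUse, VsanDiskClaimMode) are those of PowerCLI as known to the author of this example, so confirm them with Get-Help on your installed version.

```powershell
# Added example (not from the VMware documentation): enable vSAN data-at-rest
# encryption with PowerCLI, mirroring the "Enable vSAN Encryption" procedures.
# Assumptions: PowerCLI (VMware.VimAutomation.Storage) is installed, the KMS
# cluster has already been registered in vCenter Server with a trusted
# connection, and all server/cluster/KMS names below are placeholders.
param(
    [string]$VCenter     = 'vcenter.example.com',   # placeholder
    [string]$ClusterName = 'vsan-cluster-01',       # placeholder
    [string]$KmsName     = 'kms-prod',              # placeholder
    [switch]$EraseDisks                             # only if disks hold unwanted data
)

Connect-VIServer -Server $VCenter | Out-Null

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
$config  = Get-VsanClusterConfiguration -Cluster $cluster

# Prerequisite from the page: a KMS cluster must exist in vCenter Server.
# Get-KmsCluster fails here if no KMS cluster with that name is registered.
$kms = Get-KmsCluster -Name $KmsName -ErrorAction Stop

# Prerequisite from the page (existing cluster): disk-claiming mode must be manual.
if ($config.VsanDiskClaimMode -ne 'Manual') {
    throw "Cluster '$ClusterName' claims disks automatically; set disk claiming to manual first."
}

if ($config.EncryptionEnabled) {
    Write-Host "Encryption is already enabled on '$ClusterName' (KMS: $($config.KmsCluster))."
    Disconnect-VIServer -Server $VCenter -Confirm:$false
    return
}

# Enabling encryption on a populated cluster triggers a rolling reformat of every
# disk group, so record the current state before changing anything.
Write-Host ("Before: VsanEnabled={0} EncryptionEnabled={1} DiskClaimMode={2}" -f
    $config.VsanEnabled, $config.EncryptionEnabled, $config.VsanDiskClaimMode)

# Equivalent of the vSAN Services dialog: enable Encryption and pick the KMS cluster.
# EraseDisksBeforeUse stays $false unless -EraseDisks is passed, because wiping
# lengthens the per-disk reformat and is only needed when the devices hold
# sensitive data that must not survive in plaintext.
Set-VsanClusterConfiguration -Cluster $cluster `
    -EncryptionEnabled $true `
    -KmsCluster $kms `
    -EraseDisksBeforeUse ([bool]$EraseDisks) | Out-Null

# Re-read the configuration so the log shows what vCenter Server actually applied.
$after = Get-VsanClusterConfiguration -Cluster $cluster
Write-Host ("After:  EncryptionEnabled={0} KmsCluster={1}" -f $after.EncryptionEnabled, $after.KmsCluster)

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once per cluster; the disk-claim check exists because the Set cmdlet will otherwise fail part-way on an existing cluster, and the early return on an already-encrypted cluster avoids re-submitting a configuration change that would be a no-op at best.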