VMware Cloud Community
DNA99
Contributor

vSAN Encryption to an Existing Datastore, does it impact?

If we enable Encryption on an existing vSAN datastore with a reasonable amount of data, will that be a disruptive change to a VM? Does it impact the workloads in any way?

Let me know, Thanks!

1 Reply
TheBobkin
Champion

Hello DNA99

Welcome to Communities.

This is a Storage-intensive operation and thus may need to be throttled via resync options to not cause IO contention to VMs in a Production cluster.

Enabling vSAN Encryption has to do a rolling reformat of all Disk-Groups - this automated process entails:

1. Migrates all data off the Disk-Groups.

2. Deletes the Disk-Groups.

3. (Optional, whether selected) Writes random data to all blocks of the devices (see Understanding vSAN Encryption - "Erase disks before use").

4. Recreates the Disk-Groups with Encryption mechanisms enabled.

Preferably before doing this, you would be running on an ESXi 6.7 U3 or later build that automates a lot of the IO-fairness scheduling as opposed to having to throttle the resync (and also has vast improvements to resync performance via better queue-utilisation).

Bob
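
An added example, not part of the original reply or any VMware code: a simplified Python model of the rolling reformat steps listed above, showing how much data the process moves and where it stalls if the remaining Disk-Groups lack free space. The `DiskGroup` class, the sizes and the placement rule are assumptions for illustration; real vSAN placement also follows storage policy and fault domains.

```python
from dataclasses import dataclass

@dataclass
class DiskGroup:          # hypothetical model, not a vSAN API object
    name: str
    capacity_gb: int
    used_gb: int
    encrypted: bool = False

def rolling_reformat(groups):
    """Simulate the rolling reformat, one disk group at a time.

    Returns (total_gb_moved, blocked): blocked is the name of the first disk
    group whose data could not be evacuated, or None if all were converted.
    """
    moved = 0
    for dg in groups:
        # Step 1: migrate all data off this disk group.
        # Assumption: data may land on any other group with free space.
        others = [g for g in groups if g is not dg]
        free = sum(g.capacity_gb - g.used_gb for g in others)
        if dg.used_gb > free:
            return moved, dg.name          # evacuation cannot complete
        remaining = dg.used_gb
        # Fill the emptiest targets first.
        for tgt in sorted(others, key=lambda g: g.used_gb / g.capacity_gb):
            take = min(remaining, tgt.capacity_gb - tgt.used_gb)
            tgt.used_gb += take
            remaining -= take
            if remaining == 0:
                break
        moved += dg.used_gb
        # Steps 2-4: delete, optionally wipe, recreate empty with encryption.
        dg.used_gb = 0
        dg.encrypted = True
    return moved, None

def sample_cluster(used_gb):
    # Constructed sample: four 1000 GB disk groups, equally filled.
    return [DiskGroup(f"dg-{c}", 1000, used_gb) for c in "abcd"]

if __name__ == "__main__":
    for used in (600, 800):
        cluster = sample_cluster(used)
        moved, blocked = rolling_reformat(cluster)
        print(f"used={used} GB/group moved={moved} GB blocked={blocked}")
```

In the 600 GB case the model moves more data than the cluster holds, because data evacuated onto a not-yet-converted Disk-Group is moved again when that group takes its turn.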