I started the progress of encrypting my vSAN.
It would seem the process may have failed.
The GUI would indicate that the vSAN is now encrypted but I have a hard time accepting that.
Is there a way to confirm that the vSAN is indeed encrypted via a script or otherwise?
Welcome to vSAN Community.
When you say 'failed' do you mean you have a failed task info with some information as to the cause or the task timed out?
The state of vSAN encryption on the Disk-Groups (as it is configured by Disk-Group on enable/disable) can be checked on each node via:
# esxcli vsan storage list
The 2 relevant fields which indicate the encryption state of the disks are:
If it got part of the way through encrypting the disks in the cluster then you will have a mix of true and false for the above.
If for whatever reason the encryption task failed/timed out then it should be resumable and will just move onto the next unencrypted Disk-Group - this being said, you should probably be looking into why it failed e.g. maybe connection to KMS is unstable and/or there is some other issue that you should get resolved sooner rather than later.
what is your indicator for saying it has failed?
After I flipped the switch to enable encryption it started happily to process the request.
A couple of hours in we had a network outage that caused some communications issues between the hosts and the vCenter and possibly between the hosts.
Once the issues had been resolved I went to check on the running task and and it displayed as failed..
Digging deeper into i i was going to run it again but the encryption switch was still in the ON position and the GUI displayed that the vSAN was encrypted.
I have now lost the error and looking at the vSAN health it looks fine and everything is normal. I still have the nagging feeling that it may not be encrypted as it had the issues.
Perhaps it resolved itself and encrypted everything just fine, but how could I be sure of that besides the GUI?
You can check this exactly with the commands I said above...
I have had the same concerns as you in verifying the encryption process.
What you can do is check the tasks on the ESXi host.
First, identify all the tasks:
In the list, at the top, you should see vim.Task:haTask--vim.host.VsanSystem.removeDiskMapping-########## or vim.Task:haTask-vim.host.Vsan.System.addDisks-######### depending on the encryption process step.
Based on my basic understanding of the disk encryption process, the system will remove the disk group (removeDiskMapping), grab the DEK from the KMS, and then add the encrypted disk group (addDisks). So, you should be able to follow the process based on that.
To find out the state of the encryption process, you can run the following:
vim-cmd vimsvc/task_info haTask--vim.host.VsanSystem.addDisks-##########
If adding the encrypted disk group is still in progress, you will have a state of "running" and also a completeTime of <unset>. If the task has completed, you will a state of "success" and an actual date and time of when task was completed.
What I like to do after this is verify that the disks are indeed encrypted.
vdq -iH | grep naa | wc -l
esxcli vsan storage list | grep "Encrypted: true" | wc -l
The vdq command will list the total number of drives configured for the datastore and the esxcli command will list the total number of drives that have an encrypted status. These numbers should be the same.