Could anyone explain to me what "Erase data before use" does in vSAN encryption?
I found the blog below; however, I still don't understand...
Understanding vSAN Encryption - "Erase disks before use"
What I understand right now is after you enable vSAN encryption:
1. Evacuate all data existing in disk to other disk
2. Encrypt disk
3. Return evacuated data back to disk
4. Do the above process to the next disk
So what is the difference if I choose "Erase data before use" or not?
Hello mithrandir1030,
Just so that you are aware, all the steps you mentioned are automated as part of the rolling upgrade when enabling encryption.
"Erase data before use" is used if the devices being used have some data on them from previous use (or with new disks, if you are paranoid about what the manufacturer or bad actors could potentially have put on there) and you wish to overwrite this data with random data before adding these devices to the Disk-Groups as blank devices. More information can be found here:
vSAN Disk Groups | vSAN Data Encryption at Rest | VMware
Bob
Thanks for your reply.
But as I mentioned in the question, after enabling vSAN encryption, data on the disk group will be evacuated to another disk group.
What I understand is that all data has been removed. So why does the disk need to be cleared again by writing random data?
The fact that data is evacuated does not mean that the blocks on the actual devices are wiped. "Erase before use" writes random data to those blocks to ensure that if someone tries to fetch data from a block, "random data" is returned.
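The point in the reply above is data remanence: evacuation is a logical move, and the bytes stay on the source device until something overwrites them. The following Python simulation is an added illustration, not code from this thread or from VMware; it models a capacity device as a plain byte array with a constructed allocation map (`FakeDisk`, `evacuate`, `erase_before_use` are all hypothetical names). It shows that after evacuation the storage layer no longer returns the data, yet a raw read of the device still finds the plaintext, and that only the random overwrite removes it.

```python
import os

BLOCK_SIZE = 16   # constructed: tiny blocks keep the demo readable
NUM_BLOCKS = 8


class FakeDisk:
    """Constructed stand-in for a capacity device: a flat bytearray plus a
    simple allocation map, so raw bytes can be inspected independently of
    what the storage layer still considers live data."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.allocated = set()

    def write(self, block, data):
        assert len(data) <= BLOCK_SIZE
        start = block * BLOCK_SIZE
        self.raw[start:start + len(data)] = data
        self.allocated.add(block)

    def read_logical(self, block):
        """What the storage layer hands back: unallocated blocks are 'empty'."""
        if block not in self.allocated:
            return None
        start = block * BLOCK_SIZE
        return bytes(self.raw[start:start + BLOCK_SIZE])

    def read_raw(self, block):
        """What someone holding the physical device can read."""
        start = block * BLOCK_SIZE
        return bytes(self.raw[start:start + BLOCK_SIZE])


def evacuate(src, dst):
    """Move live data to another device and drop the allocation on the source.
    Nothing here touches the bytes on the source device."""
    for block in sorted(src.allocated):
        dst.write(block, src.read_logical(block))
    src.allocated.clear()


def erase_before_use(disk):
    """Overwrite every block with random bytes, modelling 'Erase disks before use'."""
    disk.raw[:] = os.urandom(len(disk.raw))
    disk.allocated.clear()


def plaintext_remnants(disk, secret):
    """Count raw blocks that still contain the original plaintext."""
    return sum(1 for b in range(NUM_BLOCKS) if secret in disk.read_raw(b))


def demo():
    secret = b"CUSTOMER-SECRET"   # constructed sample payload
    old_disk, other_disk = FakeDisk(), FakeDisk()
    old_disk.write(2, secret)
    old_disk.write(5, secret)

    evacuate(old_disk, other_disk)
    after_evacuate = plaintext_remnants(old_disk, secret)   # 2: bytes untouched
    logically_visible = old_disk.read_logical(2)           # None: no longer allocated

    erase_before_use(old_disk)
    after_erase = plaintext_remnants(old_disk, secret)      # 0: overwritten
    moved_copies = plaintext_remnants(other_disk, secret)   # 2: data lives on elsewhere
    return after_evacuate, logically_visible, after_erase, moved_copies


if __name__ == "__main__":
    print(demo())   # (2, None, 0, 2)
```

The gap between `read_logical` and `read_raw` is exactly the gap between "the disk group is empty" and "the device holds no recoverable plaintext"; the erase option closes it before the device is re-added, after which everything written to it is ciphertext.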
Thank you so much.