VM Encryption when moving from vSAN to non-vSAN Datastores (and back)

Good afternoon all,

I currently have an Encrypted vSAN cluster of hosts using CloudLink KMS. VMs do not need a storage policy that involves VM Encryption as they are encrypted at the vSAN Datastore level.

I want to be able to vMotion and/or replicate VMs from this Encrypted vSAN environment to a traditional iSCSI SAN environment on another vCenter & Cluster with a standard datastore. It is important that when the VM data is written to the traditional SAN datastore that it is still encrypted.

As I understand it, I have two options:

  1. Use SEDs (Self-Encrypting Drives) in the SAN so that the encryption is transparent to VMware.
  2. Apply a storage policy which involves VM Encryption at the time of vMotion/replication.

Option 1 is simple but SEDs are more expensive and don't have the capacity compatibility in the SAN we want to use.

Option 2 seems ideal but we need to be able to apply the policy whilst the VM is powered on at the point of vMotion. Is it as simple as setting up VM Encryption on the Default Storage Policy of the SAN datastore at the 2nd site, and then VMware handles the rest as it migrates the VM live?

I basically want to move VMs around (whilst powered on) and ensure they are always encrypted at rest, whether they are on Encrypted vSAN or a traditional datastore with VM Encryption on the storage policy. I've been reading up on VMware's documentation and some of it suggests that storage encryption policies cannot be changed whilst the VM is powered on; however, I know you get the chance to change the storage policy at the point of vMotion normally.

Currently using ESXi 7, but can upgrade to update 2 to get the inbuilt key management feature for the non-vSAN encryption.

Is this possible? Am I missing something?

Any help/pointers appreciated!
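Whatever the answer to the policy-at-vMotion question turns out to be, the thing worth verifying after each migration is that the VM home and every VMDK on the destination datastore actually carry a crypto key. The PowerCLI check below is an added example, not code from the original post: it reads the `KeyId` that vSphere sets on an encrypted VM configuration and on each encrypted disk backing, and reports the SPBM policy each object ended up with. The vCenter name and the VM name `app01` are placeholders, and it assumes PowerCLI with the VMware.VimAutomation.Storage module loaded.

```powershell
# Added example (not from the original post): after a migration, confirm that a
# VM's home files and every virtual disk still carry a crypto key, and show
# which SPBM storage policy each object ended up with.
# Assumptions: PowerCLI with VMware.VimAutomation.Storage loaded, and an
# authenticated session to the destination vCenter (placeholder name below).
Connect-VIServer -Server 'vcenter-site2.example.local'   # placeholder vCenter

function Test-VMEncryptionAtRest {
    param([Parameter(Mandatory)][string]$Name)

    $vm  = Get-VM -Name $Name
    $cfg = $vm.ExtensionData.Config

    # VM home (vmx, swap, nvram): Config.KeyId is null when the VM is not encrypted
    $homeEncrypted = $null -ne $cfg.KeyId
    [pscustomobject]@{
        VM          = $vm.Name
        Object      = 'VM home'
        Encrypted   = $homeEncrypted
        KeyProvider = if ($homeEncrypted) { $cfg.KeyId.ProviderId.Id } else { '' }
        Policy      = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    }

    # Each virtual disk: the backing's KeyId is set only for an encrypted VMDK
    foreach ($disk in Get-HardDisk -VM $vm) {
        $backing       = $disk.ExtensionData.Backing
        $diskEncrypted = $null -ne $backing.KeyId
        [pscustomobject]@{
            VM          = $vm.Name
            Object      = $disk.Name
            Encrypted   = $diskEncrypted
            KeyProvider = if ($diskEncrypted) { $backing.KeyId.ProviderId.Id } else { '' }
            Policy      = (Get-SpbmEntityConfiguration -HardDisk $disk).StoragePolicy.Name
        }
    }
}

# Print the report and warn about anything that landed on the destination without a key
Test-VMEncryptionAtRest -Name 'app01' |      # placeholder VM name
    Tee-Object -Variable report |
    Format-Table -AutoSize
$report | Where-Object { -not $_.Encrypted } |
    ForEach-Object { Write-Warning "$($_.VM): $($_.Object) is NOT encrypted at rest" }
```

One caveat when reading the output: this check only sees per-VM (VM Encryption) keys. On the source side, where encryption is a property of the vSAN datastore rather than of the VM, `KeyId` will be empty even though the data is encrypted at rest, so the check is meaningful for the traditional-datastore side of the move, which is exactly where the question's risk lies.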

