VMware Cloud Community
SkippT
Enthusiast

Upgrading from 6.7 to 7.0U2D to enable VM encryption at rest. Encryption at rest is the end game!!!

Hello all

I have two hosts, DELL Power Edge R6040, which are connected directly via fibre to an HPE MSA 2060.

We are running VMware vCenter Server 6.5 Update 3n currently and want to go to vCenter Server 7.0 Update 2d (7.0.2.00500) to gain the encryption at rest feature for all our VMs. 

This is all run on a Standard license.

Am I correct in my findings below....

1. Upgrade vCenter and host to 7, and upgrade the license to Enterprise Plus, and use the native key provider configuration (NKP) feature in vSphere.

2. Upgrade vCenter and host to 7, and upgrade the license to Enterprise Plus, and get an external (KMS) solution to encrypt the VMs.

3. Implement vSAN. Need another host, or use V witness.

 

My first choice is (1), as it is less disruptive, but a doubling in licensing.

My second choice (2), is feasible, but again I think I would need a doubling in licensing cost from standard to enterprise and also the cost of a third party KMS.

My third option (3), gives me concern, as I don't know enough about vSAN yet, and it seems it will be the most disruptive, so here go my questions....

 

With vSAN, can I keep my VMs on another cluster rather than the newly created vSAN cluster? I understand you cannot have the VMs on the same cluster. Is this correct?

Will using vSAN really enable me to use encryption at rest anyway? I think I will still have to give my boss the bad news that we may need Enterprise Plus rather than Standard to even enable VM encryption at rest.

 

Thank you all
