Data At Rest Encryption and VSAN

KuotaiDavidSu · ‎05-24-2018

Hi,

We run our VMs in an encrypted SAN storage array. We are thinking of using VMware vSAN in our DR site and VMware Replication as our disaster recovery solution. In non-encryption situation, only changed data blocks will be replicated. But, in an encrypted storage array, my understanding is, data will be decrypted first before send across the Internet. The thing I don't know is how VMware replication replicate Encrypted Data from a Storage Array to Vmware vSAN. For example, if we have 10TB VMs in the encrypted storage array, but only 100GB change data every day. After this encrypt and decrypt process, how much data will be sent? 10TB or 300GB?

Thanks

TheBobkin · ‎05-24-2018

Hello KuotaiDavidSu,

More of a vSphere Replication question than vSAN question so potentially you would want to move this query to that sub-forum (or ask a Mod to do this).

vSphere Replication tracks the changed blocks in memory, and/or commits these to disk via PSF, so I don't think having encryption enabled on the SAN or not is going to make any difference here - if what these data referenced on an encrypted SAN somehow varied to what the VM was accessing then VMs wouldn't be able to write to their disks. Thus only the changes will be replicated not the entire contents of the SAN.

I would advise reading up on the necessary portions of the technical documentation regarding vSphere Replication (short document but answers a ton of questions about how this works):

https://storagehub.vmware.com/export_to_pdf/vsphere-replication-faq

https://storagehub.vmware.com/.../vsphere-r-replication-tm-6-5-technical-overview-1

Bob

KuotaiDavidSu · ‎05-24-2018

Thank you for your help and the articles.

All

Data At Rest Encryption and VSAN