2 Replies Latest reply on Jan 1, 2020 7:30 AM by TheBobkin

    vSAN encryption - Where to start

    SrVMwarer Enthusiast

      Hi Great community!


I am studying for vSAN, and now I am on the pre-stage to learn vSAN encryption. However, it seems to be difficult to understand it in the beginning, so I would highly appreciate it if you can guide me on where to start so I can continue learning vSAN encryption, keys, KEK, DEK, KMS and so on, all of that stuff.



      Thank you very much in advance for your help.

        • 1. Re: vSAN encryption - Where to start
          IRIX201110141 Master

          Start reading How vSAN Encryption Works



          1 person found this helpful
          • 2. Re: vSAN encryption - Where to start
            TheBobkin Virtuoso
            VMware Employees, vExpert

            Hello İlyas,


            A *really* brief summary of it is:

            - vSAN encrypts data at the Disk-Group level with data at rest (as opposed to encrypting in flight or between points).

            - ESXi hosts require their Key Encryption Keys to be able to access their Disk-Groups, otherwise these are unavailable - this is the main reason to NEVER store your KMS on the vsanDatastore that it is providing this service to (as this can result in the KMS being unavailable because you can't mount the Disk-Groups because you don't have the KEK because you don't have access to the KMS and so on).

            - Communication of encryption key information goes directly from the hosts to the KMS (as opposed to VMware VM Encryption that requires vCenter to access the keys).

            - Storage performance overhead/penalty from using vSAN Encryption is minimal but CPU overhead should be factored in for sizing with guideline being 5-15% utilisation.

            - More likely to benefit from space savings from vSAN dedupe & compression when using vSAN encryption as opposed to vSphere VM encryption.


            As well as what Joerg advised to read, some other good information can be found here:

            vSAN Data Encryption at Rest | VMware



            1 person found this helpful
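The following is an added illustration of the key hierarchy described in the reply above (a KEK held by an external KMS wraps a per-disk-group DEK, and a host that cannot reach the KMS cannot unlock its disk groups). It is example code written for this thread, not VMware's implementation: the KMS, the disk group, the key IDs and the cipher are all constructed stand-ins, and the cipher is a toy HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag in place of the AES primitives a real system uses.

```python
"""Toy model of envelope encryption as used for data at rest:
KEK (from KMS) wraps DEK; DEK encrypts disk-group data.
All names, keys and data here are constructed for illustration."""
import hmac
import hashlib
import secrets


class KmsUnavailable(Exception):
    """Raised when a host cannot reach the KMS to fetch its KEK."""


class ToyKms:
    """Stand-in for an external KMS: holds KEKs and can be taken offline."""

    def __init__(self):
        self._keks = {}
        self.online = True

    def create_kek(self, key_id):
        self._keks[key_id] = secrets.token_bytes(32)
        return key_id

    def get_kek(self, key_id):
        if not self.online:
            raise KmsUnavailable(f"KMS unreachable, cannot fetch KEK {key_id!r}")
        return self._keks[key_id]


def _keystream(key, nonce, length):
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DiskGroup:
    """The DEK is stored only in KEK-wrapped form alongside the data;
    the plaintext DEK lives in host memory only while the group is mounted."""

    def __init__(self, kms, key_id):
        self.key_id = key_id
        self.blocks = []
        dek = secrets.token_bytes(32)
        self.wrapped_dek = seal(kms.get_kek(key_id), dek)  # needs KMS at creation
        self._dek = dek

    def write(self, data):
        self.blocks.append(seal(self._dek, data))

    def unmount(self):
        self._dek = None  # e.g. host reboot: DEK must be recovered via the KMS

    def mount(self, kms):
        kek = kms.get_kek(self.key_id)  # raises KmsUnavailable if KMS is down
        self._dek = unseal(kek, self.wrapped_dek)

    def read(self, index):
        if self._dek is None:
            raise RuntimeError("disk group not mounted")
        return unseal(self._dek, self.blocks[index])


def host_reboot_scenario():
    """Show why the KMS must not depend on the datastore it protects:
    with the KMS down, the host cannot get its KEK, so the group stays locked."""
    kms = ToyKms()
    kms.create_kek("kek-example-1")           # constructed key ID
    dg = DiskGroup(kms, "kek-example-1")
    dg.write(b"vm disk block 0")              # constructed sample data
    dg.unmount()                              # host reboots
    kms.online = False                        # KMS VM itself is on the locked datastore
    try:
        dg.mount(kms)
        while_kms_down = "mounted"
    except KmsUnavailable:
        while_kms_down = "unavailable"
    kms.online = True                         # KMS reachable again
    dg.mount(kms)
    return {"kms_down": while_kms_down, "kms_up": dg.read(0)}


if __name__ == "__main__":
    print(host_reboot_scenario())
```

Running `host_reboot_scenario()` shows the circular dependency the reply warns about: as long as the KMS is unreachable the wrapped DEK on the disk group is useless to the host, and data becomes readable again only once the KEK can be fetched.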