*really* brief summary of it is:
- vSAN encrypts data at the Disk-Group level with data at rest (as opposed to encrypting in flight or between points).
- ESXi hosts require their Key Encryption Keys to be able to access their Disk-Groups, otherwise these are unavailable - this is the main reason to NEVER store your KMS on the vsanDatastore that it is providing this service to (as this can result in the KMS being unavailable because you can't mount the Disk-Groups because you don't have the KEK because you don't have access to the KMS and so on).
- Communication of encryption key information goes directly from the hosts to the KMS (as opposed to VMware VM Encryption that requires vCenter to access the keys).
- Storage performance overhead/penalty from using vSAN Encryption is minimal, but CPU overhead should be factored in for sizing, with the guideline being 5-15% utilisation.
- More likely to benefit from space savings from vSAN dedupe & compression when using vSAN encryption as opposed to vSphere VM encryption.
As well as what Joerg advised to read, some other good information can be found here:
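The KMS placement point in the post above is essentially a boot-time dependency problem: an encrypted cluster cannot mount its Disk-Groups until it has its KEK from the KMS, and a KMS VM cannot power on until the datastore it lives on is mounted. The following script is an added example written for this thread (it is not the poster's code and not a VMware tool); it models that dependency over a constructed inventory and reports which clusters could never come back up after a full power-down. It goes a little beyond the post's single-cluster case by also catching cross-cluster loops (cluster A's KMS on B's vsanDatastore while B's KMS sits on A's). The `Cluster` and `VirtualMachine` records and all names in `CLUSTERS` and `VMS` are made up for the example; in a real environment you would populate them from PowerCLI or the vSphere API.

```python
"""Boot-dependency check for vSAN encryption KMS placement (constructed example).

Rule modelled: an encryption-enabled vSAN cluster can only mount its
Disk-Groups once it can reach at least one of its configured KMS servers.
A KMS that runs as a VM on a vSAN datastore is only reachable once the
cluster owning that datastore has mounted it.
"""
from dataclasses import dataclass


@dataclass
class Cluster:
    name: str
    encryption_enabled: bool
    kms_servers: list   # names of KMS servers configured for this cluster
    vsan_datastore: str


@dataclass
class VirtualMachine:
    name: str
    datastore: str


def find_kms_placement_conflicts(clusters, vms):
    """The direct mistake from the post: a KMS VM stored on the very
    vsanDatastore it serves keys to. Returns (cluster, kms, datastore)."""
    vm_by_name = {vm.name: vm for vm in vms}
    conflicts = []
    for cluster in clusters:
        if not cluster.encryption_enabled:
            continue
        for kms in cluster.kms_servers:
            vm = vm_by_name.get(kms)
            if vm is not None and vm.datastore == cluster.vsan_datastore:
                conflicts.append((cluster.name, kms, vm.datastore))
    return conflicts


def bootable_clusters(clusters, vms):
    """Least-fixpoint computation of the clusters that can mount their
    Disk-Groups from a cold start. A cluster joins the set when any one of
    its KMS servers is reachable without depending on an unmounted datastore."""
    datastore_owner = {c.vsan_datastore: c for c in clusters}
    vm_by_name = {vm.name: vm for vm in vms}
    # Unencrypted clusters need no key and therefore no KMS.
    bootable = {c.name for c in clusters if not c.encryption_enabled}
    changed = True
    while changed:
        changed = False
        for cluster in clusters:
            if cluster.name in bootable:
                continue
            for kms in cluster.kms_servers:
                vm = vm_by_name.get(kms)
                if vm is None:
                    reachable = True        # external appliance/physical KMS
                else:
                    owner = datastore_owner.get(vm.datastore)
                    # Non-vSAN datastore (e.g. local VMFS) or a vSAN cluster
                    # that is already known to come up on its own.
                    reachable = owner is None or owner.name in bootable
                if reachable:
                    bootable.add(cluster.name)
                    changed = True
                    break
    return bootable


def find_deadlocked_clusters(clusters, vms):
    """Encrypted clusters that can never obtain their KEK after a full outage."""
    ok = bootable_clusters(clusters, vms)
    return sorted(c.name for c in clusters if c.name not in ok)


# Constructed inventory (hypothetical names, not from any real environment).
CLUSTERS = [
    Cluster("prod-a", True, ["kms-01"], "vsanDatastore-prod-a"),
    Cluster("prod-b", True, ["kms-02"], "vsanDatastore-prod-b"),
    Cluster("mgmt", False, [], "vsanDatastore-mgmt"),
    Cluster("dr", True, ["kms-03", "kms-ext"], "vsanDatastore-dr"),
]
VMS = [
    VirtualMachine("kms-01", "vsanDatastore-prod-b"),   # cross-cluster loop
    VirtualMachine("kms-02", "vsanDatastore-prod-a"),   # ...with prod-a
    VirtualMachine("kms-03", "vsanDatastore-dr"),       # self-hosted KMS
    # "kms-ext" has no VM record: it is an external KMS outside vSAN.
]

if __name__ == "__main__":
    print("KMS on own datastore:", find_kms_placement_conflicts(CLUSTERS, VMS))
    print("Cold-start deadlocked:", find_deadlocked_clusters(CLUSTERS, VMS))
```

Two things the run shows: `dr` is flagged for hosting `kms-03` on its own datastore but is not deadlocked, because the external `kms-ext` still gives it a key path (poor redundancy rather than an outage); `prod-a` and `prod-b` each look fine in isolation yet can never cold-start, because each one's only KMS lives on the other's encrypted datastore.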