1 Reply Latest reply on Jan 30, 2020 3:32 PM by TheBobkin

    vSAN Encryption to an Existing Datastore, does it impact?

    DNA99 Lurker

      If we enable Encryption to an existing vSAN datastore with reasonable amount of data, will that be a disruptive change to a VM? Does it impact the workloads in any way?

      Let me know, Thanks!

        • 1. Re: vSAN Encryption to an Existing Datastore, does it impact?
          TheBobkin Virtuoso
          vExpertVMware Employees

          Hello DNA99


          Welcome to Communities.


          This is a Storage-intensive operation and thus may need to be throttled via resync options to not cause IO contention to VMs in a Production cluster.

          Enabling vSAN Encryption has to do a rolling reformat of all Disk-Groups - this automated process entails:

          1. Migrates all data off the Disk-Groups.

          2. Deletes the Disk-Groups.

          3. <optional whether selected> Writes random data to all blocks of the devices:

          Understanding vSAN Encryption - "Erase disks before use"

          4. Recreates the Disk-Groups with Encryption mechanisms enabled.


          Preferably before doing this, you would be running on a ESXi 6.7 U3 or later build that automates a lot of the IO-fairness scheduling as opposed to have to throttling the resync (and also has vast improvements to resync performance via better queue-utilisation).