VMware Cloud Community
mithrandir1030
Contributor

vSAN Encryption - Erase data before use

Could anyone explain to me what "Erase data before use" does in vSAN encryption?

I found the blog below, however I still don't understand...

Understanding vSAN Encryption - "Erase disks before use"

What I understand right now is after you enable vSAN encryption:

1. Evacuate all data existing in disk to other disk

2. Encrypt disk

3. Return evacuated data back to disk

4. Do the above process to the next disk

So what is the difference if I choose "Erase data before use" or not?

TheBobkin
Champion

Hello mithrandir1030,

Just so that you are aware - all the steps you mentioned are automated as part of rolling-upgrade enabling encryption.

"Erase data before use" is used if the devices being used have some data on them from previous use (or with new disks, if you are paranoid about what the manufacturer or bad actors could potentially have put on there) and you wish to overwrite this data with random data before adding these devices to the Disk-Groups as blank devices. More information can be found here:

vSAN Disk Groups | vSAN Data Encryption at Rest | VMware

Bob

mithrandir1030
Contributor

Thanks for your reply.

But as I mentioned in the question, after enabling vSAN encryption, data on the disk group will be evacuated to another disk group.

What I understand is that all data has been removed. So why does the disk need to be cleared again by injecting random data?

depping
Leadership

The fact that data is evacuated does not mean that the blocks on the actual devices are wiped. Erase before use writes random data to those blocks to ensure that if someone tries to fetch data from the block, "random data" is returned.

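To make the point above concrete, here is an added toy model, written for this thread and not code from VMware or from any of the posters: evacuating an object only releases its blocks on the source device, so a raw read of that device still finds the plaintext, whereas an erase-before-use pass overwrites every block with random bytes first. The block size, object name and sample record are constructed values.

```python
import os

BLOCK_SIZE = 16  # constructed toy block size in bytes


class ToyDisk:
    """Toy model of one physical device: a fixed array of blocks plus an
    object-to-block map (standing in for the disk group's metadata)."""

    def __init__(self, n_blocks: int) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.objects: dict[str, list[int]] = {}

    def write_object(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        idxs = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.objects[name] = idxs

    def read_object(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.objects[name]).rstrip(b"\0")

    def evacuate(self, name: str, target: "ToyDisk") -> None:
        """Move an object to another device: copy it, then drop only the
        mapping here. The old blocks are marked free, not overwritten."""
        target.write_object(name, self.read_object(name))
        self.free.extend(self.objects.pop(name))

    def erase_before_use(self) -> None:
        """What "Erase disks before use" models: overwrite every block
        with random bytes so a raw read of the device returns only noise."""
        for i in range(len(self.blocks)):
            self.blocks[i] = os.urandom(BLOCK_SIZE)

    def raw_contains(self, needle: bytes) -> bool:
        """Raw device read that ignores the object map, i.e. what a
        forensic tool or the next owner of the disk would see."""
        return any(needle in blk for blk in self.blocks)


def demo() -> dict:
    src, dst = ToyDisk(4), ToyDisk(4)
    record = b"customer-record-0042"  # constructed sample plaintext
    src.write_object("vm1.vmdk", record)
    src.evacuate("vm1.vmdk", dst)
    result = {"copy_intact": dst.read_object("vm1.vmdk") == record,
              "plaintext_after_evacuate": src.raw_contains(b"customer")}
    src.erase_before_use()
    result["plaintext_after_erase"] = src.raw_contains(b"customer")
    return result
```

Running `demo()` shows the evacuated copy intact on the target, the plaintext still readable from the source's raw blocks after evacuation, and gone only after the overwrite.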
mithrandir1030
Contributor

Thank you so much.
