vSAN Data Encryption at Rest was introduced in vSAN 6.6 and requires vSAN Enterprise licensing. Well, just to understand vSAN encryption in a better way, let's touch on some basics first.
What is Data at Rest Encryption:
The term “Data at Rest Encryption” refers to encrypting data that is stored, whether briefly or for a long time, on some type of persistent media.
The purpose of data at rest encryption is essentially to disallow access to the stored data without the appropriate key to unlock it. In the event of media loss or theft, the data remains protected as long as the unlocking key is not sitting on the same media; a key stored next to the ciphertext protects nothing. Because of this, data at rest encryption is often employed in environments that require additional levels of security.
In a virtualized infrastructure environment, data at rest encryption can be done either inside the virtual machine or by the storage system underneath it.
vSAN Data at Rest Encryption:
Well, I assume you have a good idea about vSAN to start with. Just in case you don't, or as a bit of a primer: there are two basic vSAN configurations, and the difference comes down to the types of disks being used:
1) All Flash: all disks in the solution are flash devices, so flash is used for both the cache tier and the capacity tier.
2) Hybrid: flash devices are used for the cache tier and magnetic disks for the capacity tier.
vSAN Encryption encrypts data at rest on both the cache and the capacity devices. If any of the disks is lost or stolen, the data on it is ciphertext and is unreadable without the key, which is not on the disk.
vSAN Encryption works at the datastore level, which means it is enabled or disabled for the whole vSAN cluster at once; you cannot pick individual VMs on the datastore to encrypt (that is what VM Encryption, described below, is for).
vSAN stretched clusters are supported with vSAN Encryption.
Deduplication and Compression with Encryption enabled:
Deduplication and Compression are unaffected by enabling vSAN Encryption, which is not the case with VM Encryption. VM Encryption encrypts on a per-VM basis; each VM has a unique key. The encryption happens as the I/O comes from the VM into the hypervisor, before it is written to the storage layer. VM Encryption is storage independent: it works with any supported storage type (NFS, iSCSI, Fibre Channel, etc.), including vSAN. However, because the encryption happens so early in the path, dedupe and compression are a poor fit for VM Encryption: by the time the I/O reaches the storage layer in ESXi it is already ciphertext, and two identical blocks (from two VMs, or even two copies within one VM) no longer look identical, so there is nothing left to deduplicate and nothing compressible either.
vSAN Encryption encrypts at the datastore level. There is one key encryption key (KEK) per encrypted cluster, issued by the KMS; vCenter Server keeps only the ID of the KEK, not the key. Each disk gets its own randomly generated data encryption key (DEK), which the ESXi host wraps with the KEK and stores on that disk, while the KEK itself is never written to disk. Data comes out of the VM and is encrypted into the cache tier; when it is destaged it is decrypted, deduplicated and compressed (if enabled), and re-encrypted as it is written to the capacity tier. Hence encryption of the capacity tier occurs after deduplication and compression, and the space savings are preserved.
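To make the ordering point concrete, here is an added example (my own Go model, not VMware code) that runs a content-addressed dedup engine over the same two VMs' blocks in both orders. Everything in it is constructed: the 4 KiB "golden image" blocks, the VM names web01/web02, and the per-VM and datastore keys derived from labels. AES-CTR with the block address as IV stands in for the AES-256 XTS mode vSAN actually uses; the tweak-per-address behaviour is what matters, because it is what makes identical plaintext blocks look different to dedup once they are encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockSize = 4096 // constructed block size for the demo

// deriveKey turns a label into a 256-bit key. Demo only: real keys come from
// the KMS or a CSPRNG, never from a label.
func deriveKey(label string) []byte {
	k := sha256.Sum256([]byte(label))
	return k[:]
}

// encryptBlock encrypts one block with AES-256-CTR, using the block address as
// the IV so identical plaintext at two addresses gives two ciphertexts. XTS,
// the mode vSAN uses, tweaks per sector for the same reason; CTR is a stand-in.
func encryptBlock(key []byte, addr uint64, plain []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], addr)
	out := make([]byte, len(plain))
	cipher.NewCTR(blk, iv).XORKeyStream(out, plain)
	return out
}

// dedupCount is the dedup engine: how many distinct blocks it would store.
func dedupCount(blocks [][]byte) int {
	seen := map[[32]byte]bool{}
	for _, b := range blocks {
		seen[sha256.Sum256(b)] = true
	}
	return len(seen)
}

// sampleVM builds constructed data for one VM: golden blocks shared with every
// VM cloned from the same template, plus two blocks unique to this VM.
func sampleVM(name string, golden int) [][]byte {
	template := make([]byte, blockSize)
	for i := range template {
		template[i] = byte(i % 251)
	}
	var blocks [][]byte
	for i := 0; i < golden; i++ {
		blocks = append(blocks, template)
	}
	for i := 0; i < 2; i++ {
		b := make([]byte, blockSize)
		copy(b, fmt.Sprintf("%s private block %d", name, i))
		blocks = append(blocks, b)
	}
	return blocks
}

// PerVMEncryptThenDedup models VM Encryption: each VM encrypts its I/O with its
// own key before the write reaches the storage layer, so dedup sees ciphertext.
func PerVMEncryptThenDedup(vms map[string][][]byte) int {
	var onDisk [][]byte
	for name, blocks := range vms {
		key := deriveKey("vm-key:" + name)
		for addr, b := range blocks {
			onDisk = append(onDisk, encryptBlock(key, uint64(addr), b))
		}
	}
	return dedupCount(onDisk)
}

// DedupThenDatastoreEncrypt models vSAN Encryption: the vSAN layer dedups the
// plaintext first and only the surviving unique blocks are encrypted, all under
// the one datastore key, before they reach the capacity tier.
func DedupThenDatastoreEncrypt(vms map[string][][]byte) int {
	unique := map[[32]byte][]byte{}
	for _, blocks := range vms {
		for _, b := range blocks {
			unique[sha256.Sum256(b)] = b
		}
	}
	key := deriveKey("datastore-key")
	var onDisk [][]byte
	for _, b := range unique {
		onDisk = append(onDisk, encryptBlock(key, uint64(len(onDisk)), b))
	}
	return len(onDisk)
}

func main() {
	vms := map[string][][]byte{"web01": sampleVM("web01", 6), "web02": sampleVM("web02", 6)}
	fmt.Println("16 logical blocks; stored with VM Encryption:  ", PerVMEncryptThenDedup(vms))
	fmt.Println("16 logical blocks; stored with vSAN Encryption:", DedupThenDatastoreEncrypt(vms))
}
```

Two VMs cloned from one template write 16 logical blocks. Encrypting per VM first leaves 16 blocks on disk, because every ciphertext is unique even where the plaintext was the same; deduplicating first and then encrypting under the datastore key stores 5 (one copy of the template block plus the four VM-private blocks). That is the whole reason vSAN Encryption can coexist with space efficiency and VM Encryption cannot.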
Encryption Key Management:
Key management is handled by a Key Management Server (KMS), typically a dedicated cryptographic appliance or service. KMS products provide standards-compliant lifecycle management of encryption keys: creation, activation, deactivation and deletion of keys are all performed by the KMS. Clients talk to the KMS over the Key Management Interoperability Protocol (KMIP) to use the keys it manages. One practical caveat: do not run the KMS itself as a VM on the vSAN datastore it is protecting, because the hosts need the KEK from the KMS before they can mount that datastore after a reboot.
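The KEK and KMS roles above are easier to reason about with a working model, so here is an added example (mine, not VMware's) of the key hierarchy vSAN documents: the KMS issues a KEK and hands it out by ID, each disk gets its own random DEK that the host wraps under the KEK and stores beside the data, and the KEK is never written to the disk. The in-memory KMS, the KEK ID kek-vsan-cluster01 and the disk contents are constructed for the demo, and AES-GCM stands in for both the DEK wrapping and the AES-256 XTS data encryption. The interesting part is the failure mode: the same disk handed to a party without KMS access yields nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stands in for the KMIP key server: it creates KEKs and hands them out
// by ID. vCenter records only the KEK ID; each host fetches the KEK itself.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

func (k *KMS) CreateKEK(id string) { k.keks[id] = randBytes(32) }

func (k *KMS) GetKEK(id string) ([]byte, error) {
	if kek, ok := k.keks[id]; ok {
		return kek, nil
	}
	return nil, errors.New("KMS: unknown KEK id " + id)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Disk is what leaves the building with a stolen drive: the KEK ID, the DEK
// wrapped under that KEK and the data encrypted under the DEK. No KEK on it.
type Disk struct {
	KEKID      string
	WrappedDEK []byte
	Data       []byte
}

// newGCM, seal and unseal use AES-256-GCM with the nonce prepended; GCM is a
// stdlib stand-in for vSAN's DEK wrapping and AES-256 XTS data encryption.
func newGCM(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(blk) // cannot fail for an AES block cipher
	return gcm
}

func seal(key, plain []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plain, nil)
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// FormatDisk is the host side of enabling encryption: generate a random DEK for
// this disk, encrypt the data under it, and store only the KEK-wrapped DEK.
func FormatDisk(kms *KMS, kekID string, data []byte) (*Disk, error) {
	kek, err := kms.GetKEK(kekID)
	if err != nil {
		return nil, err
	}
	dek := randBytes(32)
	return &Disk{KEKID: kekID, WrappedDEK: seal(kek, dek), Data: seal(dek, data)}, nil
}

// ReadDisk fetches the KEK named on the disk, unwraps the DEK and decrypts.
// Whoever holds the drive but not the KMS fails at the first step.
func ReadDisk(kms *KMS, d *Disk) ([]byte, error) {
	kek, err := kms.GetKEK(d.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := unseal(kek, d.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, d.Data)
}

func main() {
	kms := NewKMS()
	kms.CreateKEK("kek-vsan-cluster01") // vCenter stores this ID only
	disk, _ := FormatDisk(kms, "kek-vsan-cluster01", []byte("constructed VM data"))
	plain, _ := ReadDisk(kms, disk)
	_, err := ReadDisk(NewKMS(), disk) // stolen drive, no KMS access
	fmt.Printf("with KMS: %q; without KMS: %v\n", plain, err)
}
```

Because the data is encrypted under the DEK and only the wrapped DEK depends on the KEK, rotating the KEK at the KMS only requires re-wrapping each disk's DEK, not re-encrypting the data; the model above makes it obvious why that is cheap and why losing the KMS (or the KEK) is fatal for every disk that references it.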
vCenter Server provides a central location for Key Management Server configuration that can be used by either vSAN Encryption or VM Encryption.
Note that vSAN Encryption and VM Encryption use the exact same cryptographic libraries but have very different profiles: VM Encryption is per-VM encryption, vSAN Encryption is datastore-level encryption, and the encryption happens at different places in the hypervisor stack.