vSAN encryption basics

vSAN Data Encryption at Rest was introduced in vSAN v6.6 and requires vSAN Enterprise licensing. Well, just to understand vSAN encryption in a better way, lets touch some basics here.

What is Data at Rest Encryption:

The terms “Data at Rest Encryption” when used together, typically refer to data that is encrypted and stored, either in a transient or longer time frame, on some type of persistent media.

The purpose of data at rest encryption is essentially disallow access to the stored data without the appropriate key to unlock the data. In the event of media loss or theft, the data is secure without the presence of the unlocking key. Because of this, data at rest encryption is often employed in environments that require additional levels of security.

In a virtualized infrastructure environment, data at rest encryption can occur either inside a virtual machine or can be accommodated by the storage system.

vSAN Data at Rest Encryption:

Well, I assume you have a good idea about vSAN to start with. Just in case you don’t or to give a bit of primer, there are two basic configurations when it comes to vSAN which basically revolves around types of disks being used:

1) All Flash: Where all disks used in a solution are flash disks which means flash disks are used both for cache and capacity disks.
2) Hybrid: Solution where flash disks are used for cache and magnetic disks for capacity.

vSAN Encryption encrypts data at rest both in cache and capacity devices. In case of loss or theft of any of the disks, data on the disk is securely encrypted and hence safe.

vSAN encryption works on datastore level which means encryption may be enabled or disabled on whole vSAN cluster

In case you are utilizing vSAN streched cluster, vSAN encryption supports it.

Deduplication and Compression with Encryption enabled:

Deduplication and Compression unaffected by enabling vSAN Encryption which is unlike when using VM Encryption. VM Encryption encrypts on a per-VM basis. Each VM has a unique key. The encryption happens as the I/O comes from the VM to the hypervisor and before it’s written to the storage layer. VM Encryption is storage independent. It will work with any supported storage type (NFS, iSCSI, Fiber Channel, etc) including vSAN. However, because the encryption happens so early in the process, dedupe and compression are not a good fit for VM Encryption because the I/O is encrypted before it reaches the storage later in ESXi.

vSAN Encryption encrypts at the datastore level. There is one key encryption key (KEK) for the datastore. Data comes out of the VM, goes through the vSAN layer where it’s deduped and compressed (if enabled) and is written to the encrypted vSAN datastore. Hence, Encryption occurs after deduplication and compression tasks

Encryption Key Management:

Key management can be accomplished using a cryptographic appliance called a Key Management Server (KMS). KMS solutions provide standards-compliant lifecycle management of encryption keys. Tasks such as key creation, activation, deactivation, and deletion of encryption keys are performed by Key Management Servers. The Key Management Interoperability Protocol (KMIP) can be used to communicate with a KMS by clients to use keys managed by the KMS.

VCenter Server provides a central location for Key Management Server configuration that is available to be used by either vSAN Encryption or VM Encryption.

Note that vSAN and VM encryption use the exact same libraries but they have very different profiles. VM Encryption is a per-VM encryption and vSAN is a datastore level encryption. Encryption is happening at different places in the hypervisor stack.

Leave a Reply

10 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
10 Comment authors
Mari Kitchens Recent comment authors
newest oldest most voted
Notify of

Right here is the perfect web site for everyone who wishes to understand this topic.
You know so much its almost hard to argue with you
(not that I personally would want to…HaHa).
You definitely put a fresh spin on a topic which has been written about for decades.
Wonderful stuff, just great!


This is a really good tip particularly to those new to the
blogosphere. Brief but very precise information… Many thanks for
sharing this one. A must read post!

Mariam Matlock

You need to be a part of a contest for one of the best blogs on the net.
I most certainly will recommend this site!

Williem Aeweld

Thanks for another informative blog. The place else may
just I am getting that kind of info written in such an ideal means?
I’ve a challenge that I am simply now working on, and I have been at the look out for such info.

Dorothy Traver

What’s Taking place i am new to this, I stumbled upon this I have discovered It absolutely useful and it
has helped me out loads. I hope to contribute & aid different users like its aided me.
Great job.


Greate article. Keep writing such kind of info on your site.

Im really impressed by your blog.
Hi there, You’ve done an excellent job. I’ll certainly digg it and in my view recommend
to my friends. I’m sure they will be benefited from this
web site.


Hi there to every body, it’s my first pay a visit of this web site;
this web site includes amazing and genuinely excellent stuff designed for

Mari Kitchens

Wonderful post but I was wondering if you could write
a litte more on this subject? I’d be very grateful if you could elaborate a little bit further.


It’s really a great and helpful piece of information. I am glad
that you simply shared this useful information with us.
Please keep us up to date like this. Thanks
for sharing.


I have read so many posts regarding the blogger lovers except this paragraph is actually a fastidious article, keep it up.