vSAN 6.6 Encryption Configuration

New in vSAN 6.6: native vSAN encryption for data at rest is now available. This feature does not require self-encrypting drives (SEDs). Encryption is supported on both all-flash and hybrid vSAN configurations, and it is applied at the datastore level.

It is important to note that data is encrypted during the de-staging process, which means that all other vSAN features are fully supported, such as deduplication and compression, among others.

Given the multitude of KMS vendors, the setup and configuration of the KMS is not covered in this document; it is a prerequisite for enabling encryption on a vSAN datastore.

Requirements for vSAN Encryption:

  • Deploy KMS cluster/server of your choice
  • Add/trust KMS server to vCenter UI
  • vSAN encryption requires on-disk format (ODF) version 5
    • You can upgrade this via Web Client
    • or if you enable Encryption or Deduplication and Compression on an existing vSAN cluster, the ODF gets upgraded to the latest version automatically.
  • When vSAN encryption is enabled all disks are reformatted
    • This is achieved in a rolling manner

 

Initial configuration is done in the VMware vCenter Server user interface of the vSphere Web Client. The KMS cluster is added to vCenter Server and a trust relationship is established. The process for doing this is vendor-specific. Consult your KMS vendor documentation prior to adding the KMS cluster to vCenter.

To add the KMS cluster to vCenter in the vSphere Web Client, click on the vCenter server, click the “Configure” tab, select “Key Management Servers”, and click “add KMS”. Enter the information for your specific KMS cluster/server.

 

Once the KMS cluster/server has been added, you will need to establish trust with the KMS server. Follow the instructions from your KMS vendor as they differ from vendor to vendor.

 

After the KMS has been configured, you will see that the connection status and the certificate have green checks, meaning we are ready to move forward.

 

Now, we need to verify that all of the disks in the cluster are on version 5 for on-disk format prior to enabling vSAN encryption, since version 5 is a requirement.

 

 

At this point we are ready to turn encryption on, since we have completed the first three steps.

  • Deploy KMS cluster/server of your choice
  • Add/trust KMS server to vCenter UI
  • vSAN encryption requires on-disk format version 5
  • When vSAN encryption is enabled all disks are reformatted

 

To enable vSAN encryption, click on the vSAN cluster, “Configure” tab, and “General” under the vSAN section, and click “edit”. Here we have the option to erase the disk before use. This will increase the time it will take to do the rolling format of the devices, but it will provide better protection.

 

After you click OK, vSAN will remove one Disk Group at a time, format each device, and recreate the Disk Group once the format has completed. It will then move on to the next Disk Group until all Disk Groups are recreated and all devices are formatted. During this period, data will be evacuated from the Disk Groups, so you will see components resyncing.

 

Note: This process can take quite some time depending on the amount of data that needs to be migrated during the rolling reformat, so please plan accordingly.

 

Once vSAN encryption is enabled, you are able to disable it again; however, disabling it requires the same procedure of reformatting all the drives in a rolling manner.

 

New Key Generation

You also have the capability of generating new keys for encryption. There are 2 modes for rekeying. One is a high-level rekey, where the existing data encryption key is wrapped by a new key encryption key. The other is a complete re-encryption of all data. This second mode (deep rekey) may take significant time to complete, as all the data has to be re-written, and it may decrease performance while it runs.
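
The difference between the two rekey modes, as an added example that is not part of the original post and not VMware code. It is a simplified model: the Datastore class and its method names are hypothetical, the HMAC-based keystream is a stand-in for the real cipher, and replacing the KEK during a deep rekey is an assumption of the model.

```python
import hashlib
import hmac
import os


def _xor_stream(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 keystream). Illustration only, not what vSAN uses."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class Datastore:
    """Hypothetical model: the DEK encrypts data blocks, the KEK only wraps the DEK."""

    def __init__(self, kek, blocks):
        self._encrypt_all(kek, blocks)

    def _wrap(self, kek, dek):
        self.wrap_nonce = os.urandom(16)
        self.wrapped_dek = _xor_stream(kek, self.wrap_nonce, dek)

    def _unwrap(self, kek):
        return _xor_stream(kek, self.wrap_nonce, self.wrapped_dek)

    def _encrypt_all(self, kek, blocks):
        dek = os.urandom(32)  # fresh data encryption key
        self.nonces = [os.urandom(16) for _ in blocks]
        self.ciphertext = [_xor_stream(dek, n, b) for n, b in zip(self.nonces, blocks)]
        self._wrap(kek, dek)

    def read(self, kek):
        dek = self._unwrap(kek)
        return [_xor_stream(dek, n, c) for n, c in zip(self.nonces, self.ciphertext)]

    def high_level_rekey(self, old_kek, new_kek):
        """Re-wrap the existing DEK under a new KEK. Returns data blocks rewritten."""
        self._wrap(new_kek, self._unwrap(old_kek))
        return 0  # ciphertext on disk is untouched

    def deep_rekey(self, old_kek, new_kek):
        """New DEK: every block is decrypted and re-encrypted. Returns blocks rewritten."""
        plain = self.read(old_kek)
        self._encrypt_all(new_kek, plain)  # assumption: the KEK is replaced too
        return len(plain)
```

The high-level rekey only changes the small wrapped-key blob, which is why it is quick; the deep rekey rewrites every block, which is where the time and performance cost come from.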

 

 

Summary of expected behaviors:

  • Enabling vSAN Encryption requires disk reformat with object resyncs.
  • You don’t have to erase all the disks prior to using native encryption unless you want to reduce the possibility of data leakage and the exposure to attack. However, erasing them adds to the time required to reformat the drives and enable encryption.
  • Enabling vSAN Deduplication and Compression still requires disk reformat with object resyncs whether the Disk Group is encrypted or not.
  • Disabling any of the aforementioned features requires another reformat of the devices along with object resyncs.
