Configure vSAN Data-At-Rest and Data-In-Transit Encryption from the vSphere Client
You activate vSAN Data-At-Rest encryption and Data-In-Transit encryption on the vSAN cluster. To enable vSAN encryption, you can either use the vSphere Native Key Provider, or set up an external Key Management Server (KMS) and establish a trusted connection between vCenter Server and the KMS.
- Do not deploy the external KMS server on the same vSAN datastore that you plan to encrypt, because the hosts must reach the KMS before they can unlock that datastore after a reboot.
- You cannot encrypt a witness host. The witness host in a stretched cluster does not participate in vSAN encryption. Only metadata is stored on the witness host.
For more information, see vSAN Data-At-Rest Encryption and vSAN Data-In-Transit Encryption in the vSAN product documentation.
- In a web browser, log in to your vCenter Server by using the vSphere Client.
  - URL: https://management-domain-vcenter-server-fqdn/ui
  - User name: administrator@vsphere.local
- VMW-vSAN-00183: Activate Data-At-Rest encryption on the vSAN cluster.
  - In the Hosts and Clusters inventory, select the vSphere cluster that uses vSAN as storage.
  - Click the Configure tab and, under vSAN, click Services.
  - Click the Data Services Edit button.
  - In the vSAN Services dialog box, activate the Data-At-Rest encryption toggle switch, select a Native Key Provider or external KMS cluster, and click Apply.
  - Repeat the procedure by selecting the vSphere cluster for the VI workload domain.
- VMW-vSAN-00184: Activate Data-In-Transit encryption on the vSAN cluster.
  - In the Hosts and Clusters inventory, select the vSphere cluster that uses vSAN as storage.
  - Click the Configure tab and, under vSAN, click Services.
  - Click the Data Services Edit button.
  - In the vSAN Services dialog box, activate the Data-In-Transit encryption toggle switch, configure the rekey interval, and click Apply.
  - Repeat the procedure by selecting the vSphere cluster for the VI workload domain.
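Once both procedures are complete, the following PowerCLI script, added here as an example and not part of the VMware documentation or product, checks every vSAN-enabled cluster behind a vCenter Server and returns any cluster that still lacks Data-At-Rest or Data-In-Transit encryption. It assumes PowerCLI with the VMware.VimAutomation.Storage module; the DataInTransitEncryptionEnabled and DataInTransitRekeyInterval property names are assumptions to confirm with Get-Member on your PowerCLI version.

```powershell
# Added verification example (not from the VMware documentation above).
# Assumptions: PowerCLI with VMware.VimAutomation.Storage is installed; the
# DataInTransitEncryptionEnabled and DataInTransitRekeyInterval properties on
# the Get-VsanClusterConfiguration result are assumed names (check Get-Member).

function Test-VsanEncryptionCompliance {
    param(
        [Parameter(Mandatory)] [string] $VCenter,            # vCenter Server FQDN of one workload domain
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Connect-VIServer -Server $VCenter -Credential $Credential | Out-Null
    try {
        # Only clusters with vSAN enabled are in scope for VMW-vSAN-00183/00184.
        $results = foreach ($cluster in Get-Cluster | Where-Object { $_.VsanEnabled }) {
            $cfg = Get-VsanClusterConfiguration -Cluster $cluster
            $atRest    = [bool]$cfg.EncryptionEnabled
            $inTransit = [bool]$cfg.DataInTransitEncryptionEnabled   # assumed property name
            [pscustomobject]@{
                Cluster             = $cluster.Name
                DataAtRestEncrypted = $atRest
                KeyProvider         = if ($cfg.KmsCluster) { $cfg.KmsCluster.Name } else { '(none)' }
                DataInTransit       = $inTransit
                RekeyInterval       = $cfg.DataInTransitRekeyInterval  # assumed property name
                Compliant           = $atRest -and $inTransit
            }
        }
        # Print the full report, but return only the non-compliant clusters so a
        # scheduled job can fail when something is still unencrypted.
        Write-Host ($results | Format-Table -AutoSize | Out-String)
        return $results | Where-Object { -not $_.Compliant }
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Usage: run once per vCenter Server (management domain and each VI workload domain).
# $cred = Get-Credential -UserName 'administrator@vsphere.local' -Message 'vCenter Server'
# Test-VsanEncryptionCompliance -VCenter 'management-domain-vcenter-server-fqdn' -Credential $cred
```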