Configuring vSAN Encryption with HyTrust server (Part-3)

In the previous blog post we discussed the KMS server registration process with vCenter.

In part-3 we proceed with enabling encryption on the vSAN cluster.

Enable Encryption on vSAN cluster:

Required privileges:

  • Host → Inventory → EditCluster
  • Cryptographer → ManageEncryptionPolicy
  • Cryptographer → ManageKMS
  • Cryptographer → ManageKeys


You must have set up a KMS cluster and established a trusted connection between vCenter Server and the KMS.

The cluster’s disk-claiming mode must be set to manual.

You cannot enable encryption without a KMS server. Since we have already added the KMS server, navigate to vSAN Cluster ⇒ Configure ⇒ General and click Edit to modify the cluster settings.

Click Encryption and select the KMS server. In my case, since I had already added the KMS server, it automatically detected HyTrust. Click OK to proceed.

This operation starts a rolling reformat (evacuate, format, restore) of all the disk groups and runs for a long time. Make sure you have enough space in the vSAN datastore and that the disk threshold level has not been reached; otherwise the operation fails with “Not enough resources”.
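The prerequisites and the space requirement above can be checked before clicking OK. The following is an added example, not part of the original post or of any VMware or HyTrust tooling: it evaluates a constructed inventory against the listed privileges (written here in dotted form), the KMS trust and manual disk-claiming requirements, and a simplified headroom model for evacuating one disk group at a time. The `max_fill` ceiling, the inventory layout and all names and sizes are assumptions, and the model ignores storage-policy placement and fault domains.

```python
"""Preflight for the prerequisites listed above (added example, constructed data)."""

REQUIRED_PRIVILEGES = {
    "Host.Inventory.EditCluster",
    "Cryptographer.ManageEncryptionPolicy",
    "Cryptographer.ManageKMS",
    "Cryptographer.ManageKeys",
}


def preflight(cluster, role_privileges, max_fill=0.80):
    """Return blocking findings; an empty list means the checks passed.

    max_fill is an assumed per-disk-group fill ceiling, not a value from the post.
    """
    findings = []
    missing = REQUIRED_PRIVILEGES - set(role_privileges)
    if missing:
        findings.append("missing privileges: " + ", ".join(sorted(missing)))
    if not cluster["kms_trusted"]:
        findings.append("no trusted KMS connection from vCenter")
    if cluster["disk_claim_mode"] != "manual":
        findings.append("disk-claiming mode is not manual")
    groups = cluster["disk_groups"]
    for name, dg in groups.items():
        # The rolling reformat evacuates one disk group at a time, so its data
        # must fit on the remaining groups without pushing them past max_fill.
        headroom = sum(
            max(0, o["capacity_gb"] * max_fill - o["used_gb"])
            for other, o in groups.items() if other != name
        )
        if dg["used_gb"] > headroom:
            findings.append(
                f"{name}: {dg['used_gb']} GB used, {headroom:.0f} GB headroom elsewhere"
            )
    return findings


# Constructed sample inventory (hypothetical host names and sizes).
SAMPLE = {
    "kms_trusted": True,
    "disk_claim_mode": "manual",
    "disk_groups": {
        "esx01-dg1": {"capacity_gb": 1000, "used_gb": 700},
        "esx02-dg1": {"capacity_gb": 1000, "used_gb": 650},
        "esx03-dg1": {"capacity_gb": 1000, "used_gb": 720},
    },
}

if __name__ == "__main__":
    for line in preflight(SAMPLE, REQUIRED_PRIVILEGES) or ["ready"]:
        print(line)
```

With the sample inventory every disk group is reported, because none of them can be evacuated onto the other two without exceeding the assumed ceiling.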

A resync starts and runs in parallel with the operation. Here we can see that the convert disk format operation has been executed with rolling reformat & upgrade. How long this process takes depends on the hosts and storage available in the cluster.

You can see the current status of the task in the General tab ⇒ disk format version.

Once the disk group upgrade completes, rerun the vSAN health checks in vSAN Health and see whether all the health tests pass. In my scenario all looks green.

All the hosts are communicating with the KMS server and executing the KEK retrieval process.

This ends the “Deploying and configuring HyTrust server in vSAN” series. If you want to go through the series again, the direct links are below:

Understanding vSAN Encryption with troubleshooting tips

If you like this blog post, please feel free to share with your friends on social media.

Thanks for reading!!
