Product : VMware, vSAN [SDS]/7.0 U1, Enterprise
Feature : Data Encryption Options, Security, Data Services
Content Owner: Herman Rutten
Summary
Hardware: N/A
Software: vSAN data encryption; HyTrust DataControl (validated)
Details
Hardware: vSAN no longer supports self-encrypting drives (SEDs).

Software: vSAN supports native data-at-rest encryption of the vSAN datastore. When encryption is enabled, vSAN performs a rolling reformat of every disk group in the cluster. vSAN encryption requires a trusted connection between vCenter Server and a key management server (KMS). The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard. In contrast, vSAN native data-in-transit encryption does not require a KMS. vSAN native data-at-rest and data-in-transit encryption are only available in the Enterprise edition.

vSAN encryption has been validated for the Federal Information Processing Standard (FIPS) 140-2 Level 1.

VMware has also validated the interoperability of HyTrust DataControl software encryption with its vSAN platform.