Data security is at the top of the agenda for nearly every organization. Encryption plays a crucial role here: it ensures that data is only accessible to systems and users with the correct keys. VMware vSAN provides integrated encryption services that can easily be enabled at the cluster level.
Two Forms of Encryption
vSAN offers two types of encryption that can be used independently or together:
- Data-at-Rest Encryption: encrypts all data as it lands on physical storage devices.
- Data-in-Transit Encryption: secures all vSAN traffic transmitted between hosts in the cluster.
Both methods use the built-in VMkernel cryptographic module in vSphere, which has achieved FIPS 140-2 and 140-3 validation. This ensures compliance with the strictest security standards.
ESA versus OSA
The implementation of encryption differs significantly between the Original Storage Architecture (OSA) and the Express Storage Architecture (ESA).
- In the OSA, data-at-rest encryption is applied as the final step in the I/O path. This preserves the ability to leverage deduplication and compression, but it comes with higher resource overhead.
- In the ESA, encryption occurs higher in the stack, immediately after compression. This means that data only needs to be encrypted once, which reduces CPU and network usage and improves efficiency across the cluster.
Key Management: KMS or Native Key Provider
There are two main options for managing encryption keys:
- External Key Management Server (KMS) – based on the KMIP protocol and often deployed in a highly available cluster configuration.
- vSphere Native Key Provider (NKP) – a built-in key management solution that operates entirely within vSphere, and can leverage TPM chips on hosts for additional resilience and secure key persistence.
VMware strongly recommends using TPM chips on all vSAN hosts to ensure keys remain securely stored and available even if the key provider is temporarily unreachable.
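The two encryption modes and the TPM recommendation above can be audited from PowerCLI. The function below is an added example, not code from the whitepaper or from VMware; it assumes an existing Connect-VIServer session, PowerCLI 12.1 or later, and the property names EncryptionEnabled, DataInTransitEncryptionEnabled, KmsCluster and Capability.TpmSupported as the author understands them, so verify them against your PowerCLI version.

```powershell
# Added audit example (not from the whitepaper): reports, per vSAN cluster,
# whether data-at-rest and data-in-transit encryption are enabled, which key
# provider is bound, and whether every host exposes a TPM.
# Assumes an active Connect-VIServer session and PowerCLI 12.1+.
# Property names used here are assumptions about the PowerCLI/vSphere API;
# check them with (Get-VsanClusterConfiguration | Get-Member) on your version.
function Get-VsanEncryptionPosture {
    [CmdletBinding()]
    param(
        # Clusters to inspect; defaults to every cluster in the connected vCenter.
        [Parameter(ValueFromPipeline)]
        [object[]]$Cluster = (Get-Cluster)
    )
    process {
        foreach ($c in $Cluster) {
            $cfg = Get-VsanClusterConfiguration -Cluster $c
            if (-not $cfg.VsanEnabled) { continue }   # skip non-vSAN clusters

            $hosts = Get-VMHost -Location $c
            # HostCapability.tpmSupported reports whether the host has a TPM.
            $hostsWithoutTpm = @($hosts | Where-Object {
                -not $_.ExtensionData.Capability.TpmSupported
            } | Select-Object -ExpandProperty Name)

            # Assumption: KmsCluster is populated for both an external KMIP KMS
            # and the vSphere Native Key Provider; null means none is bound.
            $keyProvider = if ($cfg.KmsCluster) { $cfg.KmsCluster.Name } else { $null }

            $atRest    = [bool]$cfg.EncryptionEnabled
            $inTransit = [bool]$cfg.DataInTransitEncryptionEnabled

            [PSCustomObject]@{
                Cluster                 = $c.Name
                DataAtRestEncryption    = $atRest
                DataInTransitEncryption = $inTransit
                KeyProvider             = $keyProvider
                HostCount               = $hosts.Count
                HostsWithoutTpm         = $hostsWithoutTpm
                # Compliant = both encryption modes on, a key provider bound,
                # and a TPM present on every host (the recommendation above).
                Compliant               = ($atRest -and $inTransit -and
                                           $null -ne $keyProvider -and
                                           $hostsWithoutTpm.Count -eq 0)
            }
        }
    }
}

# Usage: list every vSAN cluster that falls short, with the reason columns visible.
Get-VsanEncryptionPosture | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```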
Conclusion
vSAN Encryption Services provide organizations with powerful tools to protect sensitive data. With the ability to secure data both at rest and in transit, and flexible options for key management, vSAN ensures compliance, resilience, and peace of mind. Especially with the ESA architecture, organizations benefit from stronger security with lower performance overhead.
Want to learn more?
For a deep dive into all the available techniques, trade-offs, and configuration details, get a copy of the full whitepaper.