VMware by Broadcom has released a new technical document that provides a clear and practical overview of vSAN Encryption Services in VMware Cloud Foundation environments. The paper explains how both Data-at-Rest and Data-in-Transit encryption work within vSAN, and how these mechanisms help secure modern private cloud infrastructures.
The document goes into the architectural differences between the vSAN Original Storage Architecture (OSA) and the vSAN Express Storage Architecture (ESA). It explains where encryption takes place in the I/O path, how Data Encryption Keys (DEKs) and Key Encryption Keys (KEKs) are managed, and how the placement of encryption operations impacts performance and efficiency. It also details the integration with external Key Management Servers (KMS) and the use of the vSphere Native Key Provider, as well as the important role of TPM-backed key persistence on ESXi hosts.
In addition, the paper covers operational topics such as enabling or disabling encryption, rekeying operations, secure device wiping, and the behaviour of hosts during boot-up in encrypted clusters. There is also guidance for situations where vCenter Server must be rebuilt, and for how to maintain access to encrypted storage during recovery scenarios.
This document is highly relevant for architects, engineers, and anyone working with VMware Cloud Foundation who needs a deeper understanding of vSAN security mechanisms. It offers both conceptual explanations and practical considerations that can be applied directly in production environments.
You can find the official PDF from VMware by Broadcom here.
