Understanding vSAN Datastore Encryption vs. VMcrypt Encryption
Article ID: 319929

Products

VMware vSAN

Issue/Introduction

When using VMware vSAN, there are two choices for encrypting Virtual Machine (VM) data: vSAN whole-datastore encryption or VMware's VMcrypt (per-VM) encryption. There are important differences between these two methods, and this article compares both encryption solutions.

Environment

  • VMware vSAN 6.x
  • VMware vSAN 7.x
  • VMware vSAN 8.x

Resolution

vSAN datastore encryption and VMcrypt VM encryption vary in several key areas. See the following table for a feature comparison.
 
Feature/Function                                     vSAN Encryption           VMcrypt Encryption
---------------------------------------------------  ------------------------  ------------------------
Supports both external key-management server (KMS)
  and native key encryption
Per-VM encryption                                                              X
Whole-datastore encryption                           X
Data-at-rest encryption
End-to-end encryption                                                          X
VMs encrypted by                                     Placement on datastore    Storage Policy
Encryption occurs*                                   After deduplication       Before deduplication

* While VMcrypt and vSAN are mutually compatible, VMcrypt writes an encrypted data stream whereas vSAN encryption receives an unencrypted data stream and encrypts it during the write process. As the encrypted data written by VMcrypt (or any other end-to-end encryption scheme) appears to be random, it does not deduplicate well. If using VMcrypt with vSAN deduplication, expect deduplication efficiency to approach zero for encrypted VMs. If both encryption and high deduplication efficiency are required, use vSAN whole-datastore encryption.

Note: Dual encryption (VMcrypt on a VM that also resides on an encrypted vSAN datastore) significantly increases CPU overhead, because the data is encrypted and decrypted twice. Ensure dual encryption is not turned on unless it was intended.
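The following is an added illustration, not VMware's code, that models the footnote above: an end-to-end (VMcrypt-style) encrypted write stream leaves nothing for content-based deduplication to match, whereas whole-datastore encryption applied after deduplication keeps the savings and still leaves no plaintext at rest. The VM images, the content-addressed dedup model, the block size and the keys are all constructed, and the position-tweaked toy stream cipher is a stand-in for AES-XTS used only to show the effect; it is not a cipher to use anywhere.

```python
"""Added illustration, not VMware's code: models why an end-to-end
(VMcrypt-style) encrypted stream defeats vSAN deduplication while
whole-datastore encryption, applied after dedup, keeps the savings.
Everything here is constructed: the VM images, the content-addressed
dedup model and the toy position-tweaked stream cipher that stands in
for AES-XTS (it only shows the effect; it is not for real use)."""
import hashlib
from typing import Dict, List, Tuple

BLOCK = 4096  # constructed block size; vSAN's real dedup granularity is not modelled


def toy_block_cipher(key: bytes, block_index: int, data: bytes) -> bytes:
    """XOR the block with a keystream derived from (key, block position, counter).
    Like AES-XTS, identical plaintext at a different offset or under a different
    key yields different ciphertext; XOR is its own inverse, so this also decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + block_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


def build_vm_image(shared_os_blocks: List[bytes], seed: bytes, unique: int) -> List[bytes]:
    """One VM disk: the shared OS template, zero-filled free space, a little unique data."""
    image = list(shared_os_blocks)
    image += [bytes(BLOCK)] * 8
    for i in range(unique):
        image.append(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() * (BLOCK // 32))
    return image


def dedup(blocks: List[bytes]) -> Dict[bytes, bytes]:
    """Content-addressed store: one stored copy per distinct block content."""
    return {hashlib.sha256(b).digest(): b for b in blocks}


def savings(total_blocks: int, stored_blocks: int) -> float:
    """Fraction of written blocks that dedup removed (0.0 means nothing was shared)."""
    return 1.0 - stored_blocks / total_blocks


def vmcrypt_then_dedup(vms: List[Tuple[bytes, List[bytes]]]) -> float:
    """VMcrypt path: each VM encrypts with its own key before the write reaches vSAN."""
    written = [toy_block_cipher(key, i, b) for key, image in vms for i, b in enumerate(image)]
    return savings(len(written), len(dedup(written)))


def dedup_then_datastore_encrypt(vms, datastore_key: bytes) -> Tuple[float, Dict[bytes, bytes]]:
    """vSAN datastore encryption path: the plaintext stream is deduplicated first,
    then the surviving unique blocks are encrypted with the single datastore key."""
    written = [b for _, image in vms for b in image]
    store = dedup(written)
    at_rest = {h: toy_block_cipher(datastore_key, i, b) for i, (h, b) in enumerate(store.items())}
    return savings(len(written), len(at_rest)), at_rest


def run_comparison() -> dict:
    """Three constructed VMs cloned from one template; keys are fixed stand-ins for KMS-issued keys."""
    os_template = [hashlib.sha256(b"os-block-%d" % i).digest() * (BLOCK // 32) for i in range(16)]
    vms = [
        (hashlib.sha256(b"vm%d-key" % n).digest(), build_vm_image(os_template, b"vm%d" % n, 4))
        for n in range(1, 4)
    ]
    datastore_savings, at_rest = dedup_then_datastore_encrypt(vms, hashlib.sha256(b"datastore-key").digest())
    plaintext = {b for _, image in vms for b in image}
    return {
        "vmcrypt_then_dedup_savings": vmcrypt_then_dedup(vms),
        "dedup_then_datastore_encrypt_savings": datastore_savings,
        "plaintext_block_found_at_rest": any(b in plaintext for b in at_rest.values()),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

With three clones of a 16-block template plus zero-filled free space, the plaintext stream deduplicates to 29 of 84 blocks (about 65% savings) before datastore encryption, while the VMcrypt stream yields 84 distinct ciphertext blocks and 0% savings: the same zero block at two offsets, or in two VMs, encrypts to two different values. Running the dedup check against the at-rest store also confirms that none of the original plaintext blocks survive on disk in the datastore-encryption path.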