How to disable encryption on vSAN cluster

Article ID: 400462

Products

VMware vSAN

Issue/Introduction

Symptoms:

  • How to disable Data-at-Rest (D@R) and Data-in-Transit (DiT) encryption.

Environment

VMware vSAN 7.x

VMware vSAN 8.x

Resolution

To disable encryption in vSAN, navigate to the vSAN cluster configuration in vSphere Web Client, then disable "Data-at-rest encryption" and "Data-in-transit encryption" within the vSAN services configuration. Once the change is applied, data that was previously encrypted is stored and transmitted in the clear.
 
Detailed Steps:
  1. Locate the vSAN Cluster: In vSphere Web Client, navigate to the inventory and select the vSAN cluster you wish to modify.
  2. Configure vSAN Services: Click on the "Configure" tab, then select "vSAN" > "Services" > "Data Services".
  3. Edit vSAN Encryption: Click "Edit" to access the vSAN encryption settings.
  4. Disable Encryption: Uncheck the boxes next to "Data-At-Rest encryption" and "Data-in-Transit encryption".
  5. Apply Changes: Click "Apply" to save the changes and disable vSAN encryption. 

The release notes quoted below describe the constraints on disabling vSAN encryption in vSAN version 8.0 (ESA).

  • Cannot change encryption settings on vSAN ESA: Encryption can only be configured on vSAN ESA during cluster creation. You cannot change the settings later.
    VMware vSAN 8.0 Release Notes

  • Data-at-rest encryption disable for vSAN ESA 8.0.3: You can disable data-at-rest encryption on vSAN ESA clusters at any point after enabling it. vSAN ESA now supports the following operations for data-at-rest encryption: enable encryption, disable encryption, shallow rekey, and deep rekey.
    VMware vSAN 8.0 Update 3 Release Notes

Prerequisites Before Disabling vSAN Encryption:

  • Ensure you have a recent backup of all critical workloads running on the vSAN datastore.
  • Run vSAN Health Check to confirm the cluster is stable.
  • Ensure no ongoing resync operations or degraded disk groups.
  • Ensure the KMS is accessible and operational as it is needed to decrypt the data during the process.
  • Disabling encryption triggers disk format conversion, which requires extra capacity.
  • Ensure there is enough free space in the vSAN cluster for safe operations.
  • Disk usage is high while encryption is being disabled, so it is recommended to perform this task outside production hours.
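The detailed steps and the prerequisites above are a manual checklist. The PowerCLI script below is an added example (it is not part of this KB article and is not VMware-supplied code) that runs the pre-flight checks from the prerequisites list against one cluster and only performs the disable step from the procedure when explicitly asked to. It assumes VMware.PowerCLI is installed and uses the cmdlets Get-VsanClusterConfiguration, Test-VsanClusterHealth, Get-VsanResyncingOverview, Get-VsanSpaceUsage and Set-VsanClusterConfiguration; the vCenter name, cluster name and 30 % free-space threshold are placeholders, and the OverallHealth property and the -DataInTransitEncryptionEnabled parameter are assumptions to verify against your PowerCLI version.

```powershell
# Pre-flight checks before disabling vSAN encryption.
# Added example, not from the KB article. Requires VMware.PowerCLI (VMware.VimAutomation.Storage).
# Server, cluster name and the free-space threshold are placeholders / assumptions.
param(
    [string]$Server         = 'vcenter.example.invalid',  # placeholder vCenter
    [string]$ClusterName    = 'vSAN-Cluster',             # placeholder cluster name
    [int]   $MinFreePercent = 30,                         # assumed headroom for the disk group reformat
    [switch]$Apply                                        # without -Apply the script only reports
)

Connect-VIServer -Server $Server | Out-Null
$cluster = Get-Cluster -Name $ClusterName
$ok = $true

# 1. Current encryption state and KMS binding (the KMS is needed to decrypt data during the reformat).
$cfg = Get-VsanClusterConfiguration -Cluster $cluster
"Data-at-rest encryption : $($cfg.EncryptionEnabled)"
"KMS cluster             : $($cfg.KmsCluster)"
if (-not $cfg.EncryptionEnabled) { "Encryption is already disabled; nothing to do."; return }
if (-not $cfg.KmsCluster)        { "No KMS cluster bound; data cannot be decrypted."; $ok = $false }

# 2. vSAN Health Check must be green (OverallHealth property is an assumption).
$health = Test-VsanClusterHealth -Cluster $cluster
"Health                  : $($health.OverallHealth)"
if ("$($health.OverallHealth)" -ne 'Green') { $ok = $false }

# 3. No resync in progress.
$resync = Get-VsanResyncingOverview -Cluster $cluster
"Objects resyncing       : $($resync.TotalObjectsToSync)"
if ($resync.TotalObjectsToSync -gt 0) { $ok = $false }

# 4. Enough free capacity for the disk format conversion.
$space   = Get-VsanSpaceUsage -Cluster $cluster
$freePct = [math]::Round(100 * $space.FreeSpaceGB / $space.CapacityGB, 1)
"Free capacity           : $freePct % (minimum $MinFreePercent %)"
if ($freePct -lt $MinFreePercent) { $ok = $false }

if (-not $ok) { "One or more prerequisites failed; do not disable encryption yet."; return }
"All prerequisites met."

# 5. Disable only when explicitly requested. -EncryptionEnabled is data-at-rest;
#    -DataInTransitEncryptionEnabled (data-in-transit) is assumed from PowerCLI documentation.
if ($Apply) {
    Set-VsanClusterConfiguration -Cluster $cluster `
        -EncryptionEnabled $false `
        -DataInTransitEncryptionEnabled $false `
        -Confirm:$true
} else {
    "Re-run with -Apply to disable Data-at-Rest and Data-in-Transit encryption."
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it first without -Apply to get a readiness report; the disable step is gated behind -Apply and still prompts for confirmation, so the checks cannot be skipped by accident. The free-space threshold is deliberately conservative because the reformat needs temporary capacity on top of the existing data.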

Potential Impact of Disabling vSAN Encryption:

  • All disk groups will be reformatted. This is disruptive and takes time.
  • Due to reformatting and data movement, you may observe temporary performance degradation.
  • Data at rest will no longer be encrypted, which is a risk in case of disk theft or RMA.
  • May violate regulatory compliance (e.g., HIPAA, GDPR, PCI DSS) if encryption is mandated.
  • Improperly disabling encryption without proper key handling can lead to data loss.
  • VMs may need to be evacuated and migrated during disk group removal.