To disable encryption in vSAN, navigate to the vSAN cluster configuration in vSphere Web Client, then disable "Data-at-rest encryption" and/or "Data-in-transit encryption" within the vSAN services configuration. Once encryption is disabled, data that was previously encrypted is exposed in the clear.
- Locate the vSAN Cluster: In vSphere Web Client, navigate to the inventory and select the vSAN cluster you wish to modify.
- Configure vSAN Services: Click on the "Configure" tab, then select "vSAN" > "Services" > "Data Services".
- Edit vSAN Encryption: Click "Edit" to access the vSAN encryption settings.
- Disable Encryption: Uncheck the boxes next to "Data-At-Rest encryption" and/or "Data-in-Transit encryption".
- Enable Encryption: To enable encryption instead, check the boxes next to "Data-At-Rest encryption" and/or "Data-in-Transit encryption".
- Apply Changes: Click "Apply" to save the changes and disable vSAN encryption.
The document below provides insights related to disabling vSAN encryption in vSAN version 8.0.
- Cannot change encryption settings on vSAN ESA
Encryption can only be configured on vSAN ESA during cluster creation. You cannot change the settings later.
VMware vSAN 8.0 Release Notes
- Data-at-rest encryption disable for vSAN ESA 8.0.3. You can disable data-at-rest encryption on vSAN ESA clusters at any point after enabling it. vSAN ESA now supports the following operations for data-at-rest encryption: enable encryption, disable encryption, shallow rekey, and deep rekey.
VMware vSAN 8.0 Update 3 Release Notes
Prerequisites Before Disabling vSAN Encryption:
- Ensure you have a recent backup of all critical workloads running on the vSAN datastore.
- Run vSAN Health Check to confirm the cluster is stable.
- Ensure no ongoing resync operations or degraded disk groups.
- Ensure the external KMS or Native Key Provider (NKP) is accessible and operational, as it is needed to decrypt the data during the process.
- Disabling encryption triggers disk format conversion, which requires extra capacity.
- Ensure there is enough free space in the vSAN cluster to do the format conversion.
- Disk usage can be high while encryption is being disabled, so it is recommended to perform this task during off-production hours.
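The scriptable prerequisites above (health, resync activity, free capacity) can be gathered in one read-only pre-flight check before touching the encryption setting. This is an added example, not part of the original article or VMware's documentation; it assumes VMware PowerCLI with an existing Connect-VIServer session, and the function name, the cluster name in the usage comment and the 30% free-space threshold are hypothetical values chosen for illustration.

```powershell
# Added example: read-only pre-flight before disabling vSAN encryption.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
# Property names are as exposed by the PowerCLI vSAN cmdlets; confirm them
# with Get-Member on your PowerCLI version before relying on the result.
function Test-VsanEncryptionChangeReadiness {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        # Assumed threshold: the article only says "enough free space".
        [ValidateRange(1, 99)] [int] $MinFreePercent = 30
    )

    $cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
    $config  = Get-VsanClusterConfiguration -Cluster $cluster
    $health  = Test-VsanClusterHealth -Cluster $cluster
    $resync  = @(Get-VsanResyncingComponent -Cluster $cluster)
    $space   = Get-VsanSpaceUsage -Cluster $cluster

    # Guard against an empty or unreadable capacity figure.
    $freePct = if ($space.CapacityGB -gt 0) {
        [math]::Round(100 * $space.FreeSpaceGB / $space.CapacityGB, 1)
    } else { 0 }

    $result = [pscustomobject]@{
        Cluster           = $cluster.Name
        EncryptionEnabled = [bool]$config.EncryptionEnabled
        HealthStatus      = "$($health.OverallHealthStatus)"
        ResyncComponents  = $resync.Count
        FreePercent       = $freePct
        Ready             = $false
    }

    # Every scripted prerequisite must hold before the change is attempted.
    $result.Ready = $result.EncryptionEnabled -and
                    $result.HealthStatus -eq 'Healthy' -and
                    $result.ResyncComponents -eq 0 -and
                    $result.FreePercent -ge $MinFreePercent
    return $result
}

# Usage (constructed cluster name):
#   Test-VsanEncryptionChangeReadiness -ClusterName 'vsan-cluster-01' | Format-List
# Backups and KMS/NKP reachability are not covered here; verify them separately.
```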
Potential Impact of Disabling vSAN Encryption:
- All disk groups will be reformatted. This is a process-intensive operation and may take some time.
- Due to reformatting and data movement, you may observe temporary performance degradation.
- Data at rest will no longer be encrypted, which can put data at risk in case of disk theft or Return Merchandise Authorization (RMA) where drives are sent back to the manufacturer for replacement.
- This may violate regulatory compliance (e.g., HIPAA, GDPR, PCI DSS) if encryption is mandated.
- Improperly disabling encryption without proper key handling can lead to data unavailability.