It is well known that encryption is already being taken into consideration for passwords being stored in Symantec PAM database, but that might still not prevent someone from mounting a detached PAM volume and extracting valuable information from the data available, unless some kind of encryption is provided for at filesystem level. So the question arises whether there  is such a level of encryption and also if other supplementary encryption (e.g. KMS) should as well be required

Symantec PAM all versions

When PAM is provisioned the first time partition /dev/sda1 (/dev/xvda1) of the PAM disk is encrypted using aes128 (as of October 2022) encryption and made a loop device (using loop-aes utilities), and that is what is mounted as the root filesystem /

That loop device is the one which is used seamlessly during PAM operation.

Partition /dev/sda2 (/dev/xdva2 in AWS) mounted on /boot is not encrypted, but it is the only thing that is not, and it just contains the files necessary to boot the appliance.

This encryption makes sure that even if the PAM disk is detached and you try to attach it to another machine, it will not be possible to mount the root partition to use it. 

Regarding using other supplementary encryption methods to encrypt the already encrypted partitions for on premises virtual machines (e.g. VMWARE), this has not been tested with Symantec PAM as of the writing of the present document (October 2022). The effect of such supplementary encryption on PAM operation is thus unknown.

In the case of cloud systems, such as Azure, Google Cloud or Amazon AWS, however, whenever disks are set up they are encrypted as per the requirements of those cloud vendors, so there will be a whole disk encryption, and on top of that the process described in this article for encrypting the /dev/sda1 partition will be applied.