Encrypting a vSAN 6.6 Datastore
Step 1: Select your vCenter Server, click Configure, select Key Management Servers, and click the green plus sign. Specify the name of the KMS cluster, the IP address, and the port to use. Currently, two KMS servers are supported (HyTrust and EMC). The KMS servers must be KMIP 1.1 compliant.
Step 2: Establish a trust relationship with the KMS server. Because different KMS servers are supported, you must select the type of certificate to download; several choices are available.
Step 3: Verify that the connection state is Normal and that the procedure succeeded.
Step 4: Select your vSAN cluster, click Configure, select General, and click Edit. Enable Encryption. The KMS-related information should be populated automatically. Click OK.
Step 5: Once you enable Encryption, every disk is reformatted. This process takes time; how long depends on how many drives need to be formatted and on their size.
Once this is done, the entire datastore is encrypted. Encryption works with both hybrid and all-flash configurations. If new servers are added to the cluster, the disk groups created on the new hosts are formatted to support encryption.
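
The following PowerCLI script is an added example, not part of the original procedure or VMware's own code. It is a read-only audit that confirms the outcome of Steps 1 to 5 from the command line. It assumes an existing Connect-VIServer session and a PowerCLI release whose storage module provides Get-KmsCluster, Get-KeyManagementServer and Get-VsanClusterConfiguration with the properties used below. The function name Get-VsanEncryptionAudit is hypothetical.

```powershell
# Added example: read-only audit of vSAN encryption state with VMware PowerCLI.
# Assumption: a session already exists (Connect-VIServer) and the installed
# PowerCLI storage module exposes the cmdlets and properties referenced here.

function Get-VsanEncryptionAudit {
    [CmdletBinding()]
    param(
        # Optional cluster name filter; defaults to every cluster in vCenter.
        [string]$ClusterName = '*'
    )

    # KMS clusters registered in vCenter Server (the result of Steps 1-3).
    $kmsClusters = @(Get-KmsCluster)
    if ($kmsClusters.Count -eq 0) {
        Write-Warning 'No KMS cluster is registered in this vCenter Server.'
    }

    foreach ($cluster in Get-Cluster -Name $ClusterName) {
        $cfg = Get-VsanClusterConfiguration -Cluster $cluster
        if (-not $cfg.VsanEnabled) { continue }   # skip clusters without vSAN

        # Key servers behind the KMS cluster this vSAN cluster references.
        $servers = @()
        if ($cfg.KmsCluster) {
            $servers = @(Get-KeyManagementServer -KmsCluster $cfg.KmsCluster)
        }

        # Classify the cluster so gaps stand out in the report.
        $finding = 'OK'
        if (-not $cfg.EncryptionEnabled) {
            $finding = 'Encryption is not enabled'
        } elseif (-not $cfg.KmsCluster) {
            $finding = 'Encryption enabled, but no KMS cluster reported'
        } elseif ($servers.Count -eq 0) {
            $finding = 'KMS cluster has no key servers registered'
        }

        [pscustomobject]@{
            Cluster           = $cluster.Name
            EncryptionEnabled = [bool]$cfg.EncryptionEnabled
            KmsCluster        = "$($cfg.KmsCluster)"
            KmsServers        = ($servers | ForEach-Object { "$($_.Address):$($_.Port)" }) -join ', '
            Finding           = $finding
        }
    }
}

# Usage: Get-VsanEncryptionAudit | Format-Table -AutoSize
```

The script does not read the connection state checked in Step 3, so that check still has to be made in the Key Management Servers view.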