vSAN datastore encryption and VMcrypt VM encryption differ in several key areas. The following table compares the two feature by feature.
| Feature/Function | vSAN Encryption | VMcrypt Encryption |
|---|---|---|
| Uses an external key-management server (KMS) | ✓ | ✓ |
| Per-VM encryption | ✗ | ✓ |
| Whole-datastore encryption | ✓ | ✗ |
| Data-at-rest encryption | ✓ | ✓ |
| End-to-end encryption | ✗ | ✓ |
| VMs are encrypted by | Placement on the encrypted datastore | Storage policy applied to the VM |
| Encryption occurs* | After deduplication | Before deduplication |
* VMcrypt and vSAN encryption can be used together, but they sit at different points in the write path. VMcrypt encrypts in the VM's I/O path and hands the datastore an already-encrypted data stream, whereas vSAN encryption receives the unencrypted stream and encrypts it as it writes. Because ciphertext produced by VMcrypt (or by any other end-to-end encryption scheme) is indistinguishable from random data, identical guest blocks in different VMs, and even repeated blocks within one VM, no longer match once encrypted, so they do not deduplicate. If VMcrypt is used on a vSAN datastore with deduplication enabled, expect the deduplication ratio for the encrypted VMs to approach 1:1 (no space savings). If both encryption and a high deduplication ratio are required, use vSAN whole-datastore encryption, which deduplicates the plaintext first and encrypts only what is actually stored.
Note: Dual encryption (a VMcrypt-encrypted VM placed on an encryption-enabled vSAN datastore) significantly increases CPU overhead, because every block is encrypted and decrypted twice, once by each layer, and it provides none of the deduplication benefit of vSAN encryption alone. Check your storage policies and datastore settings to ensure dual encryption is in effect only where it was intended.
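The following script is an added, self-contained model of the write path described in the footnote; it is not VMware code and does not reproduce vSAN's real dedup or crypto internals. It builds two constructed VM disk images that share an OS image and some zero blocks, then pushes them through a content-addressed dedup store three ways: vSAN datastore encryption (dedup first, then encrypt with one datastore key), VMcrypt (encrypt per VM first, then dedup), and both together. The cipher is a SHA-256 keystream stand-in for AES-XTS, chosen only because it shares the property that matters here: output depends on the key and the block position, so identical plaintext never repeats in ciphertext.

```python
import hashlib
import random

BLOCK = 4096  # dedup granularity of the toy store (assumed, matching 4 KiB blocks)


def toy_encrypt(key: bytes, tweak: int, block: bytes) -> bytes:
    # Stand-in for a tweakable block cipher such as AES-XTS: a SHA-256 keystream
    # derived from (key, tweak) XORed over the block. NOT a real cipher; it only
    # reproduces the property that ciphertext depends on key and block position.
    stream = b"".join(
        hashlib.sha256(key + tweak.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        for i in range(-(-len(block) // 32))
    )
    return bytes(p ^ s for p, s in zip(block, stream))


def build_images(n_vms=2, shared=48, unique=16, zeros=8, seed=1):
    # Constructed sample disks: every VM carries the same OS image blocks,
    # some VM-specific data, and a run of zero blocks (unallocated space).
    rng = random.Random(seed)
    os_image = [rng.randbytes(BLOCK) for _ in range(shared)]
    return [
        os_image + [rng.randbytes(BLOCK) for _ in range(unique)] + [bytes(BLOCK)] * zeros
        for _ in range(n_vms)
    ]


def unique_blocks(blocks):
    # Content-addressed store: a block is kept once per distinct SHA-256 digest.
    return list({hashlib.sha256(b).digest(): b for b in blocks}.values())


def vsan_datastore_encryption(vms, datastore_key):
    # Table row "Encryption occurs: after deduplication": dedup the plaintext,
    # then encrypt only the blocks actually stored, all under one datastore key.
    logical = [b for vm in vms for b in vm]
    stored = [toy_encrypt(datastore_key, i, b) for i, b in enumerate(unique_blocks(logical))]
    return {"logical": len(logical), "stored": len(stored),
            "encrypt_ops": len(stored), "ratio": round(len(logical) / len(stored), 2)}


def vmcrypt_per_vm(vms, vm_keys):
    # Table row "Encryption occurs: before deduplication": each VM encrypts with
    # its own key in its I/O path, so the dedup engine only ever sees ciphertext.
    cipher = [toy_encrypt(k, i, b) for vm, k in zip(vms, vm_keys) for i, b in enumerate(vm)]
    stored = unique_blocks(cipher)
    return {"logical": len(cipher), "stored": len(stored),
            "encrypt_ops": len(cipher), "ratio": round(len(cipher) / len(stored), 2)}


def dual_encryption(vms, vm_keys, datastore_key):
    # Both enabled: VMcrypt ciphertext lands on an encrypted vSAN datastore, which
    # encrypts every stored block a second time. No dedup gain, twice the work.
    result = vmcrypt_per_vm(vms, vm_keys)
    result["encrypt_ops"] += len(unique_blocks(
        [toy_encrypt(datastore_key, i, b) for i, b in enumerate(
            [toy_encrypt(k, j, blk) for vm, k in zip(vms, vm_keys) for j, blk in enumerate(vm)])]))
    return result


if __name__ == "__main__":
    vms = build_images()
    print("vSAN datastore encryption:", vsan_datastore_encryption(vms, b"datastore-key"))
    print("VMcrypt per-VM encryption:", vmcrypt_per_vm(vms, [b"vm1-key", b"vm2-key"]))
    print("dual encryption:          ", dual_encryption(vms, [b"vm1-key", b"vm2-key"], b"datastore-key"))
```

With the constructed images (2 VMs, 48 shared + 16 unique + 8 zero blocks each), the datastore-encryption path stores 81 of 144 logical blocks and runs 81 encrypt operations, while the VMcrypt path stores all 144 (the shared OS blocks differ per key, and the zero blocks differ per position because of the tweak) and the dual path performs 288 encrypt operations for the same data.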