Understanding vSAN Datastore Encryption vs. VMcrypt Encryption
Article ID: 319929

calendar_today

Updated On:

Products

VMware vSAN

Issue/Introduction

When using VMware vSAN, there are two options for encrypting Virtual Machine (VM) data: vSAN whole-datastore encryption or VMware's VMcrypt (per-VM) encryption. There are important differences between the two methods, and this article compares them.

Environment

VMware vSAN 7.0.x
VMware vSAN 6.6.x
VMware vSAN 8.0.x

Resolution

vSAN datastore encryption and VMcrypt VM encryption vary in several key areas. Please see the following table for a feature comparison.
| Feature/Function                              | vSAN Encryption        | VMcrypt Encryption   |
|-----------------------------------------------|------------------------|----------------------|
| Uses an external key-management server (KMS)  | X                      | X                    |
| Per-VM encryption                             |                        | X                    |
| Whole-datastore encryption                    | X                      |                      |
| Data-at-rest encryption                       | X                      | X                    |
| End-to-end encryption                         |                        | X                    |
| VMs encrypted by                              | Placement on datastore | Storage Policy       |
| Encryption occurs*                            | After deduplication    | Before deduplication |

* While VMcrypt and vSAN are mutually compatible, VMcrypt writes an encrypted data stream whereas vSAN encryption receives an unencrypted data stream and encrypts it during the write process. As the encrypted data written by VMcrypt (or any other end-to-end encryption scheme) appears to be random, it does not deduplicate well. If using VMcrypt with vSAN deduplication, expect deduplication efficiency to approach zero for encrypted VMs. If both encryption and high deduplication efficiency are required, use vSAN whole-datastore encryption.
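The following Python model is an added illustration, not part of the KB article, of why the ordering in the last table row matters. It deduplicates a constructed set of three VM disks that share identical guest-OS blocks, once with per-VM encryption applied before dedup (the VMcrypt path) and once with dedup applied before a single datastore key (the vSAN path). The cipher is a keyed stand-in, not AES-XTS, and the block size, VM count, block counts and keys are assumptions.

```python
import hashlib

BLOCK = 4096  # 4 KiB block granularity, assumed for this model


def keystream_xor(key: bytes, block_no: int, data: bytes) -> bytes:
    """Stand-in for a per-sector cipher such as AES-XTS: a keyed, position-dependent
    keystream (NOT real encryption). It models the one property that matters here:
    ciphertext differs per key and per block position, so identical plaintext in two
    VMs never produces identical ciphertext on the datastore."""
    stream = b""
    for ctr in range(-(-len(data) // 32)):  # ceil(len/32) SHA-256 outputs
        stream += hashlib.sha256(key + block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def split_blocks(image: bytes) -> list:
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]


def dedup_ratio(stored: list) -> float:
    """Logical blocks written divided by unique blocks actually kept on disk."""
    return len(stored) / len({hashlib.sha256(b).digest() for b in stored})


def vmcrypt_then_dedup(images: list, vm_keys: list) -> float:
    """VMcrypt model: each VMDK reaches the datastore already encrypted under its
    own key, so vSAN deduplication only ever sees ciphertext."""
    stored = [keystream_xor(k, i, blk)
              for img, k in zip(images, vm_keys)
              for i, blk in enumerate(split_blocks(img))]
    return dedup_ratio(stored)


def dedup_then_vsan_encrypt(images: list, datastore_key: bytes) -> float:
    """vSAN model: dedup runs on plaintext; only unique blocks are encrypted at rest."""
    plain = [blk for img in images for blk in split_blocks(img)]
    unique = list({hashlib.sha256(b).digest(): b for b in plain}.values())
    at_rest = [keystream_xor(datastore_key, i, blk) for i, blk in enumerate(unique)]
    return len(plain) / len(at_rest)


def synthetic_block(tag: bytes) -> bytes:
    return hashlib.shake_256(tag).digest(BLOCK)  # constructed deterministic sample data


def compare(vm_count: int = 3, shared_blocks: int = 64, unique_blocks: int = 8) -> tuple:
    """Constructed scenario: every VM carries the same guest-OS blocks plus a few
    VM-specific ones. Returns (vmcrypt_ratio, vsan_ratio)."""
    os_image = b"".join(synthetic_block(b"os-%d" % i) for i in range(shared_blocks))
    images = [os_image + b"".join(synthetic_block(b"vm%d-%d" % (v, i)) for i in range(unique_blocks))
              for v in range(vm_count)]
    vm_keys = [hashlib.sha256(b"per-vm-key-%d" % v).digest() for v in range(vm_count)]  # assumed keys
    datastore_key = hashlib.sha256(b"datastore-key").digest()
    return vmcrypt_then_dedup(images, vm_keys), dedup_then_vsan_encrypt(images, datastore_key)


if __name__ == "__main__":
    vmc, vsan = compare()
    print(f"VMcrypt (encrypt before dedup): {vmc:.2f}x   vSAN (dedup before encrypt): {vsan:.2f}x")
```

With three VMs sharing 64 blocks and adding 8 unique blocks each, the VMcrypt path stores all 216 blocks (ratio 1.00x) while the vSAN path stores 88 (about 2.45x).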

Note: Dual encryption (VMcrypt VMs on an encrypted vSAN datastore) significantly increases CPU overhead, because the data is then encrypted (and decrypted) twice. Ensure dual encryption is not enabled unless it is intended.

