Search the VMware Knowledge Base (KB)
View by Article ID

Understanding vSAN Datastore Encryption vs. VMcrypt Encryption (2148947)

  • 0 Ratings
Language Editions


When using VMware vSAN, there are two choices for data encryption of Virtual Machine (VM) data. VM data can be encrypted using vSAN whole-datastore encryption or VMware's VMcrypt solution. There are important differences between these two methods, and this article will compare both encryption solutions.


vSAN datastore encryption and VMcrypt VM encryption vary in several key areas. Please see the following table for a feature comparison.

vSAN Encryption
VMcrypt Encryption
Uses an external key-management server (KMS)

Per-VM Encryption
Whole-datastore encryption
Data-at-rest encryption
End-to-end encryption
VMs encrypted by Placement on datastore
Storage Policy
Encryption occurs*
After deduplication
Before deduplication

* While VMcrypt and vSAN are mutually compatible, VMcrypt writes an encrypted data stream whereas vSAN encryption receives an unencrypted data stream and encrypts it during the write process. As the encrypted data written by VMcrypt (or any other end-to-end encryption scheme) appears to be random, it does not deduplicate well. If using VMcrypt with vSAN deduplication, expect deduplication efficiency to approach zero for encrypted VMs. If both encryption and high deduplication efficiency are required, use vSAN whole-datastore encryption.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 0 Ratings