September 15, 2022

Cluster Level Encryption with the vSAN Express Storage Architecture

Data encryption is a critical step in meeting security-based regulatory requirements. Encryption often adds significant cost, complexity and performance considerations. With VMware vSAN™ 8, significant improvements have been made to lower the compute overhead of encryption while maintaining a simple, easy-to-operate experience. vSAN 8 encryption helps deliver rich data services without compromising usability, cost or performance.


While the original storage architecture (OSA) of vSAN provides discrete data encryption services for encrypting the data in a vSAN cluster, the vSAN 8 Express Storage Architecture (ESA) takes an all-new approach to data encryption. It remains a cluster-based service, but much like the compression feature in the vSAN 8 ESA, encryption occurs in the upper layers of vSAN as it receives incoming writes, after compression has taken place. This encryption step occurs only once, and because it occurs high in the stack, all vSAN traffic transmitted in flight across hosts is also encrypted. The result is improved security without compromise, as there is far less effort and overhead to perform encryption when compared to previous implementations.

Efficiency under the hood

To fully understand the improvements, they need to be placed in the context of the other improvements made with compression and the removal of the need for dedicated cache tier devices as part of the Express Storage Architecture. In addition, the data encryption key (DEK) is shared by all hosts in the cluster, so data can be moved, repaired or read between hosts without needing to be decrypted. Compared to the original vSAN architecture, this dramatically reduces the resource cost for every I/O processed. For example:

  • A block that is compressed by 2:1, or to half its original size, will only use half of the CPU cycles to encrypt when compared to the uncompressed data.
  • Unlike previous releases of vSAN, data that is being moved, read or re-synchronized does not need to be decompressed before it is transported.
  • The compression ratio will have a material impact on network bandwidth. A block compressed by 2:1, or to half its original size, will only use half of the network bandwidth for a read or write operation.
  • Encryption occurs only once in the stack, which, compared to the original storage architecture, removes an entire decrypt and re-encrypt procedure. Previously, data needed to be decrypted as it left the cache device before it could be compressed, and then had to be re-encrypted.
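
The following Python model is an added illustration, not code from this post or from VMware: it pushes one 4 KiB write through the two orderings the list above describes and counts the bytes that pass through the cipher and the bytes sent to a replica host. It assumes a simplified OSA path (encrypt into cache, decrypt on destage, compress, re-encrypt, uncompressed block on the wire) and uses a toy HMAC-based stream cipher in place of AES so that it runs offline.

```python
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass

@dataclass
class Costs:
    cipher_bytes: int = 0  # bytes pushed through encrypt/decrypt (proxy for CPU cycles)
    wire_bytes: int = 0    # bytes sent to the replica host for one write

def cipher(key: bytes, nonce: bytes, data: bytes, costs: Costs) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher standing in for AES (offline model only)."""
    costs.cipher_bytes += len(data)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))  # same call encrypts and decrypts

def osa_write(block: bytes, dek: bytes, costs: Costs) -> bytes:
    """Original architecture as the post describes it (assumed simplification): encrypt into
    the cache tier, decrypt on destage, compress, re-encrypt; replica gets the raw block."""
    costs.wire_bytes += len(block)   # in-flight protection here is the separate DiT option
    n_cache, n_cap = os.urandom(12), os.urandom(12)
    cached = cipher(dek, n_cache, block, costs)       # 1st encryption, at the cache tier
    destaged = cipher(dek, n_cache, cached, costs)    # decrypt when leaving the cache
    return n_cap + cipher(dek, n_cap, zlib.compress(destaged), costs)  # compress, encrypt again

def esa_write(block: bytes, dek: bytes, costs: Costs) -> bytes:
    """ESA: compress first, encrypt once at the top of the stack; that ciphertext is what
    crosses the network and lands on every host."""
    nonce = os.urandom(12)
    payload = nonce + cipher(dek, nonce, zlib.compress(block), costs)
    costs.wire_bytes += len(payload)                  # replica receives compressed ciphertext
    return payload

def esa_read(payload: bytes, dek: bytes, costs: Costs) -> bytes:
    """Read path: decrypt once, then decompress (a resync would ship `payload` untouched)."""
    return zlib.decompress(cipher(dek, payload[:12], payload[12:], costs))

# Constructed sample input: a 4 KiB block that compresses well, and a random 256-bit DEK.
BLOCK = (b"vm log line: request handled in 3ms\n" * 120)[:4096]
DEK = os.urandom(32)

def compare(block: bytes = BLOCK, dek: bytes = DEK) -> dict:
    osa, esa = Costs(), Costs()
    osa_write(block, dek, osa)
    payload = esa_write(block, dek, esa)
    assert esa_read(payload, dek, Costs()) == block   # round-trip sanity check
    return {"osa": osa, "esa": esa, "compressed_len": len(zlib.compress(block))}
```

In the ESA path the cipher sees exactly the compressed size, which is the 2:1 claim above in concrete form, while the OSA path pays two extra full-block cipher passes and ships the uncompressed block.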

Diagram showing vSAN ESA processing data services at the host where the virtual machine is running vs. the OSA method where the services ran where the data lived.

vSAN Encryption Operations

The benefits of the Express Storage Architecture go beyond improvements to encryption. Combined with the new file system and improvements to checksum and compression performance, the total CPU load to process a given I/O can be reduced to a third or less of what was required with the vSAN original storage architecture. In addition, the vSphere Native Key Provider allows customers to set up encryption with only a few clicks and without the need for a dedicated external key manager. vSAN encryption in transit remains an option from before; for customers with specific compliance requirements, it can be enabled in addition to the new at-rest encryption system. At this time, encryption on a vSAN 8 ESA cluster needs to be enabled at cluster creation.

Additional vSAN encryption resources

A list of frequently asked questions on vSAN Encryption Services can be found in the "Security" section of the vSAN FAQs.
