Does enabling encryption on vSAN require an on-disk format change?

vSAN 6.6 shipped earlier this year. It comes with a new on-disk format to support, among other things, data at rest encryption (also known as DARE). This is version 5 of the on-disk format. I’ve been asked this question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a DFC. Now this post is not going to cover vSAN encryption in any great detail; I just want to answer this one question that keeps popping up in conversation.

Let’s discuss the following scenarios:

  1. New install of vSAN 6.6
  2. Upgrade to vSAN 6.6 from an earlier version, which includes upgrading the on-disk format at the same time
  3. Upgrade to vSAN 6.6 from an earlier version, but which postpones the on-disk format upgrade and so the disk groups still have an earlier on-disk format version

If you are deploying a brand new vSAN 6.6, the on-disk format will be version 5. Therefore no on-disk format change/rolling upgrade/disk group evacuation is required to enable vSAN encryption. We simply need to place a “tag” or “stamp” in the metadata that has been set aside for encryption. Once this metadata is stamped, all writes to the disk are encrypted.

If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included the DFC as part of that process and the on-disk format version is now v5, then enabling encryption is again a simple matter of a metadata update/stamp. No on-disk format change/rolling upgrade/disk group evacuation is required. Once the metadata is stamped, all writes to disk will be encrypted.

Finally, if you upgraded to vSAN 6.6 and you did not do a DFC, and now you wish to enable encryption, you will have to go through the DFC process to enable encryption, which does involve evacuating data from disk groups and doing a DFC in a rolling fashion across all the hosts. This means evacuating all the hosts in the cluster, one at a time, to make the necessary on-disk format changes. Once the on-disk format is upgraded to version 5, we can stamp the metadata to enable encryption which means subsequent writes will be encrypted.
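The practical check behind the three scenarios above is simply "what on-disk format version are my disks at?". The script below is an added example (it is not part of the original post and not a VMware tool): it parses the per-disk output of `esxcli vsan storage list` as run on an ESXi host and reports whether any claimed disk is still below version 5, in which case the rolling DFC from scenario 3 has to happen before encryption can be enabled. The field name `On-disk format version:` and the sample listing are assumptions constructed for the example, not captured output from a real host.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Decide whether a disk format change (DFC) is needed before enabling
# vSAN 6.6 encryption, using the per-disk "On-disk format version"
# reported by `esxcli vsan storage list` on each host in the cluster.
# Assumption: the field is named "On-disk format version:"; version 5
# is the requirement stated in the post.

REQUIRED_VERSION=5

# dfc_check: reads esxcli-style output on stdin, prints one line per disk
# that is below the required version, then "dfc-needed" (exit status 1)
# or "ready" (exit status 0).
dfc_check() {
    awk -v req="$REQUIRED_VERSION" '
        /^[^ ]/ { dev = $1 }                         # unindented line = device name
        /On-disk format version:/ { ver[dev] = $NF } # last field is the version
        END {
            below = 0
            for (d in ver) {
                if (ver[d] + 0 < req) {
                    printf "%s is at v%s (needs v%d)\n", d, ver[d], req
                    below++
                }
            }
            if (below > 0) { print "dfc-needed"; exit 1 }
            print "ready"
        }'
}

# Constructed sample listing: two disks already at v5 and one disk group
# still at v3 (the "upgraded without a DFC" case from the post).
MIXED_LISTING='naa.6000c29a0001
   Device: naa.6000c29a0001
   Is SSD: true
   On-disk format version: 5
naa.6000c29a0002
   Device: naa.6000c29a0002
   Is SSD: false
   On-disk format version: 5
naa.6000c29a0003
   Device: naa.6000c29a0003
   Is SSD: false
   On-disk format version: 3
'

# Constructed sample listing: everything already at v5 (new install, or
# upgrade that included the DFC), so encryption is only a metadata stamp.
READY_LISTING='naa.6000c29a0001
   Device: naa.6000c29a0001
   Is SSD: true
   On-disk format version: 5
naa.6000c29a0002
   Device: naa.6000c29a0002
   Is SSD: false
   On-disk format version: 5
'

# Demonstration on the constructed data. On a live host you would run:
#   esxcli vsan storage list | dfc_check
printf '%s' "$MIXED_LISTING" | dfc_check || echo "=> run a rolling DFC first"
printf '%s' "$READY_LISTING" | dfc_check && echo "=> encryption needs only the metadata stamp"
```

Run it on every host, since each host only lists the disks it claims; the cluster is only ready for the metadata stamp when all hosts report `ready`. The check says nothing about data that already sits on the disks: as the post notes, enabling encryption only encrypts subsequent writes.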

I hope this helps answer the question about whether or not a DFC is required to enable encryption on vSAN 6.6.

4 comments
  1. I went through that VSAN 6.6 upgrade process but I did not have to evacuate my data, VSAN shifts files around when I format the drive (no encryption). Is the evacuate file step just for the turn on encryption process?

    • You can upgrade to vSAN 6.6 without changing the on-disk format, i.e. leave it at the previous version. However to complete the upgrade and leverage new features such as encryption, you will need to upgrade the on-disk format at some point. This will require a rolling format of disk groups.

  2. > If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included the DFC as part of that process and the on-disk format version is now v5,

    I’m going off memory here, but even if an upgrade had been done to V5, turning on encryption will require another rolling DFC so that all existing data can be encrypted.

    • That is my understanding too, Tom. Enabling encryption will only encrypt new writes. However, if you already have persistent data and you wish to have that encrypted, then you would need to go through the rolling upgrade process to re-write all of that data, and thus encrypt it.

      Hope you are enjoying your road trip 🙂
