vSAN 6.6 shipped earlier this year. It comes with a new on-disk format, version 5, to support, among other things, data at rest encryption (also known as DARE). I have been asked the same question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a disk format change or DFC. This post is not going to cover vSAN encryption in any great detail; I just want to answer this one question that keeps popping up in conversation.
Let’s discuss the following scenarios:
- New install of vSAN 6.6
- Upgrade to vSAN 6.6 from an earlier version, which includes upgrading the on-disk format at the same time
- Upgrade to vSAN 6.6 from an earlier version, but which postpones the on-disk format upgrade and so the disk groups still have an earlier on-disk format version
If you are deploying a brand new vSAN 6.6 cluster, the on-disk format will already be version 5. Therefore no on-disk format change, rolling upgrade or disk group evacuation is required to enable vSAN encryption. We simply need to place a “tag” or “stamp” in the metadata that has been set aside for encryption. Once this metadata is stamped, all subsequent writes to disk are encrypted. (The other prerequisite for encryption, a key management server registered with vCenter, applies in all three scenarios and is unaffected by the on-disk format version.)
If you upgraded from a previous version of vSAN to vSAN 6.6, and you included the DFC as part of that process so that every disk group is now at on-disk format version 5, then enabling encryption is again a simple matter of a metadata update/stamp. No on-disk format change, rolling upgrade or disk group evacuation is required. Once the metadata is stamped, all subsequent writes to disk are encrypted.
Finally, if you upgraded to vSAN 6.6 but did not do a DFC, so that your disk groups are still at an earlier on-disk format version, and you now wish to enable encryption, you will have to go through the DFC process first. The DFC is done in a rolling fashion across all the hosts in the cluster: each disk group is evacuated, reformatted to version 5, and brought back before the next one is processed, so the disk groups must be able to evacuate their data to the remaining capacity in the cluster. Only once every disk group is at on-disk format version 5 can the metadata be stamped to enable encryption, after which subsequent writes are encrypted.
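The practical question behind all three scenarios is “are all of my disk groups already at on-disk format version 5?”. The following shell script is an added example, not part of the original post or of VMware’s tooling: it parses the per-device records that `esxcli vsan storage list` prints on an ESXi host and reports every disk group whose format version is below the required one, which is exactly the set of disk groups that would need a DFC before encryption can be enabled. The field labels `VSAN Disk Group UUID` and `On-disk format version` are assumed to match the esxcli output on your host (check them before relying on the script), and the two sample listings below are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): find disk groups that still need
# a disk format change (DFC) before vSAN encryption can be enabled.
# On a host you would run:  esxcli vsan storage list | disk_groups_below 5
# The field labels below are assumed to match esxcli's output; verify on your host.

REQUIRED_VERSION=5

# disk_groups_below <version>: reads `esxcli vsan storage list` output on stdin
# and prints "<disk group UUID> <format version>" once per disk group whose
# on-disk format version is lower than <version>. Prints nothing if all are current.
disk_groups_below() {
    awk -v req="$1" '
        /^[^ ]/ { dg = "" }                         # new device record starts unindented
        /^ *VSAN Disk Group UUID:/ { dg = $NF }     # disk group this device belongs to
        /^ *On-disk format version:/ {
            v = $NF + 0
            if (v < req && dg != "" && !(dg in seen)) {
                seen[dg] = 1
                print dg, v
            }
        }
    '
}

# dfc_required <version>: exit status 0 when at least one disk group is below <version>.
dfc_required() {
    [ -n "$(disk_groups_below "$1")" ]
}

# Constructed sample: one disk group (cache + capacity) already at version 5.
SAMPLE_ALL_V5='naa.5000c5001a2b3c4d
   Device: naa.5000c5001a2b3c4d
   Is SSD: true
   VSAN Disk Group UUID: 52a1b2c3-0000-0000-0000-000000000001
   On-disk format version: 5
   Encryption: false
naa.5000c5001a2b3c4e
   Device: naa.5000c5001a2b3c4e
   Is SSD: false
   VSAN Disk Group UUID: 52a1b2c3-0000-0000-0000-000000000001
   On-disk format version: 5
   Encryption: false'

# Constructed sample: the upgrade-without-DFC scenario, where a second disk
# group is still at an earlier format version.
SAMPLE_MIXED="$SAMPLE_ALL_V5
naa.5000c5001a2b3c4f
   Device: naa.5000c5001a2b3c4f
   Is SSD: true
   VSAN Disk Group UUID: 52a1b2c3-0000-0000-0000-000000000002
   On-disk format version: 3
   Encryption: false
naa.5000c5001a2b3c50
   Device: naa.5000c5001a2b3c50
   Is SSD: false
   VSAN Disk Group UUID: 52a1b2c3-0000-0000-0000-000000000002
   On-disk format version: 3
   Encryption: false"

# Demonstration on the constructed samples.
for sample in "$SAMPLE_ALL_V5" "$SAMPLE_MIXED"; do
    if printf '%s\n' "$sample" | dfc_required "$REQUIRED_VERSION"; then
        echo "DFC required before enabling encryption; disk groups below v$REQUIRED_VERSION:"
        printf '%s\n' "$sample" | disk_groups_below "$REQUIRED_VERSION"
    else
        echo "All disk groups at v$REQUIRED_VERSION or later; encryption needs only the metadata stamp"
    fi
done
```

Run it against every host in the cluster (for example over SSH in a loop), because the DFC decision is cluster-wide: a single disk group on a single host that is still at an earlier format version is enough to put you in the third scenario.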
I hope this helps answer the question of whether or not a DFC is required to enable encryption on vSAN 6.6: only if your disk groups are not yet at on-disk format version 5.