Does enabling encryption on vSAN require on an-disk format change?

vSAN 6.6 shipped earlier this year. It comes with a new on-disk format to support, among other things, data at rest encryption (also known as DARE). This is version 5 of the on-disk format. I’ve been asked this question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a DFC. Now this post is not going to cover vSAN encryption in any great detail; I just want to answer this one question that keeps popping up in conversation.

Let’s discuss the following scenarios:

  1. New install of vSAN 6.6
  2. Upgrade to vSAN 6.6 from an earlier version, which includes upgrading the on-disk format at the same time
  3. Upgrade to vSAN 6.6 from an earlier version, but which postpones the on-disk format upgrade and so the disk groups still have an earlier on-disk format version

[Updated – Aug 2017] If you are deploying  a brand new vSAN 6.6, the on-disk format will be version 5. However, to enable encryption, an on-disk format change/rolling upgrade/disk group evacuation (called a DFC – disk format change) is required to write the new Disk Encryption Keys (DEK) from the Key Management Server down to disk. Once complete, all subsequent writes to the disk are encrypted.

If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included an upgrade to on-disk format version v5 as part of the process, then enabling encryption also needs a DFC, same as previously. Once this is done, all writes to disk will be encrypted.

Finally, if you upgraded to vSAN 6.6 and you did not upgrade the on-disk format (say you are still at V3), and now you wish to enable encryption, you will have to upgrade the on-disk format version (which is just a metadata update that does not require a DFC), then go through the DFC process to enable encryption. This means evacuating all the hosts in the cluster, one at a time, to write the DEKS to disk. Once the on-disk format is upgraded to version 5 and encryption is enabled, all subsequent writes will be encrypted.

Note that converting from on-disk version 3 to version 5 only requires a meta-data update to the disk group format. No data evacuation is required.

I hope this helps answer the question about whether or not a DFC is required to enable encryption on vSAN 6.6.

4 comments
  1. I went through that VSAN 6.6 upgrade process but I did not have to evacuate my data, VSAN shifts files around when I format the drive (no encryption). Is the evacuate file step is just for the turn on encryption process?

    • You can upgrade to vSAN 6.6 without changing the on-disk format, i.e. leave it at the previous version. However to complete the upgrade and leverage new features such as encryption, you will need to upgrade the on-disk format at some point. This will require a rolling format of disk groups.

  2. > If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included the DFC as part of that process and the on-disk format version is now v5,

    I’m going off memory here, but even if an upgrade had been done to V5, turning on encryption will require another rolling dfc so that all existing data can be encrypted.

    • That is my understanding too Tom. Enabling encryption will only encrypt new writes. However if you already have persistent data, and you wish to have that encrypted, then you would need to go through the rolling upgrade process to re-write all of that data, and thus encrypt it.

      Hope you are enjoying your road trip 🙂

Leave a Reply