Let’s discuss the following scenarios:
- New install of vSAN 6.6
- Upgrade to vSAN 6.6 from an earlier version, which includes upgrading the on-disk format at the same time
- Upgrade to vSAN 6.6 from an earlier version, but which postpones the on-disk format upgrade and so the disk groups still have an earlier on-disk format version
[Updated – Aug 2017] If you are deploying a brand new vSAN 6.6, the on-disk format will be version 5. However, to enable encryption, an on-disk format change (called a DFC – disk format change), which is a rolling upgrade that evacuates each disk group in turn, is still required so that the Disk Encryption Keys (DEKs) obtained from the Key Management Server can be written down to disk. Once complete, all subsequent writes to the disk are encrypted.
If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included an upgrade to on-disk format version v5 as part of the process, then enabling encryption also needs a DFC, same as previously. Once this is done, all writes to disk will be encrypted.
Finally, if you upgraded to vSAN 6.6 and you did not upgrade the on-disk format (say you are still at version 3), and now you wish to enable encryption, you will have to upgrade the on-disk format version (which is just a metadata update that does not require a DFC), then go through the DFC process to enable encryption. This means evacuating all the hosts in the cluster, one at a time, to write the DEKs to disk. Once the on-disk format is upgraded to version 5 and encryption is enabled, all subsequent writes will be encrypted.
Note that converting from on-disk version 3 to version 5 only requires a metadata update to the disk group format. No data evacuation is required.
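To turn the three scenarios above into a check you can run against a host, here is an added example (not code from the original post or from VMware) that parses text shaped like the per-device listing `esxcli vsan storage list` prints and reports, per disk group, which of the two steps is still outstanding: the metadata-only format upgrade to version 5, or the DFC that writes the DEKs to disk. The field layout assumed below and the sample listing itself are constructed for the example; the decision logic is the one the post describes.

```python
"""Classify vSAN disk groups by on-disk format version and encryption state.

Added example. Input is text shaped like the output of
`esxcli vsan storage list` (field layout is an assumption); the sample
below is constructed and covers the three states the post discusses.
"""
from collections import defaultdict

# Constructed sample: dg1 is at version 5 and encrypted, dg2 is at version 5
# but still needs the DFC, dg3 is still on format version 3.
SAMPLE_OUTPUT = """\
naa.0001
   Device: naa.0001
   Is SSD: true
   VSAN Disk Group UUID: 52a1-dg1
   On-disk format version: 5
   Is Capacity Tier: false
   Encryption: true
   DiskKeyLoaded: true

naa.0002
   Device: naa.0002
   Is SSD: false
   VSAN Disk Group UUID: 52a1-dg1
   On-disk format version: 5
   Is Capacity Tier: true
   Encryption: true
   DiskKeyLoaded: true

naa.0003
   Device: naa.0003
   Is SSD: true
   VSAN Disk Group UUID: 52a1-dg2
   On-disk format version: 5
   Is Capacity Tier: false
   Encryption: false
   DiskKeyLoaded: false

naa.0004
   Device: naa.0004
   Is SSD: true
   VSAN Disk Group UUID: 52a1-dg3
   On-disk format version: 3
   Is Capacity Tier: false
   Encryption: false
   DiskKeyLoaded: false
"""

TARGET_FORMAT_VERSION = 5  # on-disk format required before encryption can be enabled


def parse_storage_list(text):
    """Return one dict of "Field: value" pairs per device entry."""
    disks = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Unindented line is the device header that opens a new entry.
            current = {}
            disks.append(current)
            continue
        key, sep, value = line.strip().partition(":")
        if current is not None and sep:
            current[key.strip()] = value.strip()
    return disks


def classify_disk_groups(disks, target_version=TARGET_FORMAT_VERSION):
    """Map each disk group UUID to the action still required, if any."""
    groups = defaultdict(list)
    for disk in disks:
        groups[disk.get("VSAN Disk Group UUID", "?")].append(disk)

    actions = {}
    for uuid, members in groups.items():
        lowest_version = min(int(m.get("On-disk format version", "0")) for m in members)
        # A group counts as encrypted only when every member device has its
        # key written to disk and loaded.
        encrypted = all(
            m.get("Encryption", "false").lower() == "true"
            and m.get("DiskKeyLoaded", "false").lower() == "true"
            for m in members
        )
        if lowest_version < target_version:
            actions[uuid] = "upgrade on-disk format (metadata only), then DFC for encryption"
        elif not encrypted:
            actions[uuid] = "DFC required to write DEKs to disk"
        else:
            actions[uuid] = "encrypted: all subsequent writes are encrypted"
    return actions


if __name__ == "__main__":
    for uuid, action in sorted(classify_disk_groups(parse_storage_list(SAMPLE_OUTPUT)).items()):
        print(f"{uuid}: {action}")
```

Run it with the real listing piped in place of the constructed sample to see, per disk group, whether you are in the "just a metadata update" case or the "evacuate one host at a time" case before you start.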
I hope this helps answer the question about whether or not a DFC is required to enable encryption on vSAN 6.6.