Site icon

Does enabling encryption on vSAN require on an-disk format change?

vSAN 6.6 shipped earlier this year. It comes with a new on-disk format to support, among other things, data at rest encryption (also known as DARE). This is version 5 of the on-disk format. I’ve been asked this question a number of times over the past week, so I thought I would quickly write a few words on whether or not enabling encryption on vSAN 6.6 requires an on-disk format change, more commonly referred to as a DFC. Now this post is not going to cover vSAN encryption in any great detail; I just want to answer this one question that keeps popping up in conversation.

Let’s discuss the following scenarios:

  1. New install of vSAN 6.6
  2. Upgrade to vSAN 6.6 from an earlier version, which includes upgrading the on-disk format at the same time
  3. Upgrade to vSAN 6.6 from an earlier version, but which postpones the on-disk format upgrade and so the disk groups still have an earlier on-disk format version

[Updated – Aug 2017] If you are deploying  a brand new vSAN 6.6, the on-disk format will be version 5. However, to enable encryption, an on-disk format change/rolling upgrade/disk group evacuation (called a DFC – disk format change) is required to write the new Disk Encryption Keys (DEK) from the Key Management Server down to disk. Once complete, all subsequent writes to the disk are encrypted.

If you upgraded from a previous version of vSAN to vSAN 6.6, and you also included an upgrade to on-disk format version v5 as part of the process, then enabling encryption also needs a DFC, same as previously. Once this is done, all writes to disk will be encrypted.

Finally, if you upgraded to vSAN 6.6 and you did not upgrade the on-disk format (say you are still at V3), and now you wish to enable encryption, you will have to upgrade the on-disk format version (which is just a metadata update that does not require a DFC), then go through the DFC process to enable encryption. This means evacuating all the hosts in the cluster, one at a time, to write the DEKS to disk. Once the on-disk format is upgraded to version 5 and encryption is enabled, all subsequent writes will be encrypted.

Note that converting from on-disk version 3 to version 5 only requires a meta-data update to the disk group format. No data evacuation is required.

I hope this helps answer the question about whether or not a DFC is required to enable encryption on vSAN 6.6.

Exit mobile version