The vCenter Server must enable data in transit encryption for vSAN.
Transit encryption must be enabled to prevent unauthorized disclosure information and to protect the confidentiality of organizational information.
vSAN data-in-transit encryption has the following characteristics:
-vSAN uses AES-256 bit encryption on data in transit.
-Forward secrecy is enforced for vSAN data-in-transit encryption.
-Traffic between data hosts and witness hosts is encrypted.
-File service data traffic between the VDFS proxy and VDFS server is encrypted.
-vSAN file services inter-host connections are encrypted.
-vSAN uses symmetric keys that are generated dynamically and shared between hosts. Hosts dynamically generate an encryption key when they establish a connection, and they use the key to encrypt all traffic between the hosts. You do not need a key management server to perform data-in-transit encryption.
Each host is authenticated when it joins the cluster, ensuring connections only to trusted hosts are allowed. When a host is removed from the cluster, it is authentication certificate is removed.
vSAN data-in-transit encryption is a cluster-wide setting. When enabled, all data and metadata traffic is encrypted as it transits across hosts.