So not long after my article was published on SearchVMware, the guys at Virtual Blocks (VMware’s own storage blog) released two articles which went into vSAN encryption in a bit more detail.
It’s definitely worth noting that hardware encryption carries an overhead whenever you need to rekey (e.g. when every drive has to be rekeyed). Because vSAN encryption runs within the hypervisor, that rekey overhead is significantly reduced.
The first article simply goes over what vSAN encryption is all about; the second dives into more detail on how it’s set up, the trust model of the KMS, and how the disk format is changed when vSAN encryption is enabled. I find this second article very informative in trying to understand how vSAN encryption works.
There’s also a new KB that briefly goes over the difference between vSAN encryption and VM encryption: Understanding vSAN Datastore Encryption vs. VMcrypt Encryption