Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Dell VxRail Architecture Overview



To prevent sensitive information from reaching the wrong people while ensuring appropriate, authorized access to the data of a company is a fundamental problem summed up as confidentiality or privacy. VxRail addresses the confidentiality of data in use (in a VM), data in motion (during VMware vSphere vMotion), and data at rest (stored in VMware vSAN).

VM encryption

VM encryption provides the flexibility to enable encryption on a per-VM basis, which means that a single cluster can have encrypted and nonencrypted VMs. VM encryption follows the VM wherever it is hosted. So even if the VM were moved to a data store outside VxRail, it would remain encrypted. For more information, see Virtual Machine Encryption.

VMware vSphere vMotion encryption

VxRail supports encrypted VMware vSphere vMotion, where VMs are encrypted when they are moved between hosts. This includes VMware vSphere vMotion migrations within a VxRail and VMware vSphere vMotion migrations to or from a VxRail cluster within a VMware vCenter Server instance. Encrypted VMware vSphere vMotion can be used with VMware vSAN encryption to have data at rest encryption and data-in-transit encryption. Encrypted VMware vSphere vMotion is enforced for VMs with VMware vSphere Encryption enabled. For more information, see Encrypted vSphere vMotion.

Data-at-rest encryption

VMware vSAN encryption encrypts data-at-rest (D@RE) on the VMware vSAN data store. D@RE from VMware vSAN offers FIPS 140-2 verified security that can be used with VxRail to encrypt a data store. In addition to protecting your workloads, VMware vSAN encryption is the easiest and most flexible way to encrypt D@RE because the entire VMware vSAN data store is encrypted with a single setting. This encryption is cluster-wide for all VMs using the data store. Encrypted VM data typically does not benefit from space reduction techniques such as deduplication or compression. VMware vSAN encryption is performed after deduplication and compression, so the full benefit of these space reduction techniques is maintained. For more information, see VMware vSAN Data-At-Rest Encryption.

Figure 1. VMware vSAN encryption on VxRail cluster
VMware vSAN encryption on VxRail cluster

VMware vSphere also supports encryption at the VM layer as an option to VMware vSAN encryption. Starting with VxRail 7.0.200, the native key provider that is embedded with VMware vCenter Server can be used for encryption purposes.

Figure 2. VM encryption on VxRail cluster
VM encryption on VxRail cluster

VMware vSAN encryption

The following encryption key provider options are available depending on the VMware vCenter Server deployment:

  • VxRail-managed VMware vCenter Server supports both native key provider and standard key provider methods.​
  • Customer-managed VMware vCenter Server supports only the native key provider method.​


Trusted Platform Module (TPM) is a specialized chip that is built into the PowerEdge platform.​ The features of TPM are:

  • Use TPM to determine the trustworthiness of a host to be part of a cluster.​ TPM enforces software integrity through signed VIBs, assuring that only authorized software is installed on hosts.​
  • TPM supports the storing of keys for VMware vSAN encryption in a more secure and accessible location than in a local cache. Keys that are stored in TPM persist after a reboot operation, while keys stored in a local cache do not persist after a reboot. You should enable key persistence in ESXi.
  • TPM supports secure booting of VxRail nodes to prevent unauthorized access to systems.​

VxRail 8.0 supports TPM 2.0 only.​ Before reimaging or upgrading VxRail nodes to VxRail 8.0, upgrade TPM chip on each node to TPM version 2.0 only if:

  • You are planning to enable TPM on nodes as part of the security policy​.
  • The older version of TPM is configured on VxRail nodes.​

To use VMware vSAN ESA encryption with TPM, enable TPM in BIOS on each VxRail node to be a member of the encrypted VMware vSAN ESA data store.​

Rate this content

Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\