We are implementing vSphere Encryption on top of vSAN encryption in a specific solution area. The basic setup is a vSAN cluster in each of 10 data centers. The templates are in one data center and cloned to the clusters in each of the other data centers.
We created the new storage policy called “VSAN-RAID5-FTT1-Encryption” that contains both vSAN FTT/RAID and VM Encryption settings. We then tried to clone to a new VM in another cluster and apply this policy during this process.
This is actually not allowed as shown in the error message received: “Changing or applying VM Storage Policies with Data Service capabilities during clone operations is disallowed. VM Storage Policies with Data Service capabilities can be assigned to the provisioned VM after the clone operation has been completed and before the VM has been powered on.”
To complete this successfully we updated our automation to complete the clone process with the existing vSAN storage policy and then apply the new policy above. This takes more time but it works.
vEric: 
Why are you double-encrypting?
Yo, Dawg. I heard you like encryption so I encrypted your encryption with more encryption….
Only doing it for DC’s as there’s concern from security staff that someone will export the VM and be able to get all user account info. I told them if they can export a DC VM then they can export the HyTrust appliance and vCenter KMS settings as well so no need. Their new response is to enable BitLocker as well. SMH
But that’s why you architect in separation.. If they are that concerned then build a cluster for them that runs HyTrust and you’re good. Double encrypting adds no security unless you are using two different key managers. And even then, it’s really not. And enabling Bitlocker is retarded.
Agreed on all points. KMS lives in different cluster on different PSC domains so if they “shouldn’t” be able to export it, unless they have creds which would get them into all vCenter’s.
Oh security people…. never change. You keep me employed with your complete inability to understand technology.
Yup. Right now I’m fighting to get another vROps appliance deployed in our Corp space. They say there’s over 200 vulnerabilities. They want to know what VMware is going to do to correct them all but yet they approved it to run in our DoD environment a couple years ago.