We are implementing vSphere Encryption on top of vSAN encryption in a specific solution area. The basic setup is a vSAN cluster in each of 10 data centers. The templates are in one data center and cloned to the clusters in each of the other data centers.
We created a new storage policy called “VSAN-RAID5-FTT1-Encryption” that contains both the vSAN FTT/RAID settings and the VM Encryption settings. We then tried to clone to a new VM in another cluster and apply this policy during the clone operation.
This is not allowed, as the error message we received shows: “Changing or applying VM Storage Policies with Data Service capabilities during clone operations is disallowed. VM Storage Policies with Data Service capabilities can be assigned to the provisioned VM after the clone operation has been completed and before the VM has been powered on.”
To get this working, we updated our automation to complete the clone with the existing vSAN storage policy and then apply the new policy above to the cloned VM. This takes more time, but it works.
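One way to script the clone-then-apply sequence in PowerCLI, with a check that stops the VM from being powered on if the encryption policy did not take. This is an added example, not the automation described in this post. The template, cluster, datastore and VM names are placeholders, and it assumes an existing `Connect-VIServer` session and a PowerCLI release whose `Set-VM` accepts `-StoragePolicy`.

```powershell
# Added example: every name below except the policy name is a placeholder.
$TemplateName  = 'TEMPLATE-PLACEHOLDER'
$ClusterName   = 'CLUSTER-PLACEHOLDER'
$DatastoreName = 'VSAN-DATASTORE-PLACEHOLDER'
$VMName        = 'NEW-VM-PLACEHOLDER'
$PolicyName    = 'VSAN-RAID5-FTT1-Encryption'   # policy name from the post

$ErrorActionPreference = 'Stop'

# Resolve all inputs first so a bad name fails before any clone starts.
$policy   = Get-SpbmStoragePolicy -Name $PolicyName
$template = Get-Template -Name $TemplateName
$cluster  = Get-Cluster -Name $ClusterName
$ds       = Get-Datastore -Name $DatastoreName

# Step 1: clone without naming the encryption policy, since applying a
# Data Service policy during the clone is what raises the error above.
$vm = New-VM -Name $VMName -Template $template -ResourcePool $cluster -Datastore $ds

# Step 2: the error message says to assign the policy after the clone
# and before power-on, so refuse to continue if the VM is already running.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName is $($vm.PowerState); not applying $PolicyName."
}
# Assumption: without -SkipHardDisks the policy is applied to VM home
# and to the hard disks. Step 3 checks both either way.
$vm = Set-VM -VM $vm -StoragePolicy $policy -Confirm:$false

# Step 3: confirm VM home and every disk carry the policy before power-on,
# so a partial failure never results in a running, unencrypted VM.
$configs  = @(Get-SpbmEntityConfiguration -VM $vm)
$configs += @(Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $vm))
$missing  = $configs | Where-Object { $_.StoragePolicy.Name -ne $PolicyName }
if ($missing) {
    $names = ($missing | ForEach-Object { $_.Entity.Name }) -join ', '
    throw "Policy $PolicyName not applied to: $names. VM left powered off."
}

# Step 4: power on only after the check passes.
Start-VM -VM $vm | Out-Null
```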