I’ve seen a few questions around this and I wanted to put together a quick post to put them to rest. Long story short, vSphere Replication and SRM work together the same with vSAN Encryption turned on as they do with it turned off. The reason for this is that vSAN encryption happens at the last/lowest layer or stage of the I/O path, just before the data is written to disk for writes and just after it is first read from the disk for reads. This is the case for both the capacity tier as well as the cache tier.
The benefit to doing it at the lowest level goes to the point of this post, it ensures that vSAN features like dedup, compression, erasure coding and stretched clusters as well as vSphere features like HA, FT, vMotion and vSphere Replication just work.
I recorded a demo to show what this interoperability looks like in action, take a look:
If you have more questions around the specifics of vSAN Encryption take a look at these links:
vSAN 6.6 Native Data at Rest Encryption – VirtualBlocks
vSAN Native Encryption – Part 1 and Part 2
vSAN Encryption vs. VM Encryption – YellowBricks
Does Enabling vSAN Encryption require a disk format change? – CormacHogan.com
