Protecting the data at rest

There are several options for storing your data securely:

  • Encryption at storage physical level: This uses self-encrypting drives (SEDs), which perform full-disk encryption in hardware, also known as hardware-based full-disk encryption (FDE). The Opal Storage Specification is a set of specifications for SEDs developed by the Trusted Computing Group. However, these types of disks are quite costly and also require controllers or storage that support this feature.
  • Encryption at storage logic level: This uses vSAN encryption, which uses an AES-256 cipher and eliminates the extra cost, limitations, and complexity associated with purchasing and maintaining SEDs. vSAN datastore encryption is enabled and configured at the datastore level. In other words, every object on the vSAN datastore is encrypted when this feature is enabled.
  • Encryption at VM level: This is a new feature of the vSphere 6.5 Enterprise Plus edition. Previously, it was only possible with third-party products.
  • Encryption inside the VM: This is done within the guest operating system, for example, by using Microsoft BitLocker or an encrypted Linux filesystem (with losetup, LUKS, or other tools).

For more information, see the guide How vSphere Virtual Machine Encryption Protects Your Environment, available at https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-8D7D09AC-8579-4A33-9449-8E8BA49A3003.html.
