Methods and apparatus for Virtual Machine (VM) encryption of block storage with end-to-end data integrity protection in a SmartNIC. For a Write operation, the NIC is configured to encrypt a data block, append the encrypted data block with protection information (PI) generated using data in the data block to generate a protected data block and forward the protected data block onto a network or fabric to be delivered to a storage node. For a Read operation, the NIC is configured to receive a protected data block comprising cipher text including encrypted payload data concatenated with an encrypted inner PI and an outer PI, use the inner and outer PIs to perform PI checks, decrypt the cipher text to extract payload data, and forward or write at least the payload to a host. The inner and outer PIs and data formats are compliant with an NVMe specification.