vSphere VMs encryption: encrypt virtual machines - pt.3


Once the KMS Server has been configured and successfully added to the vCenter Server, you are able to encrypt virtual machines.

Access to an encrypted virtual disk requires the correct key, which is held only by the virtual machine that owns the disk. An unauthorized virtual machine that tries to read the encrypted VMDK without that key obtains only meaningless data.


Blog series

vSphere VMs encryption: KMS Server installation - pt.1
vSphere VMs encryption: setup vCenter Server - pt.2
vSphere VMs encryption: encrypt virtual machines - pt.3


How to use encryption

Before proceeding with virtual machine encryption, keep some recommendations in mind to avoid problems.

  • Platform Services Controller and vCenter Server virtual machines should not be encrypted.
  • The support bundle used to decrypt a core dump is generated using the ESXi host key. If the host is rebooted, the host key may change, and the support bundle can no longer be generated with a password, nor can the core dumps in the support bundle be decrypted with the host key. For this reason, if the host crashes you should retrieve the support bundle as soon as possible.
  • Since .VMX files and .VMDK descriptor files contain the support bundle, do not edit these files; otherwise the virtual machine becomes unrecoverable.


Encrypt a virtual machine

The encryption and decryption process of virtual machines is controlled by storage policies. The virtual machine must be powered off before proceeding with encryption.

From the vSphere Web Client right click the virtual machine to encrypt and select VM Policies > Edit VM Storage Policies.


From the VM storage policy drop-down menu, select the VM Encryption Policy option to encrypt the virtual machine.


Click Apply to all then click OK to proceed with encryption.


When the encryption process has completed, go to the virtual machine’s Summary tab. The icon indicates that the selected virtual machine is encrypted and in the VM Hardware widget, a new Encryption field specifies what components are encrypted.
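The same procedure driven from PowerCLI, as an added example that is not part of the original post: it applies the VM Encryption Policy to the VM home and to every disk (the "Apply to all" step), then reads back what the Summary tab shows. It assumes PowerCLI with the Storage module is installed, and the vCenter Server and VM names are placeholders.

```powershell
# Added example (not from the original post). Placeholder names below.
param(
    [string]$Server     = 'vcenter.example.local',   # placeholder vCenter FQDN
    [string]$VMName     = 'app-vm01',                # placeholder VM name
    [string]$PolicyName = 'VM Encryption Policy'     # built-in policy used in the post
)

Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Storage
Connect-VIServer -Server $Server | Out-Null

$vm = Get-VM -Name $VMName

# Encryption requires a powered-off VM; stop early instead of letting the task fail.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before encryption (current state: $($vm.PowerState))."
}

$policy = Get-SpbmStoragePolicy -Name $PolicyName
$disks  = Get-HardDisk -VM $vm

# "Apply to all": VM home (VMX, swap, snapshots) plus every virtual disk.
$configs  = @(Get-SpbmEntityConfiguration -VM $vm)
$configs += Get-SpbmEntityConfiguration -HardDisk $disks
Set-SpbmEntityConfiguration -Configuration $configs -StoragePolicy $policy | Out-Null

# Verify: once encrypted, the VM config carries a key id and each disk backing
# carries its own key id; the provider id is the KMS cluster that holds the KEK.
$vm      = Get-VM -Name $VMName            # refresh after the reconfigure task
$homeKey = $vm.ExtensionData.Config.KeyId
"VM home encrypted : {0} (KMS cluster: {1})" -f [bool]$homeKey, $homeKey.ProviderId.Id

$vm.ExtensionData.Config.Hardware.Device |
    Where-Object { $_ -is [VMware.Vim.VirtualDisk] } |
    ForEach-Object {
        [pscustomobject]@{
            Disk       = $_.DeviceInfo.Label
            Encrypted  = [bool]$_.Backing.KeyId
            KmsCluster = $_.Backing.KeyId.ProviderId.Id
        }
    } | Format-Table -AutoSize

# Policy compliance, equivalent to the VM Policies view in the Web Client.
@(Get-SpbmEntityConfiguration -VM $vm) + @(Get-SpbmEntityConfiguration -HardDisk $disks) |
    Select-Object Entity, StoragePolicy, ComplianceStatus | Format-Table -AutoSize
```

A disk that reports Encrypted = False after the task completes was not covered by the policy and should be checked before the VM is powered on again.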



Encrypt the vSAN cluster

If you use vSAN as a datastore in your infrastructure, you can also enable encryption on your vSAN cluster.

From the vSphere Web Client, select the vSAN cluster and go to the Configure tab. Select General under vSAN and click the Edit button in the vSAN is Turned ON area.


Enable Encryption and select the KMS cluster to use. Click OK to apply encryption to your vSAN cluster.


Since encryption affects virtual machine performance, it should be applied only to virtual machines that require a high level of security.


