Configure VM and vSAN encryption in vSphere

Now that you have set up the KMES Series 3 as a key provider in vCenter Server, vSphere users with the required privileges can do the following tasks:

Create encrypted virtual machines and disks (see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-431FDB2F-7F34-468D-9D6B-BC5E95279237.html) -Encrypt existing virtual machines (see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-5E2C3F74-38C1-44C3-ABC5-C2C9353B9DC4.html) -Decrypt encrypted virtual machines (see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-3E65311F-996A-4D00-9991-D61A2B7FC3CA.html) -Add Virtual Trusted Platform Modules (vTPMs) to virtual machines(see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-A43B6914-E5F9-4CB1-9277-448AC9C467FB.html)
Encrypt data-in transit for vSAN clusters (see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-10099331-92E7-41AF-BCAA-88DB4B4A4B7B.html) -Encrypt dataat-rest in vSAN datastores (see docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-39717910-373F-4F71-98AE-D45C0ACBA061.html)

This section demonstrates encrypting an existing virtual machine. Refer to the preceding VMware documentation links for instructions on performing the other various encryption tasks that the vSphere and KMES Series 3 KMIP integration makes possible.

Encrypting an existing virtual machine

You can encrypt existing virtual machines or virtual disks with vSphere client by changing their storage policy. However, you can encrypt virtual disks only for encrypted virtual machines.

Ensure that the virtual machine is powered off before beginning.

Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.

Select the VM Encryption Policy in the drop-down menu.

To encrypt the VM and its hard disks, select an encryption storage policy and select [ OK ].
To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and select [ OK ].

(Optional) If you prefer, you can encrypt the virtual machine or both the virtual machine and disks from the Edit Settings menu in the vSphere Client. Perform the following steps:

Right-click the virtual machine and select Edit Settings.
Go to the VM Options tab and open Encryption.
Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.
Select [ OK ].

If the VM encryption operation succeeds, the task status displays as Completed.

View the key

Perform the following steps to view the key that vSphere created on the KMES:

Go to Key Management > Keys and expand the default application key group by selecting the group name.

You can see the AES-256 symmetric key that vSphere created and used to encrypt the virtual machine in the previous step.

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Configure VM and vSAN encryption in vSphere

Encrypting an existing virtual machine

View the key

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Documentation Index

​Encrypting an existing virtual machine

​View the key

Encrypting an existing virtual machine

View the key