Encrypt VM and vSAN in vSphere
Now that you set {{ch}} as a key provider in vCenter Server, vSphere users with the required privileges can create encrypted virtual machines and disks (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-431FDB2F-7F34-468D-9D6B-BC5E95279237.html). With those privileges, you can also do the following actions:

- Encrypt existing virtual machines (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-5E2C3F74-38C1-44C3-ABC5-C2C9353B9DC4.html)
- Decrypt encrypted virtual machines (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-3E65311F-996A-4D00-9991-D61A2B7FC3CA.html)
- Add virtual Trusted Platform Modules (vTPMs) to virtual machines (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-A43B6914-E5F9-4CB1-9277-448AC9C467FB.html)

In addition to virtual machine encryption, you can encrypt data in transit for vSAN clusters and encrypt data at rest in vSAN datastores.

This section demonstrates how to encrypt an existing virtual machine. Refer to the preceding VMware documentation links for instructions on performing the other encryption tasks that the vSphere {{ch}} KMIP integration enables.

Encrypt an existing virtual machine

You can encrypt existing virtual machines or virtual disks with the vSphere Client by changing their storage policy. However, you can only encrypt virtual disks for encrypted virtual machines.

1. Ensure that the virtual machine is powered off.
2. Log in to the vCenter Server system with the vSphere Client.
3. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies. You can set the storage policy for the virtual machine files, represented by VM Home, and the storage policy for virtual disks.
4. Select the VM encryption policy in the drop-down list. Then, choose one of the following options:
   - To encrypt the VM and its hard disks, select an encryption storage policy and select [OK].
   - To encrypt the VM but not the virtual disks, toggle Configure per disk on, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and select [OK].

You can also encrypt the virtual machine, or both virtual machine and disks, from the Edit Settings menu in the vSphere Client:

1. Right-click the virtual machine and select Edit Settings.
2. Go to the VM Options tab and open Encryption. Choose an encryption policy. If you deselect all disks, only the VM Home is encrypted.
3. Select [OK].

If the VM encryption operation succeeds, the task status displays as Completed.
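The same procedure can be scripted and then verified per object. The following PowerCLI sketch is an added example, not part of the original page or of VMware's documentation. It assumes an existing Connect-VIServer session and an encryption storage policy named 'VM Encryption Policy'; the function names Protect-ExistingVM and Get-VMEncryptionState are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI is installed and Connect-VIServer has been run.
# 'VM Encryption Policy' is an assumed policy name; pass -PolicyName if yours differs.

function Get-VMEncryptionState {
    # Reports whether VM Home and each virtual disk carry an encryption key.
    param([Parameter(Mandatory)] [string] $VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $homeKey = $vm.ExtensionData.Config.KeyId      # null when VM Home is not encrypted
    [pscustomobject]@{
        Item = 'VM Home'; Encrypted = [bool]$homeKey; KeyProvider = $homeKey.ProviderId.Id
    }
    foreach ($disk in Get-HardDisk -VM $vm) {
        $diskKey = $disk.ExtensionData.Backing.KeyId   # null when the disk is not encrypted
        [pscustomobject]@{
            Item = $disk.Name; Encrypted = [bool]$diskKey; KeyProvider = $diskKey.ProviderId.Id
        }
    }
}

function Protect-ExistingVM {
    # Applies the encryption storage policy to a powered-off VM, then reports the result.
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [string] $PolicyName = 'VM Encryption Policy',
        [switch] $HomeOnly    # encrypt VM Home only, leave the virtual disks as they are
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "VM '$VMName' is $($vm.PowerState); power it off before encrypting."
    }
    $policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop

    if ($HomeOnly) {
        Set-VM -VM $vm -StoragePolicy $policy -SkipHardDisks -Confirm:$false | Out-Null
    } else {
        Set-VM -VM $vm -StoragePolicy $policy -Confirm:$false | Out-Null
    }
    # Re-read the VM so the report reflects the state after the reconfigure task.
    Get-VMEncryptionState -VMName $VMName
}

# Usage (constructed VM name): Protect-ExistingVM -VMName 'app01' -HomeOnly
```

Running Get-VMEncryptionState on its own gives a read-only check that the KeyProvider column shows the key provider you configured for both VM Home and every disk you intended to encrypt.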