Encrypt VM and vSAN in vSphere

now that you set {{ch}} as a key provider in vcenter server, vsphere users with the required privileges can create encrypted virtual machines and disks https //docs vmware com/en/vmware vsphere/7 0/com vmware vsphere security doc/guid 431fdb2f 7f34 468d 9d6b bc5e95279237 html with those privileges, you can also encrypt existing virtual machines https //docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vm admin doc/guid 5e2c3f74 38c1 44c3 abc5 c2c9353b9dc4 html , decrypt encrypted virtual machines https //docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vm admin doc/guid 3e65311f 996a 4d00 9991 d61a2b7fc3ca html , and add virtual trusted platform modules (vtpms) to virtual machines https //docs vmware com/en/vmware vsphere/7 0/com vmware vsphere security doc/guid a43b6914 e5f9 4cb1 9277 448ac9c467fb html in addition to virtual machine encryption, you can encrypt data in transit for vsan clusters and encrypt data at rest in vsan datastores this section demonstrates encrypting an existing virtual machine refer to the preceding vmware documentation links for instructions on performing the other encryption tasks that the vsphere {{ch}} kmip integration makes possible encrypt an existing virtual machine with the vsphere client you can encrypt existing virtual machines or virtual disks by changing their storage policy however, you can only encrypt virtual disks for encrypted virtual machines ensure that the virtual machine is powered off log in to the vcenter server system with the vsphere client right click the virtual machine that you want to change and select vm policies > edit vm storage policies you can set the storage policy for the virtual machine files, represented by vm home, and the storage policy for virtual disks select the vm encryption policy in the drop down list then, choose one of the following options to encrypt the vm and its hard disks, select an encryption storage policy and select \[ ok ] to encrypt the vm but not the virtual disks, toggle configure per disk on, select the encryption storage policy for vm home and other storage policies for the virtual disks, and select \[ ok ] you can also encrypt the virtual machine, or both virtual machine and disks, from the edit settings menu in the vsphere client right click the virtual machine and select edit settings go to the vm options tab and open encryption choose an encryption policy if you deselect all disks, only the vm home is encrypted select \[ ok ] if the vm encryption operation succeeds, the task status displays as completed