
Configure VM and vSAN encryption in vSphere


Now that you have set up the KMES as a key provider in vCenter Server, vSphere users with the required privileges can create encrypted virtual machines and disks. They can also encrypt existing virtual machines, decrypt encrypted virtual machines, and add Virtual Trusted Platform Modules (vTPMs) to virtual machines.

In addition to virtual machine encryption, you can encrypt data in transit for vSAN clusters and encrypt data at rest in vSAN datastores.

This section demonstrates encrypting an existing virtual machine. Refer to the preceding VMware documentation links for instructions on the other encryption tasks that the vSphere and KMIP integration makes possible.

Encrypting an existing virtual machine with vSphere client

You can encrypt existing virtual machines or virtual disks by changing their storage policy. However, you can encrypt virtual disks only for encrypted virtual machines.

Ensure that the virtual machine is powered off before beginning.

1. Log in to the vCenter Server system with the vSphere Client.
2. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
   You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for the virtual disks.
3. Select the VM Encryption Policy in the drop-down menu.
4. To encrypt the VM and its hard disks, select an encryption storage policy and select [ OK ].
5. To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and select [ OK ].
6. (Optional) You can also encrypt the virtual machine, or both the virtual machine and its disks, from the Edit Settings menu in the vSphere Client:
   1. Right-click the virtual machine and select Edit Settings.
   2. Go to the VM Options tab and open Encryption.
   3. Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.
   4. Select [ OK ].

If the VM encryption operation succeeds, the task status shows as Completed.
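The same procedure can be driven from PowerCLI, which is useful when many VMs need the policy applied and verified. The script below is an added example, not from this page or from VMware or Futurex; it assumes the VMware.PowerCLI module is installed, that the built-in VM Encryption Policy is the policy you want, and that the vCenter host and VM name are placeholders you replace.

```powershell
# Added example: PowerCLI equivalent of the vSphere Client steps above.
# Placeholders: $VCenter and $VMName are hypothetical; the policy name is the vSphere built-in one.
param(
    [string]$VCenter    = 'vcenter.example.internal',   # placeholder
    [string]$VMName     = 'app-server-01',              # placeholder
    [string]$PolicyName = 'VM Encryption Policy',
    [switch]$VMHomeOnly                                 # encrypt VM home, leave disk policies unchanged
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$vm = Get-VM -Name $VMName -ErrorAction Stop
# The page's precondition: the VM must be powered off before its storage policy is changed.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "VM '$VMName' must be powered off before encryption; current state: $($vm.PowerState)"
}

$policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop

# Step 4 equivalent: VM home and every virtual disk receive the encryption policy.
# Step 5 equivalent (-VMHomeOnly): only VM home changes; disks keep their current policy.
# Disks can only be encrypted on a VM whose home is encrypted, so VM home is always included.
$targets = @($vm | Get-SpbmEntityConfiguration)
if (-not $VMHomeOnly) {
    $targets += Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration
}
Set-SpbmEntityConfiguration -Configuration $targets -StoragePolicy $policy | Out-Null

# Verification: once encrypted, the VM config carries the identifier of the key that the
# key provider issued. An empty KeyId means the encryption did not take effect.
$vm    = Get-VM -Name $VMName
$keyId = $vm.ExtensionData.Config.KeyId
if (-not $keyId) { throw "VM '$VMName' reports no encryption key; check the key provider status" }

[pscustomobject]@{
    VM           = $vm.Name
    KeyProvider  = $keyId.ProviderId.Id   # name of the key provider registered in vCenter
    KeyId        = $keyId.KeyId           # matches the key shown under Key Management > Keys
    DiskPolicies = (Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration |
                    ForEach-Object { "$($_.Name): $($_.StoragePolicy.Name)" }) -join '; '
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The KeyId value printed at the end is the identifier to look for on the KMES when confirming that the key was created there and not by a different provider.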

View the key that vSphere created on the KMES

1. Log in to the application interface with the default Admin users.
2. Go to Key Management > Keys and expand the default application key group by selecting the group name.

You can see the AES-256 symmetric key that vSphere created and used to encrypt the virtual machine in the previous step.