Configure VM and vSAN encryption in vSphere

now that you have set up the {{k3}} as a key provider in vcenter server, vsphere users with the required privileges can do the following tasks create encrypted virtual machines and disks (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere security doc/guid 431fdb2f 7f34 468d 9d6b bc5e95279237 html ) encrypt existing virtual machines (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vm admin doc/guid 5e2c3f74 38c1 44c3 abc5 c2c9353b9dc4 html ) decrypt encrypted virtual machines (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vm admin doc/guid 3e65311f 996a 4d00 9991 d61a2b7fc3ca html ) add virtual trusted platform modules (vtpms) to virtual machines (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere security doc/guid a43b6914 e5f9 4cb1 9277 448ac9c467fb html ) encrypt data in transit for vsan clusters (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vsan doc/guid 10099331 92e7 41af bcaa 88db4b4a4b7b html ) encrypt dataat rest in vsan datastores (see docs vmware com/en/vmware vsphere/7 0/com vmware vsphere vsan doc/guid 39717910 373f 4f71 98ae d45c0acba061 html ) this section demonstrates encrypting an existing virtual machine refer to the preceding vmware documentation links for instructions on performing the other various encryption tasks that the vsphere and {{k3}} kmip integration makes possible encrypting an existing virtual machine you can encrypt existing virtual machines or virtual disks with vsphere client by changing their storage policy however, you can encrypt virtual disks only for encrypted virtual machines ensure that the virtual machine is powered off before beginning log in to the vcenter server system with the vsphere client right click the virtual machine that you want to change and select vm policies > edit vm storage policies you can set the storage policy for the virtual machine files, represented by vm home, and the storage policy for virtual disks select the vm encryption policy in the drop down menu to encrypt the vm and its hard disks , select an encryption storage policy and select \[ ok ] to encrypt the vm but not the virtual disks , toggle on configure per disk , select the encryption storage policy for vm home and other storage policies for the virtual disks, and select \[ ok ] (optional) if you prefer, you can encrypt the virtual machine or both the virtual machine and disks from the edit settings menu in the vsphere client perform the following steps right click the virtual machine and select edit settings go to the vm options tab and open encryption choose an encryption policy if you deselect all disks, only the vm home is encrypted select \[ ok ] if the vm encryption operation succeeds, the task status displays as completed view the key perform the following steps to view the key that vsphere created on the {{k}} log in to the {{k3}} application interface with the default admin users go to key management > keys and expand the default application key group by selecting the group name you can see the aes 256 symmetric key that vsphere created and used to encrypt the virtual machine in the previous step