In VMware Cloud Director, you can add an encryption-enabled storage policy to an organization VDC. You can encrypt VMs and disks by associating a VM or disk with a storage policy that has the VM Encryption capability.

You can improve the security of your data by using VM encryption. Encryption protects not only your virtual machine but also virtual machine disks and other files. You can view the capabilities of storage policies and the encryption status of VMs and disks in the API and UI. You can perform all operations on encrypted VMs and disks that are supported in the respective vCenter Server version.

If the provider VDC has a storage policy with enabled VM Encryption, you can add the encryption-enabled policy to an organization VDC. See Enabling VM Encryption on Storage Policies of a Provider Virtual Data Center and Add a VM Storage Policy to an Organization Virtual Data Center. After that, by using the VMware Cloud Director Tenant Portal, tenants can associate a VM or disk with a storage policy with enabled VM Encryption.

VM Encryption Limitations

The following actions are not supported.

  • Encrypt or decrypt a powered-on VM or its disks.
  • Export an OVF of an encrypted VM.
  • Encrypt and decrypt the disks of a VM with a snapshot if the disks are part of the snapshot.
  • Decrypt a VM when its disk is on an encrypted policy.
  • Add an encrypted disk to a non-encrypted VM.
  • Encrypt an existing disk on a non-encrypted VM.
  • Add an encrypted named disk to unencrypted VM.
  • Create an encrypted linked clone.
  • Encrypt a linked clone VM or its disks.
  • Instantiate, move, or clone VMs across vCenter Server instances when the source VM is encrypted.
Note: On a fast-provisioned organization VDC, if the source or target VM is encrypted and you want to create a clone, VMware Cloud Director always creates a full clone.

Identifying a VM Encryption Storage Capability

By default, System administrators and Organization administrators have the necessary rights to view the organization VDC storage capabilities and whether VMs and disks are encrypted. vApp Authors can view the encryption status of VMs and disks. For more information about roles and rights, see Predefined Roles and Their Rights.

You can view all storage capabilities in the Capabilities column under Resources > vSphere Resources > Storage Policies. This column displays the VM encryption, tag-based association, vSAN , and IOPS limiting storage capabilities. To view the full list of storage capabilities, expand the row by clicking the arrow on the left side of the storage policy name.

You can also view the storage capability information in the Storage tab of an organization VDC.