You can add an encryption-enabled storage policy to a provider VDC. You can encrypt VMs and disks by associating a VM or disk with a storage policy that has the VM Encryption capability.

Starting with VMware Cloud Director 10.1, you can improve the security of your data by using VM encryption. Encryption protects not only your virtual machine but also virtual machine disks and other files. You can view the capabilities of storage policies and the encryption status of VMs and disks in the API and UI. You can perform all operations on encrypted VMs and disks that are supported in the respective vCenter Server version.

Enabling VM Encryption

To encrypt VMs in VMware Cloud Director, you must configure at least one Key Management Server (KMS) on your vCenter Server instance and associate the VMs and disks with a storage policy that has the VM Encryption capability.

  1. In vCenter Server, add a KMS cluster. A vCenter Server instance can have multiple KMS clusters. For information about setting up a Key Management Server cluster, see the Set up the Key Management Server Cluster topic in the vSphere Security Guide.
  2. In vCenter Server, enable encryption on a storage policy. See the Create an Encryption Storage Policy topic in the vSphere Security Guide.
  3. In the VMware Cloud Director Service Provider Admin Portal, add the encryption-enabled policy to a provider VDC. See Add a VM Storage Policy to a Provider Virtual Data Center.
  4. In the VMware Cloud Director Service Provider Admin Portal, add the encryption-enabled policy to an organization VDC. See Add a VM Storage Policy to an Organization Virtual Data Center.
  5. In the VMware Cloud Director Tenant Portal, tenants can associate the VM or disk with a storage policy that has VM Encryption enabled.
  6. To decrypt a VM or disk, tenants can associate that VM or disk with a storage policy that does not have encryption enabled.

VM Encryption Limitations

The following actions are not supported in VMware Cloud Director.

  • Encrypt or decrypt a powered-on VM or its disks.
  • Export an OVF of an encrypted VM.
  • Encrypt and decrypt the disks of a VM with a snapshot if the disks are part of the snapshot.
  • Decrypt a VM when its disk is on an encrypted policy.
  • Add an encrypted disk to a non-encrypted VM.
  • Encrypt an existing disk on a non-encrypted VM.
  • Add an encrypted named disk to an unencrypted VM.
  • Create an encrypted linked clone.
  • Encrypt a linked clone VM or its disks.
  • Instantiate, move, or clone VMs across vCenter Server instances when the source VM is encrypted.

Note: On a fast-provisioned organization VDC, if the source or target VM is encrypted and you want to create a clone, VMware Cloud Director always creates a full clone.
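The limitations above can be enforced as a pre-flight check before a storage policy change is submitted. The following is an added example, not VMware Cloud Director code: the VM, disk and policy classes are a constructed stand-in for the objects the Cloud Director API returns, and the rule texts are taken from the list above.

```python
from dataclasses import dataclass, field


@dataclass
class StoragePolicy:
    name: str
    vm_encryption: bool  # True when the policy has the VM Encryption capability


@dataclass
class Disk:
    name: str
    policy: StoragePolicy
    in_snapshot: bool = False  # disk belongs to a VM snapshot


@dataclass
class VM:
    name: str
    policy: StoragePolicy
    powered_on: bool
    linked_clone: bool = False
    disks: list = field(default_factory=list)


def preflight_policy_change(vm, target, disk=None):
    """Return the reasons the change would be rejected; an empty list means allowed.

    Hypothetical helper: checks a VM (or one of its disks) against the
    documented encryption limitations before its storage policy is changed.
    """
    subject = disk if disk is not None else vm
    if subject.policy.vm_encryption == target.vm_encryption:
        return []  # encryption state does not change, nothing to block
    reasons = []
    if vm.powered_on:
        reasons.append("cannot encrypt or decrypt a powered-on VM or its disks")
    if vm.linked_clone and target.vm_encryption:
        reasons.append("cannot encrypt a linked clone VM or its disks")
    if disk is not None:
        if disk.in_snapshot:
            reasons.append("cannot encrypt or decrypt a disk that is part of a snapshot")
        if target.vm_encryption and not vm.policy.vm_encryption:
            reasons.append("cannot encrypt an existing disk on a non-encrypted VM")
    elif not target.vm_encryption and any(d.policy.vm_encryption for d in vm.disks):
        reasons.append("cannot decrypt a VM while a disk is on an encrypted policy")
    return reasons


def preflight_add_disk(vm, disk):
    """Block attaching a disk on an encrypted policy to a non-encrypted VM."""
    if disk.policy.vm_encryption and not vm.policy.vm_encryption:
        return ["cannot add an encrypted disk to a non-encrypted VM"]
    return []
```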

Identifying a VM Encryption Storage Capability

By default, System administrators and Organization administrators have the necessary rights to view the organization VDC storage capabilities and whether VMs and disks are encrypted. vApp Authors can view the encryption status of VMs and disks. For more information about roles and rights, see Predefined Roles and Their Rights.

You can view all storage capabilities in the Capabilities column under Resources > vSphere Resources > Storage Policies. This column displays the VM encryption, tag-based association, vSAN, and IOPS limiting storage capabilities. To view the full list of storage capabilities, expand the row by clicking the arrow on the left side of the storage policy name.

You can also view the storage capability information in the Storage Policies tab of a provider VDC.