You can improve the security of your data in VMware Cloud Director by using VM encryption. You can encrypt VMs and disks by associating them with storage policies that have the VM Encryption capability.

Encryption protects not only your virtual machine but also virtual machine disks and other files. You can view the capabilities of storage policies and the encryption status of VMs and disks in the API and UI. You can perform all operations on encrypted VMs and disks that are supported in the respective vCenter Server version.

If the organization VDC has a storage policy with VM encryption enabled, you can encrypt VMs and disks. See the Enabling VM Encryption on Storage Policies of an Organization Virtual Data Center topic in the VMware Cloud Director Service Provider Admin Guide. To encrypt a VM or disk, associate it with a VM Encryption-enabled storage policy. For virtual machines, see Creating a Virtual Machine in VMware Cloud Director Tenant Portal or Change the General Properties of a Virtual Machine. For named disks, see Create a Named Disk in VMware Cloud Director or Edit a Named Disk. To decrypt a VM or disk, associate that VM or disk with a storage policy that does not have encryption enabled.

VM Encryption Limitations

The following actions are not supported in VMware Cloud Director.

  • Encrypt or decrypt a powered-on VM or its disks.
  • Export an OVF of an encrypted VM.
  • Encrypt and decrypt the disks of a VM with a snapshot if the disks are part of the snapshot.
  • Decrypt a VM when its disk is on an encrypted policy.
  • Add an encrypted disk to a non-encrypted VM.
  • Encrypt an existing disk on a non-encrypted VM.
  • Add an encrypted named disk to an unencrypted VM.
  • Create an encrypted linked clone.
  • Encrypt a linked clone VM or its disks.
  • Instantiate, move, or clone VMs across vCenter Server instances when the source VM is encrypted.
  • Encrypt shared disks.

Note: On a fast-provisioned organization VDC, if the source or target VM is encrypted and you want to create a clone, VMware Cloud Director always creates a full clone.
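
The limitations above can be checked before a change request is submitted. The following is an added example, not VMware code: the record fields and operation names are hypothetical, and the inventory is constructed rather than Cloud Director API output.

```python
from dataclasses import dataclass, field

@dataclass
class Disk:  # hypothetical record, not a Cloud Director API type
    name: str
    encrypted: bool = False
    shared: bool = False
    in_snapshot: bool = False

@dataclass
class VM:  # hypothetical record, not a Cloud Director API type
    name: str
    encrypted: bool = False
    powered_on: bool = False
    linked_clone: bool = False
    disks: list = field(default_factory=list)

def blockers(vm, op, disk=None):
    """List the documented limitations that a requested change would hit.

    op: encrypt_vm, decrypt_vm, encrypt_disk, decrypt_disk or attach_disk.
    """
    hits = []
    if op != "attach_disk" and vm.powered_on:
        hits.append("VM is powered on")
    if op.startswith("encrypt") and vm.linked_clone:
        hits.append("VM is a linked clone")
    if op == "decrypt_vm" and any(d.encrypted for d in vm.disks):
        hits.append("a disk is still on an encrypted policy")
    if disk is not None:
        if op in ("encrypt_disk", "decrypt_disk") and disk.in_snapshot:
            hits.append("disk is part of a snapshot")
        if op == "encrypt_disk" and disk.shared:
            hits.append("disk is shared")
        if op == "encrypt_disk" and not vm.encrypted:
            hits.append("VM is not encrypted")
        if op == "attach_disk" and disk.encrypted and not vm.encrypted:
            hits.append("encrypted disk on a non-encrypted VM")
    return hits

# Constructed sample inventory.
WEB = VM("web01", powered_on=True, disks=[Disk("disk0")])
DB = VM("db01", encrypted=True,
        disks=[Disk("disk0", encrypted=True), Disk("disk1", in_snapshot=True)])
APP = VM("app01")

if __name__ == "__main__":
    for vm, op in ((WEB, "encrypt_vm"), (DB, "decrypt_vm"), (APP, "encrypt_vm")):
        print(vm.name, op, blockers(vm, op) or "no documented blocker")
```

An empty list means only that none of the limitations listed above applies; it does not confirm that the organization VDC has a VM Encryption-enabled storage policy.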

Identifying a VM Encryption Storage Capability

By default, System administrators and Organization administrators have the necessary rights to view the organization VDC storage capabilities and whether VMs and disks are encrypted. vApp Authors can view the encryption status of a virtual machine and its disks on the Details page of the virtual machine. For more information about roles and rights, see Predefined VMware Cloud Director Roles and Their Rights.