vSphere virtual machine encryption supports encryption of VM files, virtual disk files, and core dump files.

Virtual Machine Files

Most VM files, in particular guest data that is not stored in the VMDK file, are encrypted. This set of files includes, but is not limited to, the NVRAM, VSWP, and VMSN files. The key encryption key (KEK) obtained from the key provider unlocks an encrypted bundle in the VMX file that contains the internal keys and other secrets. How the KEK is retrieved depends on the key provider:

  • Standard key provider: vCenter Server retrieves the keys from the key server and pushes them to the ESXi hosts. The hosts cannot access the key provider directly; they wait for vCenter Server to push the keys.

  • Trusted key provider and vSphere Native Key Provider: the ESXi hosts access the key provider directly, fetching the requested keys from the vSphere Trust Authority service (trusted key provider) or from the vSphere Native Key Provider, without going through vCenter Server.

When the vSphere Client is used to create an encrypted VM, all virtual disks are encrypted by default, but each virtual disk can be encrypted or decrypted separately from the VM files. The same applies to other encryption tasks, such as encrypting an existing VM: virtual disks can be encrypted and decrypted separately from the VM files.

Note:

An encrypted virtual disk cannot be associated with a VM that is not encrypted.

Virtual Disk Files

Data in an encrypted virtual disk (VMDK) file is never written to storage or physical disk in cleartext and is never transmitted over the network in cleartext. The VMDK descriptor file is mostly cleartext, but it contains the key ID of the KEK and the internal key (DEK), the latter wrapped inside the encrypted bundle. The vSphere API can be used to perform either a shallow recrypt operation, which rewraps the existing DEK under a new KEK without rewriting the disk data, or a deep recrypt operation, which generates a new internal key and re-encrypts the disk data under it.
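The following is an added worked model of the key hierarchy described above and in the Virtual Machine Files section: a key provider hands out KEKs by key ID, a cleartext descriptor carries the KEK ID plus a KEK-wrapped DEK (the "encrypted bundle"), and the disk data is encrypted under the DEK. It is illustrative code written for this page, not VMware's file format, API or implementation. The cipher is a toy HMAC-SHA256 counter-mode stream cipher standing in for the real disk cipher, the `KeyProvider` class, the dict layouts and all names are assumptions, and the key IDs are constructed for the example. What it demonstrates is the practical difference between the two recrypt operations: a shallow recrypt changes only the descriptor and leaves every byte of the data file alone, while a deep recrypt rewrites the data under a fresh DEK. It also shows why a host cannot unlock the disk when the named KEK is unavailable or wrong.

```python
"""Toy model of a KEK/DEK envelope as used for encrypted virtual disks.
Illustrative only: not VMware's format, API or code."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for AES)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class KeyProvider:
    """Assumed stand-in for the key server / Native Key Provider: KEK ID -> KEK."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> str:
        self._keks[kek_id] = os.urandom(32)
        return kek_id

    def get_kek(self, kek_id: str) -> bytes:
        # A missing KEK models "key provider unreachable / key not released":
        # the host cannot open the bundle and the VM cannot be powered on.
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id!r} not available from key provider")
        return self._keks[kek_id]


def _wrap_dek(kek: bytes, dek: bytes) -> dict:
    """Build the encrypted bundle: DEK encrypted under the KEK plus an auth tag."""
    nonce = os.urandom(16)
    wrapped = _xor(kek, nonce, dek)
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return {"nonce": nonce, "wrapped_dek": wrapped, "tag": tag}


def _unwrap_dek(kek: bytes, bundle: dict) -> bytes:
    """Verify the bundle under the KEK and recover the DEK; fail closed on mismatch."""
    expected = hmac.new(kek, bundle["nonce"] + bundle["wrapped_dek"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("bundle authentication failed: wrong KEK or tampered bundle")
    return _xor(kek, bundle["nonce"], bundle["wrapped_dek"])


def create_encrypted_disk(provider: KeyProvider, kek_id: str, plaintext: bytes):
    """Return (descriptor, datafile). The descriptor is cleartext metadata plus
    the encrypted bundle; the datafile holds the DEK-encrypted disk contents."""
    dek = os.urandom(32)
    data_nonce = os.urandom(16)
    descriptor = {"kek_id": kek_id, "bundle": _wrap_dek(provider.get_kek(kek_id), dek)}
    datafile = {"nonce": data_nonce, "ciphertext": _xor(dek, data_nonce, plaintext)}
    return descriptor, datafile


def read_disk(provider: KeyProvider, descriptor: dict, datafile: dict) -> bytes:
    """What a host does at power-on: fetch the KEK named in the descriptor,
    unlock the bundle, then use the DEK on the data."""
    dek = _unwrap_dek(provider.get_kek(descriptor["kek_id"]), descriptor["bundle"])
    return _xor(dek, datafile["nonce"], datafile["ciphertext"])


def shallow_recrypt(provider: KeyProvider, descriptor: dict, new_kek_id: str) -> dict:
    """Rewrap the SAME DEK under a new KEK. Only the descriptor changes; the
    data file is not touched, so the DEK itself is not rotated."""
    dek = _unwrap_dek(provider.get_kek(descriptor["kek_id"]), descriptor["bundle"])
    return {"kek_id": new_kek_id, "bundle": _wrap_dek(provider.get_kek(new_kek_id), dek)}


def deep_recrypt(provider: KeyProvider, descriptor: dict, datafile: dict, new_kek_id=None):
    """Generate a fresh DEK and re-encrypt the data under it. Every byte of the
    data file is rewritten; this is the operation to use if the DEK may be exposed."""
    plaintext = read_disk(provider, descriptor, datafile)
    return create_encrypted_disk(provider, new_kek_id or descriptor["kek_id"], plaintext)


if __name__ == "__main__":
    kp = KeyProvider()
    kp.create_kek("kek-2024")
    kp.create_kek("kek-2025")
    desc, data = create_encrypted_disk(kp, "kek-2024", b"guest filesystem blocks " * 64)
    shallow = shallow_recrypt(kp, desc, "kek-2025")
    deep_desc, deep_data = deep_recrypt(kp, shallow, data)
    print("shallow: descriptor KEK", desc["kek_id"], "->", shallow["kek_id"],
          "| data file unchanged:", data["ciphertext"] == data["ciphertext"])
    print("deep: data file rewritten:", deep_data["ciphertext"] != data["ciphertext"])
```

The model makes the operational trade-off concrete: a shallow recrypt is the cheap response to a KEK rotation or a key-provider migration (the bulk data is not read or written), while a deep recrypt is the only way to retire a DEK that may have leaked, because the old ciphertext remains decryptable by anyone holding the old DEK.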

Core Dumps

Core dumps on an ESXi host that has encryption mode enabled are always encrypted. For details, see vSphere Virtual Machine Encryption and Core Dumps. Core dumps on the vCenter Server system are not encrypted, so protect access to the vCenter Server system.

Note:

For information on limitations concerning devices and features that vSphere virtual machine encryption can interoperate with, see Virtual Machine Encryption Interoperability.