You can configure full clones to use the vSphere Virtual Machine Encryption feature. You can create full-clone desktops that all have the same encryption keys, or full-clone desktops that each have different keys.
Prerequisites
- vSphere 6.5 or later.
- Create the Key Management Server (KMS) cluster with key management servers.
- To create a trust between KMS and vCenter Server, accept the self-signed CA certificate or create a CA-signed certificate.
- In vSphere Web Client, create the VMcrypt/VMEncryption storage profile.
- Horizon 7
Note: For details about the Virtual Machine Encryption feature in vSphere, see the vSphere Security document in the vSphere documentation.
Procedure
- To configure full clones that use the same encryption keys, create a parent template for all desktops to have the same encryption keys.
  The clone inherits the parent encryption state including keys.
  - In vSphere Web Client, create a parent VM with the vmencrypt storage policy or create a parent VM and then apply the vmencrypt storage policy.
  - Convert the parent VM to a virtual machine template.
  - Create full-clone desktops that point to the parent template so that all desktops have the same encryption keys.
  Note: Do not select the Content Based Read Cache (CBRC) feature when you create the full-clone desktop pool. The CBRC and Virtual Machine Encryption features are not compatible.
- To configure full clones that use different encryption keys, you must change the storage policy for each full-clone desktop.
  - In vSphere Web Client, create the full-clone desktop pool and then edit the full-clone desktops.
    You can also edit existing full-clone desktops.
  - Navigate to each full-clone desktop, edit the storage policy, and change it to vmencrypt.
    Each full-clone desktop gets a different encryption key.
  Note: Full-clone desktops that already have CBRC digest disks cannot get the vmencrypt storage policy. The vmencrypt storage policy applies only when the parent VM does not have any snapshots.
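
An added example, not part of the VMware documentation: a Python audit that checks an inventory export against the two key models in this procedure (same keys inherited from a template, different keys per desktop) and against the CBRC and snapshot notes. The inventory rows, field names, pool names and key IDs are constructed for illustration and are not a vSphere schema.

```python
from collections import defaultdict

POLICY = "vmencrypt"  # storage policy name used on this page
FIELDS = ("name", "pool", "policy", "key_id", "digest_disks", "parent_snapshots")
# Constructed inventory rows; the field layout is hypothetical, not a vSphere schema.
ROWS = [
    ("desk-01", "pool-same", POLICY, "key-A", False, False),
    ("desk-02", "pool-same", POLICY, "key-A", False, False),
    ("desk-03", "pool-diff", POLICY, "key-B", False, False),
    ("desk-04", "pool-diff", POLICY, "key-B", False, False),  # reused key
    ("desk-05", "pool-diff", "default", None, True, False),   # digest disks
    ("desk-06", "pool-diff", "default", None, False, True),   # parent snapshots
]
INVENTORY = [dict(zip(FIELDS, row)) for row in ROWS]
# Intended model per pool: "same" (encrypted template) or "different" (per-clone policy).
POOL_MODEL = {"pool-same": "same", "pool-diff": "different"}

def blockers(vm):
    """Reasons from the page's notes why vmencrypt cannot be applied to this desktop."""
    found = []
    if vm["digest_disks"]:
        found.append("existing CBRC digest disks")
    if vm["parent_snapshots"]:
        found.append("parent VM has snapshots")
    return found

def audit(inventory, pool_model):
    """Return findings as sorted (desktop_or_pool, message) tuples."""
    findings, keys = [], defaultdict(lambda: defaultdict(list))
    for vm in inventory:
        if vm["policy"] == POLICY and vm["key_id"]:
            keys[vm["pool"]][vm["key_id"]].append(vm["name"])
        else:
            why = blockers(vm) or ["policy not applied"]
            findings.append((vm["name"], "not encrypted: " + ", ".join(why)))
    for pool, by_key in keys.items():
        model = pool_model[pool]
        if model == "same" and len(by_key) > 1:
            findings.append((pool, f"expected one key, found {len(by_key)}"))
        if model == "different":
            for key, names in by_key.items():
                if len(names) > 1:
                    findings.append((pool, f"{key} shared by {', '.join(names)}"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, message in audit(INVENTORY, POOL_MODEL):
        print(f"{subject}: {message}")
```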