You can configure full clones to use the vSphere Virtual Machine Encryption feature. You can create full-clone desktops that all share the same encryption keys, or full-clone desktops that each have different keys.

Prerequisites

  • vSphere 6.5 or later.

  • Create the Key Management Server (KMS) cluster with key management servers.

  • To create a trust between KMS and vCenter Server, accept the self-signed CA certificate or create a CA-signed certificate.

  • In vSphere Web Client, create the VMcrypt/VMEncryption storage profile.

  • Horizon 7

Note:

For details about the Virtual Machine Encryption feature in vSphere, see the vSphere Security document in the vSphere documentation.

Procedure

  1. To configure full clones that use the same encryption keys, create a parent template so that all desktops inherit the same encryption keys.

    The clone inherits the parent's encryption state, including its keys.

    1. In vSphere Web Client, create a parent VM with the vmencrypt storage policy or create a parent VM and then apply the vmencrypt storage policy.
    2. Convert the parent VM to a virtual machine template.
    3. Create full-clone desktops that point to the parent template so that all desktops have the same encryption keys.

    Note:

    Do not select the Content Based Read Cache (CBRC) feature when you create the full-clone desktop pool. The CBRC and Virtual Machine Encryption features are not compatible.

  2. To configure full clones that use different encryption keys, you must change the storage policy for each full-clone desktop.
    1. In vSphere Web Client, create the full-clone desktop pool and then edit the full-clone desktops.

      You can also edit existing full-clone desktops.

    2. Navigate to each full-clone desktop, edit its storage policy, and change the storage policy to vmencrypt.

      Each full-clone desktop gets a different encryption key.

    Note:

    Full-clone desktops that already have CBRC digest disks cannot receive the vmencrypt storage policy. The vmencrypt storage policy can be applied only when the parent VM has no snapshots.
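The following PowerCLI script is an added example, not part of the Horizon documentation, for verifying the outcome of either procedure above: it reports each desktop's storage policy, whether it is encrypted, which key it uses, and whether snapshots would block the vmencrypt policy. It assumes an existing Connect-VIServer session and that the pool's desktops share a name prefix (the prefix `fc-desktop-` is an assumption; the policy name `vmencrypt` is the one used on this page).

```powershell
# Added example (not VMware's own code): audit the encryption state of a
# full-clone desktop pool with VMware PowerCLI. Assumes an open
# Connect-VIServer session and a pool name prefix (both assumptions).
param(
    [string]$PoolPrefix = 'fc-desktop-',   # assumed pool naming convention
    [string]$PolicyName = 'vmencrypt'      # storage policy named on this page
)

$report = foreach ($vm in Get-VM -Name "$PoolPrefix*") {
    # Config.KeyId (vSphere 6.5+ API) is set only when the VM home is encrypted.
    $keyId = $vm.ExtensionData.Config.KeyId
    # Storage policy currently assigned to the VM home object.
    $policy = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    [pscustomobject]@{
        Name      = $vm.Name
        Policy    = $policy
        Encrypted = [bool]$keyId
        KeyId     = if ($keyId) { $keyId.KeyId } else { $null }
        KmsId     = if ($keyId) { $keyId.ProviderId.Id } else { $null }
        # vmencrypt cannot be applied while snapshots exist (see the Note above).
        Snapshots = @(Get-Snapshot -VM $vm).Count
    }
}

$report | Format-Table -AutoSize

# Desktops that are not yet in the expected state.
$report |
    Where-Object { -not $_.Encrypted -or $_.Policy -ne $PolicyName -or $_.Snapshots -gt 0 } |
    ForEach-Object {
        Write-Warning ("{0}: policy={1} encrypted={2} snapshots={3}" -f
            $_.Name, $_.Policy, $_.Encrypted, $_.Snapshots)
    }

# The number of distinct keys shows which scenario the pool is in:
#   1 key  -> clones inherited the template's key (procedure 1)
#   N keys -> one key per desktop (procedure 2)
$encrypted    = @($report | Where-Object Encrypted)
$distinctKeys = @($encrypted | ForEach-Object KeyId | Sort-Object -Unique).Count
"Encrypted desktops: $($encrypted.Count); distinct keys: $distinctKeys"
```

Desktops listed by the warning either still need the vmencrypt policy or must have their snapshots removed before the policy can be applied.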