You can configure full clones to use the vSphere Virtual Machine Encryption feature. You can create full-clone desktops that all share the same encryption keys, or full-clone desktops that each have different keys.
Prerequisites
- Create the Key Management Server (KMS) cluster with key management servers.
- To create a trust between KMS and vCenter Server, accept the self-signed CA certificate or create a CA-signed certificate.
- In vSphere Client, create the VMcrypt/VMEncryption storage profile.
Note: For details about the Virtual Machine Encryption feature in vSphere, see the vSphere Security document in the vSphere documentation.
Procedure
- To configure full clones that use the same encryption keys, create a VM template for all desktops to have the same encryption keys.
  The clone inherits the parent encryption state including keys.
  - In vSphere Client, create a VM with the vmencrypt storage policy.
  - Convert the VM to a virtual machine template.
  - Create full-clone desktops that point to the template VM so that all desktops have the same encryption keys.
  Note: VM Encryption and Content Based Read Cache (CBRC) are not compatible. To use VM Encryption, you must disable CBRC globally by disabling View Storage Accelerator in Horizon Console by navigating to .
- To configure full clones that use different encryption keys, you must change the storage policy for each full-clone desktop.
  - In vSphere Client, create the full-clone desktop pool and then edit the full-clone desktops.
    You can also edit existing full-clone desktops.
  - Navigate to each full-clone desktop and change its storage policy to vmencrypt.
  Each full-clone desktop gets a different encryption key.
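
To confirm which of the two outcomes a pool actually has, the following added example (not part of the VMware documentation) reports, per desktop, whether it is encrypted and whether its key is shared with other clones. It assumes VM objects as returned by the PowerCLI `Get-VM` cmdlet, with the key exposed in `ExtensionData.Config.KeyId`; the `desk-*` names, key IDs and provider name are constructed sample values.

```powershell
# Added example: audit whether full-clone desktops share a VM Encryption key.
function Get-CloneKeyReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM   # object shaped like Get-VM output (Name, ExtensionData.Config.KeyId)
    )
    begin { $rows = @() }
    process {
        $key = $VM.ExtensionData.Config.KeyId   # $null when the VM is not encrypted
        $rows += [pscustomobject]@{
            Name      = $VM.Name
            Encrypted = [bool]$key
            KeyId     = if ($key) { $key.KeyId } else { $null }
            Provider  = if ($key) { $key.ProviderId.Id } else { $null }
            Status    = $null
        }
    }
    end {
        # Count how many desktops reference each key identifier.
        $counts = @{}
        foreach ($r in $rows) {
            if ($r.Encrypted) { $counts[$r.KeyId] = 1 + [int]$counts[$r.KeyId] }
        }
        foreach ($r in $rows) {
            $r.Status = if (-not $r.Encrypted) { 'NOT ENCRYPTED' } elseif ($counts[$r.KeyId] -gt 1) { 'shared key' } else { 'unique key' }
            $r
        }
    }
}

# Constructed sample input that mimics the shape of Get-VM output, so this runs offline.
function New-SampleVM($name, $keyId) {
    $k = if ($keyId) { [pscustomobject]@{ KeyId = $keyId; ProviderId = [pscustomobject]@{ Id = 'kms-cluster-example' } } }
    [pscustomobject]@{ Name = $name; ExtensionData = [pscustomobject]@{ Config = [pscustomobject]@{ KeyId = $k } } }
}
$sample = @(
    New-SampleVM 'desk-01' 'key-aaaa'   # cloned from an encrypted template
    New-SampleVM 'desk-02' 'key-aaaa'   # same template, same key
    New-SampleVM 'desk-03' 'key-bbbb'   # policy applied individually
    New-SampleVM 'desk-04' $null        # policy never applied
)
$sample | Get-CloneKeyReport | Format-Table Name, Status, KeyId, Provider

# Against a live vCenter session (pool naming pattern is an assumption):
#   Get-VM -Name 'desk-*' | Get-CloneKeyReport
```

In a pool built from an encrypted template every desktop should report `shared key`; in a pool where the policy was changed per desktop, any `shared key` or `NOT ENCRYPTED` row marks a desktop that needs attention.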