You can configure full clones to use the vSphere Virtual Machine Encryption feature. You can create full-clone desktops that have the same encryption keys or full-clone desktops with different keys.

Prerequisites

  • Create the Key Management Server (KMS) cluster with key management servers.
  • To create a trust between KMS and vCenter Server, accept the self-signed CA certificate or create a CA-signed certificate.
  • In vSphere Client, create the VMcrypt/VMEncryption storage profile.
Note: For details about the Virtual Machine Encryption feature in vSphere, see the vSphere Security document in the vSphere documentation.

Procedure

  1. To configure full clones that use the same encryption keys, create a VM template so that all desktops have the same encryption keys.
    The clone inherits the parent's encryption state, including keys.
    1. In vSphere Client, create a VM with the vmencrypt storage policy.
    2. Convert the VM to a virtual machine template.
    3. Create full-clone desktops that point to the template VM so that all desktops have the same encryption keys.
    Note: VM Encryption and Content Based Read Cache (CBRC) are not compatible. To use VM Encryption, you must disable CBRC globally: in Horizon Console, navigate to Settings > Servers and disable View Storage Accelerator.
  2. To configure full clones that use different encryption keys, you must change the storage policy for each full-clone desktop.
    1. In vSphere Client, create the full-clone desktop pool and then edit the full-clone desktops.
      You can also edit existing full-clone desktops.
    2. Navigate to each full-clone desktop and change its storage policy to vmencrypt.
      Each full-clone desktop gets a different encryption key.
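
A post-configuration check for either procedure, as an added example that is not part of the VMware documentation: it flags desktops that ended up unencrypted and confirms that the key layout matches the option you chose. It assumes you have exported, for each desktop, the key ID and key provider that the vSphere API reports in the VM's `config.keyId`; the record field names, the `audit_pool` function, and the sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real data). Each record mirrors what the
# vSphere API reports per VM in config.keyId: the KMS key ID and the key
# provider, or None when the VM is not encrypted.
SAMPLE_POOL = [
    {"name": "desk-01", "key_id": "key-aaa", "provider": "kms-cluster-1"},
    {"name": "desk-02", "key_id": "key-aaa", "provider": "kms-cluster-1"},
    {"name": "desk-03", "key_id": "key-bbb", "provider": "kms-cluster-1"},
    {"name": "desk-04", "key_id": None, "provider": None},
]


def audit_pool(inventory, expect):
    """Check a full-clone pool against the intended key layout.

    expect is "same" (clones of an encrypted template, procedure step 1) or
    "different" (storage policy changed per desktop, procedure step 2).
    Returns a dict of findings; every value empty means the pool conforms.
    """
    if expect not in ("same", "different"):
        raise ValueError("expect must be 'same' or 'different'")

    unencrypted = sorted(vm["name"] for vm in inventory if not vm.get("key_id"))

    # Identify a key by (provider, key ID): IDs can repeat across KMS clusters.
    by_key = defaultdict(list)
    for vm in inventory:
        if vm.get("key_id"):
            by_key[(vm["provider"], vm["key_id"])].append(vm["name"])

    findings = {"unencrypted": unencrypted,
                "unexpected_shared": {},
                "off_template_key": []}
    if expect == "different":
        # Any key held by more than one desktop contradicts step 2.
        findings["unexpected_shared"] = {
            key: sorted(names) for key, names in by_key.items() if len(names) > 1}
    elif by_key:
        # Assumption: the most common key is the template's; others are outliers.
        template_key = max(by_key, key=lambda key: len(by_key[key]))
        findings["off_template_key"] = sorted(
            name for key, names in by_key.items() if key != template_key
            for name in names)
    return findings


if __name__ == "__main__":
    print(audit_pool(SAMPLE_POOL, "different"))
```

With the same-key option, every desktop in the pool depends on one key, so an empty `off_template_key` list also tells you how many desktops a single key rotation or key loss would affect.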