Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.

Cryptography Privileges and Roles

By default, the user with the vCenter Server Administrator role has all privileges. The No cryptography administrator role does not have the following privileges that are required for cryptographic operations.

  • Add Cryptographic Operations privileges.

  • Global > Diagnostics

  • Host > Inventory > Add host to cluster

  • Host > Inventory > Add standalone host

  • Host > Local operations > Manage user groups

You can assign the No cryptography administrator role to vCenter Server administrators who do not need Cryptographic Operations privileges.

To further limit what users can do, you can clone the No cryptography administrator role and create a custom role with only some of the Cryptographic Operations privileges. For example, you can create a role that allows users to encrypt but not to decrypt virtual machines. See Using Roles to Assign Privileges.

Host Encryption Mode

You can encrypt virtual machines only if host encryption mode is enabled for the ESXi host. Host encryption mode is often enabled automatically, but it can be enabled explicitly. You can check and explicitly set the current host encryption mode from the vSphere Web Client or by using the vSphere API.

For instructions, see Enable Host Encryption Mode Explicitly.

After host encryption mode is enabled, it cannot be disabled easily. See Disable Host Encryption Mode.

Automatic changes occur when encryption operations attempt to enable host encryption mode. For example, assume that you add an encrypted virtual machine to a standalone host. Host encryption mode is not enabled. If you have the required privileges on the host, encryption mode changes to enabled automatically.

Assume that a cluster has three ESXi hosts, hosts A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors.

  • If hosts A, B, and C already have encryption enabled, you need only Cryptographic operations > Encrypt new privileges to create the virtual machine.

  • If hosts A and B are enabled for encryption and C is not enabled, the system proceeds as follows.

    • Assume that you have both the Cryptographic operations > Encrypt new and the Cryptographic operations > Register host privileges on each host. In that case, the virtual machine creation process enables encryption on host C. The encryption process enables host encryption mode on host C, and pushes the key to each host in the cluster.

      For this case, you can also explicitly enable host encryption on host C.

    • Assume that you have only Cryptographic operations > Encrypt new privileges on the virtual machine or virtual machine folder. In that case, virtual machine creation succeeds and the key becomes available on host A and host B. Host C remains disabled for encryption and does not have the virtual machine key.

  • If none of the hosts has encryption enabled, and you have Cryptographic operations > Register host privileges on host A, then the virtual machine creation process enables host encryption on that host. Otherwise, an error results.
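The following is an added example, not VMware's own code, that checks host encryption mode over the vSphere API (the read-only HostSystem.runtime.cryptoState property, via pyVmomi) and models the cluster cases above as a small decision function. It generalizes the three cases by treating the Register host privilege per host: every host that is not yet enabled and on which you hold Register host gets enabled and receives the key. The cluster name, the `fake_host` helper and the sample hosts are constructed for illustration; pyVmomi is assumed available only for the live lookup.

```python
"""Audit host encryption mode across a cluster and predict encrypted-VM placement.

Added example (not VMware's code). The live lookup assumes pyVmomi and an
existing vCenter session; the decision logic runs offline on constructed hosts.
"""
from types import SimpleNamespace

try:                                    # pyVmomi only needed for the live path
    from pyVmomi import vim             # pip install pyvmomi (assumption)
except ImportError:                     # offline use still works without it
    vim = None

SAFE = "safe"   # HostCryptoState values: incapable, prepared, safe, pendingIncapable


def crypto_states(hosts):
    """Map host name -> cryptoState for objects exposing runtime.cryptoState."""
    return {h.name: h.runtime.cryptoState for h in hosts}


def live_crypto_states(si, cluster_name):
    """Live path: cryptoState of every host in the named cluster (needs pyVmomi)."""
    view = si.content.viewManager.CreateContainerView(
        si.content.rootFolder, [vim.ClusterComputeResource], True)
    for cluster in view.view:
        if cluster.name == cluster_name:
            return crypto_states(cluster.host)
    raise LookupError(f"cluster {cluster_name!r} not found")


def plan_encrypted_vm(hosts, target, register_host_on):
    """Predict what happens when a new encrypted VM is placed on `target`.

    register_host_on: names of hosts on which the user holds
    Cryptographic operations > Register host (Encrypt new is assumed held).
    Returns (ok, hosts_with_key, hosts_left_disabled). Hosts already in 'safe'
    state get the key; disabled hosts are enabled only where Register host is held;
    a disabled target without Register host is an error, as in the last case above.
    """
    states = crypto_states(hosts)
    if target not in states:
        raise ValueError(f"unknown host {target!r}")
    enabled = {n for n, s in states.items() if s == SAFE}
    disabled = set(states) - enabled
    if target in disabled and target not in register_host_on:
        return False, set(), set(states)
    newly_enabled = disabled & set(register_host_on)
    return True, enabled | newly_enabled, disabled - newly_enabled


def fake_host(name, state):
    """Constructed stand-in for a HostSystem, for offline runs and tests."""
    return SimpleNamespace(name=name, runtime=SimpleNamespace(cryptoState=state))
```

Running `live_crypto_states(si, "Cluster01")` against a real session lists which hosts would be left without the key before you place an encrypted virtual machine.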

Disk Space Requirements

When you encrypt an existing virtual machine, you need at least twice the space that the virtual machine is currently using.