After you set up the KMS, you can start creating encrypted virtual machines. A new virtual machine is encrypted if you create it with an encryption storage policy.
Creating an encrypted virtual machine is faster and uses fewer storage resources than encrypting an existing virtual machine. Encrypt the virtual machine as part of the creation process if possible.
Establish a trusted connection with the KMS and select a default KMS.
Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
Ensure that the virtual machine is powered off.
Verify that you have the required privileges:
If the host encryption mode is not Enabled, you also need.
- Connect to vCenter Server by using the vSphere Web Client.
- Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
- Right-click the object, select
, and follow the prompts to create an encrypted virtual machine.
Select a creation type
Create a virtual machine.
Select a name and folder
Specify a name and target location.
Select a compute resource
Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
Select a VM storage policy with encryption (the bundled sample is VM Encryption Policy). Select a compatible datastore.
Select the compatibility. You can migrate an encrypted virtual machine only to hosts with compatibility ESXi 6.5 and later.
Select a guest OS
Select a guest OS that you plan to install on the virtual machine later.
Customize the hardware, for example, by changing disk size or CPU.
Any New Hard disk that you add is encrypted. You can change the storage policy for individual hard disks later.
Ready to complete
Review the information and click Finish.