You can encrypt an existing virtual machine or virtual disk by changing its storage policy. You can encrypt virtual disks only for encrypted virtual machines.

You cannot encrypt a virtual machine by using the Edit Settings menu. You can encrypt virtual disks of an encrypted virtual machine by using the Edit Settings menu.


  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Ensure that the virtual machine is powered off.
  • Verify that you have the required privileges:
    • Cryptographic operations.Encrypt new
    • If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.


  1. Connect to vCenter Server by using the vSphere Web Client.
  2. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
    You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.
  3. Select the storage policy that you want to use from the drop-down menu.
    • To encrypt the VM and its hard disks, select an encryption storage policy and click Apply to all.
    • To encrypt the VM but not the virtual disks, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click Apply.
    You cannot encrypt the virtual disk of an unencrypted VM.
  4. If you prefer, you can encrypt virtual disks from the Edit Settings menu.
    1. Right-click the virtual machine and select Edit Settings
    2. Leave Virtual Hardware selected.
    3. Open the virtual disk for which you want to change the storage policy and make a selection from the VM Storage Policy drop-down menu.
    4. Click OK.