When you clone an encrypted virtual machine, the clone is encrypted with the same keys. To change keys for the clone, power off the clone and perform a shallow recrypt of the clone using the API. See the vSphere Web Services SDK Programming Guide.
You do not have to power off the virtual machine to clone it.
Prerequisites
- Establish a trusted connection with the KMS and select a default KMS.
- Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
- Required privileges:
- If the host encryption mode is not Enabled, you also must have privileges.
Procedure
- Connect to vCenter Server by using the vSphere Web Client.
- Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
- Right-click the virtual machine, and follow the prompts to create the clone of an encrypted virtual machine.
| Option | Action |
| --- | --- |
| Select a name and folder | Specify a name and target location for the clone. |
| Select a compute resource | Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks. |
| Select storage | Make a selection in the Select virtual disk format menu and select a datastore. You cannot change the storage policy as part of the clone operation. |
| Select clone options | Select clone options, as discussed in the vSphere Virtual Machine Administration documentation. |
| Ready to complete | Review the information and click Finish. |
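
Because the clone shares its keys with the source virtual machine, the shallow recrypt mentioned at the top of this topic is the step that separates the two. The following PowerCLI sketch is an added example, not code from the VMware documentation: it calls the vSphere API types through an existing `Connect-VIServer` session, and the clone name and key provider ID are placeholders you must replace.

```powershell
# Added example, not VMware's code. Assumes an open Connect-VIServer session.
$vmName        = 'encrypted-clone-01'   # placeholder: name of the clone
$keyProviderId = 'kms-cluster-01'       # placeholder: KMS cluster (key provider) ID

$vm = Get-VM -Name $vmName -ErrorAction Stop
if ($vm.PowerState -ne 'PoweredOff') { throw "Power off '$vmName' before the recrypt." }

$view   = $vm.ExtensionData
$oldKey = $view.Config.KeyId
if (-not $oldKey) { throw "'$vmName' is not encrypted; nothing to recrypt." }

# Request a new key from the KMS through vCenter Server's CryptoManager.
$si            = Get-View ServiceInstance
$cryptoManager = Get-View $si.Content.CryptoManager
$provider      = New-Object VMware.Vim.KeyProviderId
$provider.Id   = $keyProviderId
$result        = $cryptoManager.GenerateKey($provider)
if (-not $result.Success) { throw "Key generation failed: $($result.Reason)" }

# Shallow recrypt: only the key that wraps the data encryption key is
# replaced, so disk contents are not re-encrypted.
$crypto          = New-Object VMware.Vim.CryptoSpecShallowRecrypt
$crypto.NewKeyId = $result.KeyId

$spec        = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Crypto = $crypto   # covers the VM home files

# Each encrypted virtual disk carries its own key reference; rekey those too.
$spec.DeviceChange = @(
    $view.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualDisk] -and $_.Backing.KeyId } |
        ForEach-Object {
            $change                = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $change.Operation      = [VMware.Vim.VirtualDeviceConfigSpecOperation]::edit
            $change.Device         = $_
            $change.Backing        = New-Object VMware.Vim.VirtualDeviceConfigSpecBackingSpec
            $change.Backing.Crypto = $crypto
            $change
        }
)
$view.ReconfigVM($spec)

# Confirm that the clone no longer references the source VM's key.
$view.UpdateViewData()
if ($view.Config.KeyId.KeyId -eq $oldKey.KeyId) { throw "Key ID unchanged after recrypt." }
"'{0}' now uses key {1}" -f $vmName, $view.Config.KeyId.KeyId
```

Run it only after the clone task has finished and the clone is powered off; the source virtual machine is not touched.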