When you clone an encrypted virtual machine, the clone is encrypted with the same keys. To change keys for the clone, power off the clone and perform a shallow recrypt of the clone using the API. See the vSphere Web Services SDK Programming Guide.
You do not have to power off the virtual machine to clone it.
Establish a trusted connection with the KMS and select a default KMS.
Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
If the host encryption mode is not Enabled, you also must haveprivileges.
- Connect to vCenter Server by using the vSphere Web Client.
- Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
- Right-click the virtual machine, and follow the prompts to create the clone of an encrypted virtual machine.
  - Select a name and folder: Specify a name and target location for the clone.
  - Select a compute resource: Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
  - Make a selection in the Select virtual disk format menu and select a datastore. You cannot change the storage policy as part of the clone operation.
  - Select clone options: Select clone options, as discussed in the vSphere Virtual Machine Administration documentation.
  - Ready to complete: Review the information and click Finish.
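
The key change described at the top of this topic can be scripted once the clone exists. The following is an added example, not code from the VMware documentation: it uses pyVmomi, first checks that the clone still shares the source virtual machine's key and is powered off, and then submits a shallow recrypt. The helper names, the sample objects, and the assumption that the new key ID was already generated on the KMS are illustrative.

```python
from types import SimpleNamespace  # used only for the constructed sample objects


def key_of(vm):
    """Return (provider_id, key_id) of an encrypted VM, or None if it has no key."""
    kid = getattr(vm.config, "keyId", None)
    if kid is None:
        return None
    provider = kid.providerId.id if kid.providerId else None
    return (provider, kid.keyId)


def recrypt_blockers(source, clone):
    """List reasons the clone is not ready for, or does not need, a shallow recrypt."""
    blockers = []
    if key_of(clone) is None:
        blockers.append("clone is not encrypted")
    elif key_of(clone) != key_of(source):
        blockers.append("clone already uses a different key")
    if clone.runtime.powerState != "poweredOff":
        blockers.append("clone must be powered off")
    return blockers


def shallow_recrypt(clone, provider_id, new_key_id):
    """Submit the reconfigure task that moves the clone to new_key_id.

    Assumption: new_key_id already exists on the KMS cluster provider_id.
    """
    from pyVmomi import vim  # imported here so the checks above run without pyVmomi
    key = vim.encryption.CryptoKeyId(
        keyId=new_key_id,
        providerId=vim.encryption.KeyProviderId(id=provider_id))
    spec = vim.vm.ConfigSpec(
        crypto=vim.encryption.CryptoSpecShallowRecrypt(newKeyId=key))
    return clone.ReconfigVM_Task(spec=spec)


def sample_vm(provider_id, key_id, power_state):
    """Constructed stand-in exposing the few VirtualMachine properties read above."""
    kid = None
    if key_id is not None:
        kid = SimpleNamespace(keyId=key_id,
                              providerId=SimpleNamespace(id=provider_id))
    return SimpleNamespace(config=SimpleNamespace(keyId=kid),
                           runtime=SimpleNamespace(powerState=power_state))
```

Against a live vCenter Server, pass the source and clone `vim.VirtualMachine` objects to `recrypt_blockers` and call `shallow_recrypt` only when it returns an empty list.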